Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRAVEX: Vulnerability Lookup and base app #94

Closed
4 tasks done
pombredanne opened this issue May 8, 2024 · 9 comments
Closed
4 tasks done

CRAVEX: Vulnerability Lookup and base app #94

pombredanne opened this issue May 8, 2024 · 9 comments
Assignees
@tdruez @DennisClark
Labels
design needed Design details needed to complete the issue HighPriority High Priority integration Integration with other applications major Significant level-of-effort vulnerabilities Vulnerability Management

Comments

@pombredanne
Copy link
Member

pombredanne commented May 8, 2024
edited
Loading

We should create a base Vulnerability application management in DejaCode with these features:

  • CRAVEX: Create a scheduler for vulnerability lookups that will lookup in VCIO
  • CRAVEX: Store vulnerability lookups in a set of database models.

Also these related VCIO issues:
@pombredanne pombredanne converted this from a draft issue May 8, 2024
@DennisClark
Copy link
Member

@pombredanne I would like to assign this one to Ziad but cannot see him on the Assignees list. Any suggestions please?

@DennisClark DennisClark self-assigned this May 14, 2024
@DennisClark
Copy link
Member

See https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/models.py and design the appropriate mapping to DejaCode.

@DennisClark
Copy link
Member

DennisClark commented Jun 19, 2024
edited
Loading

A "scheduler" is a fairly new concept/feature for DejaCode. We need to determine if there is a usable Django library to facilitate creating such a feature. As a working start, let's consider a new section of the DejaCode admin Dashboard, right under the "Imports" section, called "Scheduler" (or similar), that has an initial option for "Refresh Vulnerabilities" (or similar) where the admin user can define the frequency and scope of the vulnerability refresh process to be run on an automatic basis.

Assumption: the basic scope of the vulnerability lookup is to find vulnerabilities associated with Packages and Components currently defined in the relevant DejaCode dataspace. This could be further refined to include only those that are assigned to a Product in that dataspace.

The scheduler should also include a task to update Components defined in the relevant dataspace with CPE values as those become available.

@DennisClark DennisClark added vulnerabilities Vulnerability Management design needed Design details needed to complete the issue integration Integration with other applications major Significant level-of-effort HighPriority High Priority labels Jun 19, 2024
@DennisClark
Copy link
Member

DennisClark commented Jun 19, 2024
edited
Loading

The proposed vulnerability model in DejaCode should be designed to support queries such as:

  • a filter-enabled list of all the Versions of a Component Name currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
  • a filter-enabled list of all the Versions of a Package currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
  • a filter-enabled list of all the Versions of a Product currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
  • for a Vulnerability (using the same ID as VulnerableCode), provide a filter-enabled list of all packages or components in the relevant dataspace that are associated with it
  • for a Vulnerability (using the same ID as VulnerableCode), provide a filter-enabled list of all products in the relevant dataspace that are impacted by it
  • and others to be identified of course

This was referenced Jun 24, 2024
Closed
Closed
tdruez added a commit that referenced this issue Jul 4, 2024
@tdruez
Base implementation of a Vulnerability models #94
5d5319a 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Jul 4, 2024
@tdruez
Refactor BaseService to take a dataspace in place of user #94
7cb82a7 
This change is required to call integration in the context of a scheduler where only Dataspace instances are available, not a user.

Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Jul 4, 2024
@tdruez
Refactor BaseService to take a dataspace in place of user #94 (#142)
a1ce0cf 
* Refactor BaseService to take a dataspace in place of user #94

This change is required to call integration in the context of a scheduler where only Dataspace instances are available, not a user.

Signed-off-by: tdruez <tdruez@nexb.com>

* Fix an issue with inject_scan_data on Component instances

Signed-off-by: tdruez <tdruez@nexb.com>

---------

Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Jul 12, 2024
@tdruez
Add management command to fetch all vulnerabilities of a Dataspace #94
45a5cbc 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Jul 12, 2024
@tdruez
Refactor the views using the Vulnerability instead of API calls #94
678bcb9 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Jul 15, 2024
@tdruez
Consolidate migrations #94
2c90ec1 
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez tdruez mentioned this issue Aug 7, 2024
Merged
7 tasks
tdruez added a commit that referenced this issue Aug 12, 2024
@tdruez
Add setup for the RQ scheduler #94
de2f198 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 12, 2024
@tdruez
Add vulnerability update task to be executed for the RQ scheduler #94
c14fa60 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 12, 2024
@tdruez
Store and display the latest vulnerability update in admin #94
8de15c4 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 12, 2024
@tdruez
Add part of support for reporting on Vulnerability #94
9a3a8fc 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 13, 2024
@tdruez
Update the ProductTabInventoryView to use the vulnerability fields #94
e8a0b14 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 13, 2024
@tdruez
Move the m2m field at the Component/Package level #94
8f32b5a 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 13, 2024
@tdruez
Display the Vulnerability count in tab_hierarchy #94
a1cb58e 
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez
Copy link
Contributor

tdruez commented Aug 20, 2024

@pombredanne @tushar Goel
Could you tell me the PURL types from the list that are not supported (no data available) by VCIO? Excluding those will reduce the number of "useless" requests to the API.
['gem', 'autotools', 'sourceforge', 'bitbucket', 'rpm', 'gitlab', 'cran', 'windows-program', 'docker', 'bower', 'nuget', 'generic', 'cargo', 'npm', 'deb', 'golang', 'maven', 'composer', 'pypi', 'hackage', 'unknown', 'rubygems', 'about', 'github']

Well, for example we have ±300,000 sourceforge PURL in the nexB Dataspace, doing lookup for those is a total waste of time and resources.

More context: For ±133,000 packages in the nexB Dataspace, it currently takes about 1h and 2,674 HTTP requests made to the VCIO API.

The result is only 1,235 vulnerabilities fetched and created.
Seems like there's a lot of wasted time and resources with our current approach.

tdruez added a commit that referenced this issue Aug 20, 2024
@tdruez
Enhance the setupcron command and set proper timeout #94
2c1f8a3 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 20, 2024
@tdruez
Start 2 workers using rqworker-pool #94
a9a3b02 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 20, 2024
@tdruez
Add unit test for fetch_vulnerabilities triggers #94
5f936d9 
Signed-off-by: tdruez <tdruez@nexb.com>
This was referenced Aug 20, 2024
Closed
Closed
@pombredanne
Copy link
Member Author

pombredanne commented Aug 20, 2024
edited
Loading

@tdruez re: #94 (comment)

I suggest these progressive steps:

  • use a hardcoded list of distinct existing PURL types in VCIO
  • expose this list of existing PURL types as an endpoint
  • expose a new special endpoint that would provide a highly-compressed data structure to download quickly from VCIO and that you can query to know if a PURL may exist in VCIO
    • this could be an automaton (ahocorasick or FST) leveraging the fact that many PURL share a common prefix, or a bloom filter.
    • it would be best cached for a few hours and should come withe client code to use it to filter a (long) list of PURLs to remove these that surely do not exists @ VCIO

This is tracked in this issue:

@pombredanne pombredanne mentioned this issue Aug 20, 2024
Closed
tdruez added a commit that referenced this issue Aug 20, 2024
@tdruez
Fetch vulnerabilities post Product imports #94
b8fb7f5 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 20, 2024
@tdruez
Display the latest data update in the integration status page #94
544120a 
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez
Copy link
Contributor

tdruez commented Aug 20, 2024

@pombredanne Thanks, this sounds like it will require some work to make this happen.

In the short term, could VCIO expose a new "action" on the package endpoint to get this list of supported types? (Should be a very small and fast query)
On the DejaCode side, the process could start with fetching the available types to get a QuerySet limited to those and drastically reduce the number a queries.

tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Add changelog entry #94
3de2f31 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Merge VulnerableObjectMixin into VulnerabilityMixin #94
b65526e 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Make the DEJACODE_VULNERABILITIES_CRON setting #94
e39dd2c 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Add missing db index on the Package model #94
9a5cc96 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Limit the QS to types supported by VulnerableCode #94
9944ea8 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Renaming for consistency and add unit tests #94
251961f 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Add unit tests for VulnerabilityMixin #94
8b6f449 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Add unit tests #94
056e374 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Add unit tests for the fetchvulnerabilities management command #94
39fe7cf 
Signed-off-by: tdruez <tdruez@nexb.com>
tdruez added a commit that referenced this issue Aug 21, 2024
@tdruez
Base implementation of a Vulnerability models #94 (#148)
60618c4 
Signed-off-by: tdruez <tdruez@nexb.com>
@tdruez
Copy link
Contributor

tdruez commented Aug 21, 2024

#148 merged, full implementation details available in the PR.

@tdruez tdruez closed this as completed Aug 21, 2024
@DennisClark
Copy link
Member

DennisClark commented Aug 22, 2024
edited
Loading

PR #148 provides the following CRAVEX-related functionality:

  • It introduces a new Vulnerability model and all the code logic to fetch and create Vulnerability records and assign those to Package/Component through ManyToMany relationships.
  • A new fetchvulnerabilities management command is available to fetch all the relevant data from VulnerableCode for a given Dataspace.
  • A scheduler was added to run the vulnerability data update daily (we can discuss and adjust this to the most suitable value, depending on how often VCIO is updated for example).
  • The latest vulnerability data refresh date is displayed in the Admin dashboard in a new "Data updates" section in the botton right corner.
  • The Package/Component views that display vulnerability information (icon or tab) are now using the data from the Vulnerability model in place of calling the VulnerableCode API on each request. This result into much better performances as we do not depend on the VulnerableCode performances to render the DejaCode view anymore. Also, this will make Vulnerability data available in the Reporting system.
  • A filter is available next to the "Identifier" column header in the Package list view, and Product tabs.
  • The vulnerability icon is displayed next to the Package/Component identifier in the Product views: "Inventory", "Hierarchy", "Dependencies" tabs.
  • The vulnerability data is available in Reporting either through the is_vulnerable property on Package/Component column template or going through the full affected_by_vulnerabilities m2m field. This is available in both Query and ColumnTemplate. Query example: Package > affected_by_vulnerabilities > IS_NULL = False

Scheduler:

TODO:

@pombredanne pombredanne moved this to Done in 03-CRAVEX Oct 4, 2024
@pombredanne pombredanne moved this from Done to Validated in 03-CRAVEX Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tdruez tdruez

@DennisClark DennisClark

Labels
design needed Design details needed to complete the issue HighPriority High Priority integration Integration with other applications major Significant level-of-effort vulnerabilities Vulnerability Management
Projects
03-CRAVEX
Status: Validated
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tdruez @pombredanne @DennisClark