-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for Calculating Risk in VulnerableCode #1593
Conversation
it would be really great to see a review of this PR soon! |
Set data_source as the header for the exploit table. Squash the migration files into a single file. Add test for exploit-db , metasploit Add a missing migration file Rename resources_and_notes to notes Fix Api test Refactor metasploit , exploitdb , kev improver Rename Kev tab to exploit tab Add support for exploitdb , metasploit, kev Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Refactor the error handling logic in the code. Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Add pipeline_id for ( kev, metasploit, exploit-db ) Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Set data_source as the header for the exploit table. Squash the migration files into a single file. Add test for exploit-db , metasploit Add a missing migration file Rename resources_and_notes to notes Fix Api test Refactor metasploit , exploitdb , kev improver Rename Kev tab to exploit tab Add support for exploitdb , metasploit, kev Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Refactor the error handling logic in the code. Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziadhany <ziadhany2016@gmail.com> Signed-off-by: ziad hany <ziadhany2016@gmail.com>
uncomment all importers Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany this generally looks good to me, can we have some logs for the pipeline and some UI and API screenshots so we can merge it. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @ziadhany, some nits for your consideration.
Also, please use LoopProgress
while iterating over large records, as we do here
progress = LoopProgress(total_iterations=fetched_exploit_count, logger=self.log) |
…skPackagePipeline to ComputePackageRiskPipeline. Add a tooltip for risk, and remove any unused imports in the view. Signed-off-by: ziad hany <ziadhany2016@gmail.com>
…ore and remove any extra whitespace in views.py. Signed-off-by: ziad hany <ziadhany2016@gmail.com>
Signed-off-by: ziad hany <ziadhany2016@gmail.com>
@ziadhany please update the changelog. Also, IMO we should use |
Re: "IMO we should use weight_config.yml instead of JSON file for configuration, like we do in our other projects." I am fine with that alternative. |
But why having a config file? IMHO this should just be some Python data in a .py file. This is not meant to be updated by anyone but us for now. |
I think that someone running their own installation of VulnerableCode should be able to adjust the weight assignments based on their own experience. The idea of a config file has been in the design document for quite a while now and we need to move things forward to get this done. |
ok, let's go with .py if that is the simplest |
We should keep local configuration in the plan but custom configuration would add unnecessary complexity at this early stage. |
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Signed-off-by: Keshav Priyadarshi <git@keshav.space>
Thanks @ziadhany, merging this now! |
@ziadhany or @keshav-space could you please post some screenshots here that show the display of the new values in VCIO? Thanks! Also please confirm that all 3 values will be available in the V2 API.
|
@DennisClark We store the value of |
@ziadhany I think your should store the values of |
Looking at https://github.com/aboutcode-org/vulnerablecode/pull/1593/files I see 4 values being computed:
We need to clarify if those values are computed/defined for a Vulnerability entry of for a Package (combination of Vulnerabilities). This matters a lot in the presentation of the data, depending on the context, one may view it through 1 Package, or through 1 vulnerability that affects many Packages. At the moment, only the Now, for |
Yes, we can store a vulnerability risk. However, If we plan to store the risk_score for each vulnerability while also storing and displaying the I suggest storing only the However, if we don't mind some data duplication in exchange for better performance, we could store the following: Please let me know exactly what needs to be done so we can quickly create a pull request for it. |
@ziadhany could you clarify the "data duplication", maybe with an example? I'm not sure to get what would be duplicated here. |
@tdruez We are going to calculate the weighted_severity and exploitability_level for The risk for Vulnerability 1: ( 2 * 3 ) = 6 The package risk is the maximum risk of the vulnerabilities affecting this package, which is If we store the weighted_severity and exploitability_level, there’s no need to store the vulnerability risk (as it would be redundant data). Similarly, there’s no need to store the package risk since it can be easily calculated as the maximum of the vulnerability risks. |
I still don't see the duplication storing the risk_score for each vulnerability.
Could you clarify this? Why is it redundant? |
@tdruez I mean, if we create two columns for and there might be no need for a package risk column since it represents the maximum of the But, as you mentioned, it can be useful for ordering and filtering a vulnerability listing, and it can lead to better performance. |
@ziadhany Alright, we should start by adding |
Alright, I'll create a quick PR for this. |
issue: #1543