Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: support CVSS3 scores in rendered annotation #26

Merged
merged 6 commits into from
Nov 30, 2023
Merged

feat: support CVSS3 scores in rendered annotation #26

merged 6 commits into from
Nov 30, 2023

Conversation

jamestelfer
Copy link
Member

@jamestelfer jamestelfer commented Nov 23, 2023
edited
Loading

AWS has added support for CVSS3 scores and vectors in scan findings. These are included by preference, and CVSS2 scores are becoming less common, leading to lots of gaps in the detailed data that is rendered.

CVSS3 scores are now shown preferentially, only falling back to CVSS2 when a CVSS3 score is not present. A CVSS2 score will have "(*CVSS2)" added to the Score column to highlight that it is not directly comparable with other results in the table.

Based on the updated rendering types implemented in #25.

@jamestelfer jamestelfer changed the base branch from main to add-ignore-file November 23, 2023 12:42
@jamestelfer jamestelfer changed the title Support-cvss3 feat: support CVSS3 scores in rendered annotation Nov 23, 2023
@jamestelfer jamestelfer force-pushed the support-cvss3 branch 2 times, most recently from c692b11 to 046dfc9 Compare November 23, 2023 22:42
@jamestelfer
Copy link
Member Author

Example output from a build

image

ctgardner
ctgardner reviewed Nov 24, 2023
View reviewed changes
src/finding/summary.go Show resolved Hide resolved
src/finding/summary.go Show resolved Hide resolved
src/finding/summary.go Outdated Show resolved Hide resolved
src/finding/summary.go Show resolved Hide resolved
@jamestelfer jamestelfer mentioned this pull request Nov 27, 2023
Merged
ctgardner
ctgardner previously approved these changes Nov 27, 2023
View reviewed changes
Copy link
Contributor

@ctgardner ctgardner left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. Perhaps some types could've been used to organise it better

@jamestelfer
Copy link
Member Author

Perhaps some types could've been used to organise it better

What sort of types?

Base automatically changed from add-ignore-file to main November 29, 2023 22:33
@jamestelfer jamestelfer dismissed ctgardner’s stale review November 29, 2023 22:33

The base branch was changed.

jamestelfer and others added 6 commits November 30, 2023 09:35
@jamestelfer
fix: use new CVE site links
7e45b51 
The mitre.org site is obsolescent, being replaced by the cve.org
site with a new format. Switch over now: when AWS switches links they
will continue to work.

Also sometimes AWS is publishing links for advisories that aren't valid.
Try to detect this and push to a GH vulnerability search instead.
@jamestelfer
refactor: extract CVSS score to type
8bcb545 
Allows for easier adoption of CVSS3 score display.
@jamestelfer
fix: display CVSS2 data in single column
ff0ef78 
Paves the way for the arrival of CVSS3 scores
@jamestelfer
feat: add CVSS3 scores to report
16150f8 
CVSS3 scores are now shown preferentially, only falling back to CVSS2
when a CVSS3 score is not present.
@jamestelfer
docs: add output examples to readme
4268b39
@jamestelfer @ctgardner
fix: update URL creation based on feedback
7f19863 
Co-authored-by: Callum Gardner <callum.gardner@cultureamp.com>
@jamestelfer
Copy link
Member Author

Rebased on main after the upstream branch was merged.

@jamestelfer jamestelfer merged commit d2634fc into main Nov 30, 2023
7 checks passed
@jamestelfer jamestelfer deleted the support-cvss3 branch November 30, 2023 00:42
@jamestelfer
Copy link
Member Author

Many thanks!

@jamestelfer jamestelfer mentioned this pull request Mar 15, 2024
Closed
7 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ctgardner ctgardner ctgardner approved these changes

@therealvio therealvio Awaiting requested review from therealvio

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jamestelfer @ctgardner @therealvio