cravex2-reachability: Collect available SSVC in VulnerableCode

[pombredanne]

Code to collect and store SSVC decision trees in VulnerableCode.

We have some elements of the scoring system already in place, in particular for vulnrichhment, the goal is to systematically store the data as trees to support context-aware decision down the road in DejaCode.

We need further design.

References:

• https://github.com/CERTCC/SSVC
• https://github.com/theparanoids/PrioritizedRiskRemediation
• POST: it is hard to rate the severity of vulnerabiliies www.aboutcode.org#21
• cravex2-reachability: Enhance the vulnerability-ranking system for trees dejacode#366
• Consider SSVC for vulnerabilities prioritization #1457
• fedcode-next: Code, UI and models to curate severity scoring #1719

• vulnerablecode/vulnerabilities/importers/vulnrichment.py

  Line 191 in abf81d5

  Return the ssvc vector and the decision value

• vulnerablecode/vulnerabilities/severity_systems.py

  Line 203 in abf81d5

  class SSVCScoringSystem(ScoringSystem):

[TG1999]

The design is overall like this:

class SSVC:
   vector
   options
   advisory
   decision

In dejacode, we get a package, and it's vulnerable to a known advisory ID, we can send the SSVC's options and decision to the user, and give the reference to SSVC calculator to show how we came up to the decision.

[TG1999]

Here is a design refinement:

Problem:

How shall we store and relate SSVC scores and trees to advisories

Explanation:

We have a vulnrichment importer that today imports SSVC as scores in severity and do not store decision and tree with it, only stores the vector.

What we thought initially was to store SSVC in a separate table and relate it to advisories that share the alias/advisory ID, but the issue is that those SSVC does not come from those advisories with which we are trying to relate those SSVCs, so it would be wrong to show those SSVCs. So what shall we do?

Probable Solutions:

• Store SSVC in the separate table with the original CVE that's coming from the importer, and do not relate it to any advisory

• In UI show some tooltip stating that the SSVC does not come from the advisory source it's coming from this URL and it's just a computed relation. In API document that and also show the original SSVC source data URL

[TG1999]

Support for SSVC in VulnerableCode is completed.

The main tracking PR is:

• Collect SSVC trees #2050

The SSVCs are stored in this model:

• https://github.com/aboutcode-org/vulnerablecode/pull/2050/changes#diff-7f9f2c92e7163b06d21fa139369d75caed6561d0368b60ea2516cece0220eb5bR3419

• We display the SSVC as vector and a crude tree in the UI:

• We return the SSVC as vector and tree data in the API: