Skip to content

Store severity scores #290

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
sbs2001 merged 22 commits into from
Feb 9, 2021
Merged

Store severity scores #290

sbs2001 merged 22 commits into from
Feb 9, 2021

Conversation

@sbs2001
Copy link
Collaborator

@sbs2001 sbs2001 commented Nov 29, 2020
edited
Loading

Implementation of #157 (comment)

Fixes #157

  • Add data structures to store severity scores

@sbs2001 sbs2001 requested a review from pombredanne November 29, 2020 10:42
@sbs2001 sbs2001 changed the title Store severity scores [WIP]Store severity scores Nov 29, 2020
pombredanne
pombredanne requested changes Dec 1, 2020
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
See my comments in line for your consideration.

pombredanne
pombredanne reviewed Dec 2, 2020
View reviewed changes
pombredanne
pombredanne reviewed Dec 11, 2020
View reviewed changes
pombredanne
pombredanne reviewed Dec 11, 2020
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my suggested changes for the models.

@pombredanne
Copy link
Member

pombredanne commented Dec 17, 2020

@sbs2001 you wrote:

I thought about #290 (comment) , and I think storing the ScoringSystems in the db would be a better approach

It can but then how scoring systems will we have? At most a couple per data sources, and in reality only a handful. And this is purely static data, and not really usable as data for some query except for the identifier so I am not sure this needs the added ceremony and complexity when stored in the DB. (e.g. you then need fixtures to bootstrap etc.). I see this instead as an enhanced but still very small list of value choices for a single field.

@sbs2001 sbs2001 mentioned this pull request Dec 19, 2020
Closed
@sbs2001 sbs2001 force-pushed the store_severity branch 3 times, most recently from 0118d9e to b24c934 Compare December 24, 2020 09:50
@sbs2001 sbs2001 changed the title [WIP]Store severity scores Store severity scores Dec 24, 2020
@sbs2001 sbs2001 force-pushed the store_severity branch 3 times, most recently from d6b2bee to 9a72e52 Compare January 24, 2021 13:03
@sbs2001 sbs2001 requested a review from pombredanne January 26, 2021 04:20
pombredanne
pombredanne requested changes Jan 27, 2021
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
See my comments inline

@sbs2001 sbs2001 mentioned this pull request Jan 29, 2021
Merged
sbs2001 added a commit to sbs2001/vulnerablecode that referenced this pull request Jan 31, 2021
@sbs2001
Make PR review changes for PR aboutcode-org#290
2656e76 
* Correct typo in severity_systems.py
* Use typo for scoring fields instead of list
  in models.py

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
sbs2001 added a commit to sbs2001/vulnerablecode that referenced this pull request Jan 31, 2021
@sbs2001
Make PR review changes for PR aboutcode-org#290
783292b 
* Correct typo in severity_systems.py

* Use typo for scoring fields instead of list
  in models.py

* Handle absence of bugzilla and RHSA  better in redhat.py

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
pombredanne
pombredanne reviewed Feb 2, 2021
View reviewed changes
pombredanne
pombredanne requested changes Feb 2, 2021
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Almost there ! see my comments inline for your consideration.

@sbs2001
Add db models to store severity scores of vulnerabilities
4fc018f 
 A VulnerabilitySeverity models is added in models.py to
 store severity of vulnerability.

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Add dataclasses and enable to import severity scores
38b456a 
 A dataclass `VulnerabilitySeverity` is added to enable to
 transport of severity scores.

 The logic in importer_runner.py is modified to store, update
 severity scores and link it to reference and vulnerability

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Store severity scores given by NVD.
221bc12 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Store severity scores given by RedHat
52724a5 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Remove VulnerabilityReferenceInserter class
98e4082 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
sbs2001 added 16 commits February 3, 2021 14:19
@sbs2001
Make code review changes
9fc7ec8 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Avoid unnnecessary init of default args in test_nvd.py
b0ae6a8 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Delete vscode config and add it to gitignore
5d22856 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Rename scores to severities in the advisory dataclass
190440b 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Improve order of fields in Reference dataclass
ee7e509 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Store severity scores given by NVD.
9ca5558 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Store severity scores given by RedHat
0887e83 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Misc Data Structure changes
86f2e4f 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Refactor tests and importers to use new data structure field names
e8e6166 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Rebase and resolve conflicts
c9df2f9 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Create and use ScoringSystem objects for handling severity
0312cfb 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Cast score value to string while inserting it into db
641b457 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Change field naming in VulnerabilitySeverity model
be24df0 
scoring_system_identifier is changed to scoring_system

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Make PR review changes for PR aboutcode-org#290
5428b37 
* Correct typo in severity_systems.py

* Use typo for scoring fields instead of list
  in models.py

* Handle absence of bugzilla and RHSA  better in redhat.py

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Add scoring system for vectors
d78cd0f 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001
Fix tests
8d19463 
Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001 sbs2001 requested a review from pombredanne February 3, 2021 11:29
pombredanne
pombredanne reviewed Feb 9, 2021
View reviewed changes
vulnerabilities/importers/redhat.py
bugzilla = advisory_data.get("bugzilla")
if bugzilla:
url = "https://bugzilla.redhat.com/show_bug.cgi?id={}".format(bugzilla)
bugzilla_data = requests.get(f"https://bugzilla.redhat.com/rest/bug/{bugzilla}").json()
Copy link
Member

@pombredanne pombredanne Feb 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just as a side note, this is the kind of JSON we would likely need to store forever as back auditable evidence when we will do this later ... which likely calls for a central place where we fetch things from

pombredanne
pombredanne reviewed Feb 9, 2021
View reviewed changes
vulnerabilities/models.py
max_length=50,
choices=scoring_system_choices,
help_text="Identifier for the scoring system used. Available choices are: {} ".format(
", ".join(
Copy link
Member

@pombredanne pombredanne Feb 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For readability, an intermediate variable would be better for this

pombredanne
pombredanne reviewed Feb 9, 2021
View reviewed changes
vulnerabilities/tests/test_redhat_importer.py
namespace="redhat",
name="bash",
version="4.1.2-48.el6",
qualifiers=OrderedDict(),
Copy link
Member

@pombredanne pombredanne Feb 9, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Feel free to remove OrderedDict from the whole codebase BTW since the dicts are always ordered now.

pombredanne
pombredanne approved these changes Feb 9, 2021
View reviewed changes
Copy link
Member

@pombredanne pombredanne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! let's merge.

@sbs2001 sbs2001 merged commit 1d7b64e into aboutcode-org:main Feb 9, 2021
sbs2001 added a commit to sbs2001/vulnerablecode that referenced this pull request Feb 12, 2021
@sbs2001
Make PR review changes for PR aboutcode-org#290
fd73cfc 
* Correct typo in severity_systems.py

* Use typo for scoring fields instead of list
  in models.py

* Handle absence of bugzilla and RHSA  better in redhat.py

Signed-off-by: Shivam Sandbhor <shivam.sandbhor@gmail.com>
@sbs2001 sbs2001 mentioned this pull request Feb 14, 2021
Closed
@sbs2001 sbs2001 mentioned this pull request Apr 26, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pombredanne pombredanne pombredanne approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Change database schema to accommodate different types of severity indicators

2 participants

@sbs2001 @pombredanne