-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple remediations per observations #1199
Comments
I see what you mean, but have to think about, what the best solution is. I don't think it's the status "Risk accepted", that means it is as it is, I cannot do something at the moment and accept the risk that is involved with the vulnerability. We might need a list of remediations with different categories, that are editable for imported vulnerabilities. They would need to be concatenated for OpenVEX. |
What we could do:
Does that makes sense, @dervoeti ? |
Sounds good in general. The question remains if we need a new status "Affected" or something like that. And then only display the "remediations" section in the assessment dialog when the status is "Affected"? |
I just checked, maybe https://docs.djangoproject.com/en/4.2/ref/models/fields/#django.db.models.JSONField could be used for this:
I'll try to draft something with this. |
Please let's have a chat about it before you start. I am not sure what the right way is to deal with the issue and would like to understand your idea better. |
We're currently thinking about how to solve the following scenarios:
mitigation
andworkaround
.vendor_fix
. In theory this could automatically be determined, if a newer version is present in SecObserve that does not have this vulnerability (that requires some form of version comparison though). Or the user would manually specify that version when selectingvendor_fix
.Things to consider:
remediation
currently depends on the SecObserverecommendation
. It looks like you can't specify arecommendation
for imported observations.vendor_fix
andworkaround
, so people can choose whether they want to upgrade or implement the suggested workaround).I'm not sure what's the best way to solve this, this is quite complex. Perhaps users could optionally provide a list of remediations when selecting "Risk accepted" in the assessment dialog. Happy to implement this, but I wanted to discuss the best way to do it first.
Originally posted by @dervoeti in #1106 (comment)
The text was updated successfully, but these errors were encountered: