
Add exposure_factor field to the ProductItemPurpose model #102 #218

Merged (31 commits) on Dec 27, 2024

Conversation

tdruez (Contributor) commented Dec 19, 2024

#102

The weighted_risk_score risk factor is updated when:

  • A ProductPackage is added or edited
  • A ProductItemPurpose is updated
  • The fetchvulnerabilities management command is run
  • A new or updated Vulnerability affects a package (its risk_score has changed)

tdruez (Contributor, Author) commented Dec 20, 2024

@DennisClark The new weighted_risk_score field and logic have been implemented.

Now, I had to rework the Vulnerabilities tab, putting the packages in the first column, to make sense of the new computed risk value, since that value applies to a ProductPackage.

Looking from a Vulnerability records perspective does not make sense if we want to promote the aggregate risk value that lives at the ProductPackage level.

Anyway, the code is not very stable yet but your input is needed at this stage.

DennisClark (Member) commented:

@tdruez Testing in progress. The enhancements to the Product item purposes are good, except that when I updated the Core entry in Staging Starship it took a really long time (sorry I did not time it, since it happened kind of unexpectedly), possibly as much as 10 minutes, to complete, and it looked like the application was hung. I assume that it was updating the 2352 product package relationships in that dataspace. Anyway, it completed OK, but we might want some kind of message to the user before starting the updates.

DennisClark (Member) commented:

@tdruez The risk weighted by the exposure factor of the product item purpose appears to be working fine in Cargo Manager 2.9.5 of Staging Starship. I updated a number of Purpose fields (they were all defaulted to Core at first) and the impact on the vulnerabilities tab worked just fine; in fact, it reduced the risk below the threshold (as it should) and I needed to toggle to all of the vulnerabilities to see the recalculated ones that were significantly lowered.

I appreciate the UI showing the base risk on the vulnerability and the weighted risk right next to it; that makes a lot of sense.

Since there is a lot of empty space in the Package fields of the Vulnerabilities tab, perhaps we could show the Purpose as a colored label in that field? That would be a rather nice bit of info to help the analyst reviewing the vulnerabilities.

DennisClark (Member) commented:

Hi @tdruez. As long as you are working on the Vulnerabilities tab, perhaps you can think about a way to address a not-so-good side effect of the risk threshold feature. If all of the vulnerabilities associated with the product are below the threshold, it disables the Vulnerabilities tab, and the only way to activate it is to edit the Product risk threshold to a value low enough to see the hidden ones and save that change. So not really a bug, but a usability issue. Perhaps it would be better to keep the Vulnerabilities tab enabled and maybe put a 0 (zero) in the tab label. Please think about a good way to handle this, thanks.

tdruez (Contributor, Author) commented Dec 23, 2024

@DennisClark

The enhancements to the Product item purposes are good, except that
when I updated the Core entry in Staging Starship it took a really long time

The code was not yet optimized, and each weighted_risk_score was computed and saved one by one.
I have converted the logic into a SQL UPDATE statement, where everything is computed and updated directly at the database level.
This should now be quite fast.

Since there is a lot of empty space in the Package fields of the Vulnerabilities tab, perhaps we could
show the Purpose as a colored label in that field?

I've added a few values in that area: the purpose, the exposure factor, and the "is deployed" value.
That should help to provide some extra context while looking at vulnerabilities.

Perhaps it would be better to keep the Vulnerabilities tab enabled.

The Vulnerabilities tab will now stay enabled in case the threshold returns 0 vulnerabilities.
The tab stays disabled in case no vulnerabilities are affecting the product at all, regardless of the risk threshold.


A couple of extra changes:

  • Added the vulnerability icon in the Product list view. An "Is Vulnerable" filter is also available.
  • The count in the Vulnerabilities tab was improved to include the count of affected packages and the count of unique vulnerabilities.
    Note that those counts reflect the current risk threshold.
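An added example, not the project's own code, of the set-based recalculation described in this reply and of the update triggers listed in the opening comment: an in-memory SQLite stand-in for the two models, a single correlated UPDATE that computes weighted_risk_score as risk_score multiplied by the purpose's exposure_factor (formula assumed; the page only says the risk is weighted by the exposure factor), and a count that applies the risk threshold the way the Vulnerabilities tab does. Table and column names, the sample rows and the "at or above threshold" rule are assumptions.

```python
import sqlite3

# Constructed sample data (not from the project): None risk_score = no known vulnerability.
PURPOSES = [("Core", 1.0), ("Test", 0.5), ("Build", 0.25)]
PACKAGES = [  # (id, package, purpose, risk_score)
    (1, "pkg-a", "Core", 9.0),
    (2, "pkg-b", "Test", 9.0),
    (3, "pkg-c", "Build", 4.0),
    (4, "pkg-d", "Core", None),
]

def setup_db():
    """In-memory schema standing in for ProductItemPurpose and ProductPackage."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE purpose (name TEXT PRIMARY KEY, exposure_factor REAL NOT NULL);
        CREATE TABLE product_package (
            id INTEGER PRIMARY KEY, package TEXT NOT NULL, purpose TEXT NOT NULL,
            risk_score REAL, weighted_risk_score REAL);
    """)
    conn.executemany("INSERT INTO purpose VALUES (?, ?)", PURPOSES)
    conn.executemany("INSERT INTO product_package VALUES (?, ?, ?, ?, NULL)", PACKAGES)
    return conn

def update_weighted_risk_scores(conn, purpose=None):
    """Recompute weighted_risk_score with one set-based UPDATE (no per-row saves).
    Assumed formula: risk_score * exposure_factor; a NULL risk_score stays NULL.
    A purpose restricts the update to its packages (the ProductItemPurpose edit case).
    """
    sql = """
        UPDATE product_package
        SET weighted_risk_score = risk_score * (
            SELECT exposure_factor FROM purpose
            WHERE purpose.name = product_package.purpose)
    """
    params = ()
    if purpose is not None:
        sql += " WHERE purpose = ?"
        params = (purpose,)
    with conn:  # single transaction, committed on exit
        return conn.execute(sql, params).rowcount

def weighted_scores(conn):
    return dict(conn.execute("SELECT package, weighted_risk_score FROM product_package"))

def affected_package_count(conn, risk_threshold):
    """Packages the Vulnerabilities tab lists: weighted score at or above the threshold."""
    sql = "SELECT COUNT(*) FROM product_package WHERE weighted_risk_score >= ?"
    return conn.execute(sql, (risk_threshold,)).fetchone()[0]
```

Re-running the update with no purpose covers the fetchvulnerabilities and Vulnerability-changed triggers; passing a purpose covers a single purpose edit without touching the other rows.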

DennisClark (Member) commented:

@tdruez Everything working fine as you described. The new fields on the package field are very nice additions, thanks. No problems found. Unless you are planning even more enhancements, this feature is ready I think!
