Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

vulnerabilities: Improve the representation of the severity and its handling #5597

Open
fviernau opened this issue Jul 21, 2022 · 1 comment
Open

vulnerabilities: Improve the representation of the severity and its handling #5597

fviernau opened this issue Jul 21, 2022 · 1 comment
Assignees
@fviernau
Labels
advisor About the advisor tool enhancement Issues that are considered to be enhancements evaluator About the evaluator tool model About the data model

Comments

@fviernau
Copy link
Member

fviernau commented Jul 21, 2022
edited
Loading

advisor data model

The data model of the severity of vulnerabilities aka. VulnerabilityReferenceis not very strictly typed.
So, it provides too much flexibility which introduces unnecessary complexity and the handling in multiple places is not as straight forward as it could be. A more stricter typing would help, e.g.:

  1. Introduce an enum for the known scoring systems
  2. A severity should become a tuple (scoring-system, value) whereas value is a lossless representation of
    the severity, e.g. in CVSS this would be the vector (not the score).
  3. Have a UNKNOWN scoring system, for which the value is free text.
  4. For each scoring system, have a function getScore() (and maybe getScore range) for a number representation and getTextValue() for a textual representation.

Question: Should we use a severity list (like OSV does) to allow multiple representation of (the same) severity in different scoring systems, or stick to a single one? (I'd slightly tend towards a list to allow for a straight forward / non-opinionated mapping from the OSV data model)

evaluator / policy rules

In the evaluator the use case is to take vulnerabilities from the advisor and create violations if any.
The relevant part / question in this context is how to best map the severity tuples mentioned above, to
the severity of a rule violation. I propose the following

  1. The mapping from the advisor vulnerability severity to the severity of the corresponding rule violation should be completely user configurable. Therefore this should happen in the policy rules itself. However, ORT could provide a reasonable default implementation as a function of the rules API or alternatively as a function in the default or example rules.
  2. For the rule violations I believe mapping to ORT's severity (ERROR, WARNING, HINT) is fine but that should be agreed upon upfront.

evaluated model

Fix the conversion from severity to text.
@fviernau fviernau added enhancement Issues that are considered to be enhancements advisor About the advisor tool evaluator About the evaluator tool model About the data model labels Jul 21, 2022
@fviernau fviernau self-assigned this Jul 21, 2022
@fviernau fviernau mentioned this issue Jul 21, 2022
Closed
@sschuberth
Copy link
Member

This relates to addressing the issue mentioned here. The idea that I mentioned in a community meeting was to refactor the CVSS classes into a sealed class hierarchy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fviernau fviernau

Labels
advisor About the advisor tool enhancement Issues that are considered to be enhancements evaluator About the evaluator tool model About the data model
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sschuberth @fviernau