feat: support multple cvssBelow thesholds per version (#2563) #8024
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
boring-cyborg
bot
added
core
|
If there are any additional changes requested or feedback on this, I'd be happy to update the changes to reflect those. |
|
I'll need to re-review before I merge - but this will likely be included in the next minor release. I think there might be one more point release before I merge the three feature PRs. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of Change
Implements the proposed changes in #2563. Adds 3 cvssVnBelow thresholds in the suppression configuration, one for each version (n=2, 3 and 4). The suppression logic is updated so that a vulnerability will only be suppressed if all the version scores are below their cvssVnBelow values. For existing suppressions using cvssBelow nothing changes, only when cvssVnBelow elements are included in the suppression with the new functionality be applied.
For example, in the existing implementation if a vulnerability has a scores of say 5 (V2) and 9 (V3) and cvssBelow is set to 7. The vulnerability is suppressed due to the V2 score of 5. This new functionality will allow a suppression to be configured with cvssV2Below=7, cvssV3Below=7, and then the same vulnerability will not get suppressed since all the cvssBelow checks do not agree to suppress.
Related issues
Fixes #2563
Have test cases been added to cover the new functionality?
yes