Surface package status for packages in UI. #461
Comments
What the current endpoint is generating is ADVISORIES and not VULNERABILITIES, which IMO is not what we want. This is a hard requirement for compatibility with the old Trustification. The image below belongs to RHTPA and it renders VULNERABILITIES, not Advisories.
A vulnerability is attached by way of an advisory. The vulns are there. Under the advisory that claims they are relevant.
@bobmcwhirter These 2 things are part of the Famous three Use Cases that are the Core of Trustification's design. If I look at the

```json
{
  "uuid": "47ed949e-f58b-5b81-becf-74f846748dd7",
  "purl": "pkg://rpm/redhat/[email protected]?arch=x86_64&epoch=2",
  "version": {
    "uuid": "5d1c1035-489d-5dbd-957b-319d10c8a47c",
    "purl": "pkg://rpm/redhat/[email protected]",
    "version": "16.2.10-266.el8cp"
  },
  "base": {
    "uuid": "acea5b6b-f001-54c8-a4f4-7c6a56cc70d9",
    "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo"
  },
  "advisories": [
    {
      "uuid": "urn:uuid:2df72cd6-e5ce-4b96-9e1b-1a6825efa7c6",
      "identifier": "RHSA-2024:4118",
      "hashes": [
        "sha256:f68ee4b0684ce2f2e352422ddaa568a3ae0f719be4f95d9628c0d2464b34b791"
      ],
      "issuer": {
        "id": 1,
        "name": "Red Hat Product Security",
        "cpe_key": null,
        "website": null
      },
      "published": "2024-06-26T10:05:24Z",
      "modified": "2024-06-26T16:25:08Z",
      "title": "Red Hat Security Advisory: Red Hat Ceph Storage 5.3 security, bug fix, and enhancement update",
      "status": [
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        }
      ]
    },
    {
      "uuid": "urn:uuid:704fc1ce-1ab4-456c-b0e4-114d41592d45",
      "identifier": "RHSA-2024:3925",
      "hashes": [
        "sha256:f297db08237534fa30b029f15e94b860239f3ced1594075393a60e4f66b67ed4"
      ],
      "issuer": {
        "id": 1,
        "name": "Red Hat Product Security",
        "cpe_key": null,
        "website": null
      },
      "published": "2024-06-14T13:20:25Z",
      "modified": "2024-06-14T15:19:18Z",
      "title": "Red Hat Security Advisory: Red Hat Ceph Storage 7.1 security, enhancements, and bug fix update",
      "status": [
        {
          "vulnerability": {
            "identifier": "CVE-2023-3128"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-3128"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-3128"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-3128"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2023-3128"
          },
          "status": "unknown"
        }
      ]
    },
    {
      "uuid": "urn:uuid:9da85bc5-01e6-48c0-bec8-fa5a5a119383",
      "identifier": "RHBA-2020:4144",
      "hashes": [
        "sha256:26c766434eb28bebd4abe2c267d6d9c1e0300fe620e6d383daff71d1b629aae7"
      ],
      "issuer": {
        "id": 1,
        "name": "Red Hat Product Security",
        "cpe_key": null,
        "website": null
      },
      "published": "2020-09-30T17:27:12Z",
      "modified": "2024-06-11T21:46:26Z",
      "title": "Red Hat Bug Fix Advisory: Red Hat Ceph Storage 4.1 Bug Fix update",
      "status": [
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        },
        {
          "vulnerability": {
            "identifier": "CVE-2020-1759"
          },
          "status": "unknown"
        }
      ]
    }
  ]
}
```

From the JSON above you can clearly see the identifier
What docs didja ingest so I can repro?
Good to know. I've been working with single files from test-data and none were CSAF. Definitely a hole in my testing.
@bobmcwhirter I managed to render the vulnerabilities in the UI in this PR trustification/trustify-ui#81, see image below. What I was expecting to have is "Identifier and Severity", but so far we only have "Identifier and status" (I don't know what status means):

```json
{
  "advisories": [
    {
      "status": [
        {
          "vulnerability": {
            "identifier": "CVE-2023-39325"
          },
          "status": "unknown"
        },
```

Could we add the "severity" next to each "identifier"?
You betcha!
So, one thing to consider. There is no direct relationship between packages and vulnerabilities. It requires an advisory in-between to assert a connection, hence the deeper tree.
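As an added example (not code from the trustify project or from any participant in this thread), the Python below takes a package response of the shape quoted above, where each vulnerability reaches the package only through an advisory, and flattens it into the per-vulnerability rows the UI wants to render, keeping the asserting advisories on each row. It also counts the repeated identical status entries that the quoted response shows under each advisory, which is a cheap sanity check to run against the endpoint output. The sample package is constructed and trimmed from the quoted JSON; it carries no severity field because the endpoint does not expose one yet.

```python
"""Flatten the package -> advisories -> status tree into per-vulnerability rows.

Added example, not trustify project code. It assumes only the response shape
quoted in this issue: a package object whose "advisories" list carries a
"status" list of {"vulnerability": {"identifier": ...}, "status": ...} entries.
"""
from collections import Counter

# Constructed sample, trimmed from the /api/v1/package/{uuid} response quoted
# above; the repeated status entries mirror what that response showed.
SAMPLE_PACKAGE = {
    "purl": "pkg://rpm/redhat/rbd-nbd-debuginfo",
    "advisories": [
        {
            "identifier": "RHSA-2024:4118",
            "status": [
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-39325"}, "status": "unknown"},
            ],
        },
        {
            "identifier": "RHSA-2024:3925",
            "status": [
                {"vulnerability": {"identifier": "CVE-2023-3128"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2023-3128"}, "status": "unknown"},
            ],
        },
        {
            "identifier": "RHBA-2020:4144",
            "status": [
                {"vulnerability": {"identifier": "CVE-2020-1759"}, "status": "unknown"},
                {"vulnerability": {"identifier": "CVE-2020-1759"}, "status": "unknown"},
            ],
        },
    ],
}


def vulnerabilities_for_package(package: dict) -> list[dict]:
    """One row per vulnerability identifier, listing the advisories that
    assert it against this package and the distinct statuses they give.

    A vulnerability reaches a package only through an advisory, so the
    advisory identifiers are kept on the row instead of being dropped.
    """
    rows: dict[str, dict] = {}
    for advisory in package.get("advisories", []):
        for entry in advisory.get("status", []):
            cve = entry["vulnerability"]["identifier"]
            row = rows.setdefault(
                cve, {"identifier": cve, "advisories": set(), "status": set()}
            )
            row["advisories"].add(advisory["identifier"])
            row["status"].add(entry["status"])
    return [
        {
            "identifier": row["identifier"],
            "advisories": sorted(row["advisories"]),
            "status": sorted(row["status"]),
        }
        for row in sorted(rows.values(), key=lambda r: r["identifier"])
    ]


def duplicate_status_entries(package: dict) -> dict[tuple[str, str, str], int]:
    """Count identical (advisory, vulnerability, status) entries.

    The quoted response repeats the same entry many times under one
    advisory; only triples seen more than once are returned.
    """
    counts: Counter = Counter()
    for advisory in package.get("advisories", []):
        for entry in advisory.get("status", []):
            key = (
                advisory["identifier"],
                entry["vulnerability"]["identifier"],
                entry["status"],
            )
            counts[key] += 1
    return {key: n for key, n in counts.items() if n > 1}


if __name__ == "__main__":
    for row in vulnerabilities_for_package(SAMPLE_PACKAGE):
        statuses = ",".join(row["status"])
        via = ", ".join(row["advisories"])
        print(f'{row["identifier"]:16} status={statuses} via {via}')
    for (advisory, cve, status), n in duplicate_status_entries(SAMPLE_PACKAGE).items():
        print(f"duplicate: {advisory} {cve} {status} x{n}")
```

The rows keep a set of statuses rather than a single value because nothing in the response guarantees that two advisories will agree about the same CVE; the UI can decide how to present a disagreement once it is visible.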
Added in d8ca36d
From /api/v1/package/{uuid} or /api/v1/package/version/{uuid}
Packages (and package/version) now include advisories and status, which may include stuff such as: