
Split Severity and Confidence sets of values for Vulnerabilities

Problem to solve

Severity and confidence both share the same list of values. This was fine and covered all our use cases until recently, when we tried to integrate Container Scanning and DAST results into the database.

We need to adapt our model to handle two different sets of values.

Target audience

Sam, the Security Analyst

Further details

Proposal

Move from this unique list:

LEVELS = {
  undefined: 0,
  ignore: 1,
  unknown: 2,
  experimental: 3,
  low: 4,
  medium: 5,
  high: 6,
  critical: 7
}

To two distinct lists:

SEVERITY_LEVELS = {
  undefined: 0,
  info: 1, # formerly named `ignore` and used by confidence.
  unknown: 2,
  # experimental: 3, # formerly used by confidence, useless now
  low: 4,
  medium: 5,
  high: 6,
  critical: 7
}

CONFIDENCE_LEVELS = {
  undefined: 0,
  ignore: 1,
  unknown: 2,
  experimental: 3,
  low: 4,
  medium: 5,
  high: 6,
  confirmed: 7 # formerly named `critical` and used by confidence.
}

The changes are:

  • replace the previous shared `ignore` level with an `info` level for severity
  • disable the `experimental` level for severity
  • replace the previous shared `critical` level with a `confirmed` level for confidence

Luckily, we don't need to migrate existing data, as we can map the new values onto the existing ids and keep the ordering meaningful.
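As an added example (not GitLab's code, and written in plain Ruby without Rails) of the split described above: the two proposed sets next to the legacy list, with helpers (`level_name`, `parse_level`, `at_least?` and `ids_preserved?` are my own names) showing that stored integer ids stay valid for both attributes, that ordering comparisons keep working, and that a retired severity value is caught rather than silently accepted.

```ruby
# Added example, not GitLab's code: the legacy list and the two sets that
# replace it, sharing the same integer ids so no data migration is needed.
LEGACY_LEVELS = {
  undefined: 0, ignore: 1, unknown: 2, experimental: 3,
  low: 4, medium: 5, high: 6, critical: 7
}.freeze

SEVERITY_LEVELS = {
  undefined: 0, info: 1, unknown: 2,
  low: 4, medium: 5, high: 6, critical: 7
}.freeze

CONFIDENCE_LEVELS = {
  undefined: 0, ignore: 1, unknown: 2, experimental: 3,
  low: 4, medium: 5, high: 6, confirmed: 7
}.freeze

LEVELS_BY_ATTRIBUTE = { severity: SEVERITY_LEVELS, confidence: CONFIDENCE_LEVELS }.freeze

# Name that a stored integer id now carries for the given attribute.
# Returns nil when the id is no longer valid for that attribute (e.g. the
# retired `experimental` severity), so callers can flag such rows.
def level_name(attribute, id)
  LEVELS_BY_ATTRIBUTE.fetch(attribute).key(id)
end

# Parse a raw report value (any case) into the integer id for that attribute.
# Assumption of this example: names unknown to the attribute fall back to
# :unknown, so a malformed report never yields a misleadingly high level.
def parse_level(attribute, raw)
  levels = LEVELS_BY_ATTRIBUTE.fetch(attribute)
  levels.fetch(raw.to_s.downcase.to_sym) { levels.fetch(:unknown) }
end

# Ordering stays meaningful after the split because the ids are shared,
# e.g. for a "high or worse" filter on either attribute.
def at_least?(attribute, value, threshold)
  parse_level(attribute, value) >= parse_level(attribute, threshold)
end

# Every renamed entry must keep the id it had in the legacy list; this is
# the property that makes the "no migration" claim hold.
def ids_preserved?
  { ignore: :info, critical: :critical }.all? { |old, new| SEVERITY_LEVELS[new] == LEGACY_LEVELS[old] } &&
    { critical: :confirmed }.all? { |old, new| CONFIDENCE_LEVELS[new] == LEGACY_LEVELS[old] }
end
```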

Tasks:

  • Update the AR model enums (could be a good opportunity to move to Rails 5 enums)
  • Update the DAST parser methods #severity and #confidence with the new values
  • Update the frontend to handle the separate lists and add the new values

What does success look like, and how can we measure that?

Severity and Confidence have independent sets of values, which allows DAST reports to be integrated.

Links / references

Edited by Tetiana Chupryna