Spike: What success metrics for CVS on advisory DB change?
Topic to Evaluate
What metrics do we need to measure the success of Dependency Scanning: CVS Trigger scans on Advis... (&9534 - closed)?
Tasks to Evaluate
- Identify success metrics for CVS on advisory DB change.
- Prioritize these metrics.
- Create issues.
Outcome
Success metrics for DS CVS on advisory DB change:
- Count of the vulnerabilities created. #422964 (comment 1526481604)
- Count scans on advisory ingestion.
- Time from adding an advisory to the advisory DB (GLAD) to creating vulnerabilities. #422964 (comment 1538990684)
We might also consider:
- Compare age of the advisory publication date to age of the vulnerability appearing in a project. #422964 (comment 1535251291)
NOTE: We can't directly rely on the time that passes between the advisory publication date and the date the vulnerability appears in a project, because advisories might be ingested into the advisory DB long after being published. #422964 (comment 1536675335)
Some success metrics for further consideration (not in scope for MVC):
- Percentage of vulnerabilities created upon advisory DB changes compared to vulnerabilities created from a pipeline scan. #422964 (comment 1526481604)
- Time-based metric to emphasize the improved efficiency of CVS. How much more quickly do teams become aware of new vulnerability data? For any newly identified vulnerability, what % of projects contain the specified component? #422964 (comment 1534660212)
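As an added illustration (not part of this issue or GitLab's code), the metrics above computed over constructed records. The record shapes, the `source` field distinguishing CVS-created from pipeline-created vulnerabilities, and the timestamps are assumptions; the point is that the lag is measured from ingestion into GLAD, not from upstream publication, because a late-ingested advisory skews the publication-based figure.

```python
from datetime import datetime
from statistics import median

# Constructed sample data (not real GLAD or GitLab records).
# Advisory: when it was published upstream and when it was ingested into GLAD.
ADVISORIES = {
    "ADV-1": {"published_at": datetime(2023, 9, 1), "ingested_at": datetime(2023, 9, 2)},
    # ADV-2 was ingested about three months after publication.
    "ADV-2": {"published_at": datetime(2023, 6, 1), "ingested_at": datetime(2023, 9, 3)},
}

# Vulnerability: originating advisory, how it was created (CVS or pipeline scan), creation time.
VULNERABILITIES = [
    {"advisory": "ADV-1", "source": "cvs", "created_at": datetime(2023, 9, 2, 6)},
    {"advisory": "ADV-1", "source": "cvs", "created_at": datetime(2023, 9, 2, 12)},
    {"advisory": "ADV-2", "source": "cvs", "created_at": datetime(2023, 9, 3, 2)},
    {"advisory": "ADV-1", "source": "pipeline", "created_at": datetime(2023, 9, 4)},
]

# One entry per scan triggered by an advisory ingestion.
INGESTION_SCANS = [{"advisory": "ADV-1"}, {"advisory": "ADV-2"}, {"advisory": "ADV-2"}]


def cvs_vulnerability_count(vulns=VULNERABILITIES):
    """Metric 1: count of vulnerabilities created by CVS on advisory DB change."""
    return sum(1 for v in vulns if v["source"] == "cvs")


def ingestion_scan_count(scans=INGESTION_SCANS):
    """Metric 2: count of scans triggered by advisory ingestion."""
    return len(scans)


def hours_since(field, vulns=VULNERABILITIES, advisories=ADVISORIES):
    """Hours from an advisory timestamp (ingested_at or published_at) to CVS vulnerability creation."""
    return [(v["created_at"] - advisories[v["advisory"]][field]).total_seconds() / 3600
            for v in vulns if v["source"] == "cvs"]


def summarize(vulns=VULNERABILITIES, scans=INGESTION_SCANS, advisories=ADVISORIES):
    """Metric 3 is median_hours_from_ingestion; the publication-based figure is shown only to
    expose how late ingestion inflates it. cvs_share_percent is the out-of-scope percentage metric."""
    return {
        "cvs_vulnerabilities": cvs_vulnerability_count(vulns),
        "ingestion_scans": ingestion_scan_count(scans),
        "median_hours_from_ingestion": median(hours_since("ingested_at", vulns, advisories)),
        "median_hours_from_publication": median(hours_since("published_at", vulns, advisories)),
        "cvs_share_percent": 100.0 * cvs_vulnerability_count(vulns) / len(vulns),
    }
```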
Edited by Fabien Catteau