Provide Severity levels for vulnerabilities found by Gemnasium

Problem to solve

Vulnerabilities reported by Gemnasium don't have a severity. Not only this information is important to users, but it's also very much needed to sort the vulnerabilities in the Security Dashboard.

The YAML files of gemnasium-db should contain a severity field or a field from which the severity can be calculated, to be propagated by gemnasium to the GitLab backend via the Dependency Scanning report.

Proposal

Add CVSS vectors (v2 and v3) to the YAML schema of gemnasium-db and make gemnasium convert these to a severity when generating the report.

Both CVSS vectors are optional, and CVSS v3 is preferred.

The severity of a vulnerability reported by Gemnasium is:

• the textual representation of the CVSS v3 base score, if defined
• else the textual representation of the CVSS v2 base score, if defined
• else Unknown

Implementation plan

• In the YAML schema of gemnasium-db, add two optional text fields corresponding to the CVSS v2 and v3 vectors; gitlab-org/security-products/gemnasium-db!430 (diffs)
• In adbcurate, collect the CVSS vectors when importing advisories from NVD: https://gitlab.com/gitlab-org/security-products/advisory-db-curation-tools/issues/16
• Update gemnasium
  • update the Advisory Go struct to load the CVSS vectors
  • parse cvss_v2 and calculate base score, possibly using https://github.com/umisama/go-cvss
  • parse cvss_v3 and calculate base score, possibly using https://github.com/bunji2/cvssv3
  • make the convert package of Gemnasium convert the CVSS vectors into textual value; see section 5. Qualitative Severity Rating Scale
  • release a new version of gemnasium
  • update gemnasium dependency in gemnasium-maven and release new version
    • gitlab-org/security-products/analyzers/gemnasium-maven!47 (merged)
    • https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-maven/pipelines/136620755
  • update gemnasium dependency in gemnasium-python and release new version
    • gitlab-org/security-products/analyzers/gemnasium-python!53 (merged)
    • https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium-python/pipelines/136622500
  • update all gemnasium test projects
    • no_dind-FREEZE branch
      • js-yarn
        • gitlab-org/security-products/tests/js-yarn!48 (merged)
      • ruby-bundler
        • gitlab-org/security-products/tests/ruby-bundler!82 (merged)
      • ruby-bundler-rails
        • gitlab-org/security-products/tests/ruby-bundler-rails!23 (merged)
      • js-npm
        • gitlab-org/security-products/tests/js-npm!63 (merged)
      • php-composer
        • gitlab-org/security-products/tests/php-composer!31 (merged)
    • master branch
      • js-yarn
        • gitlab-org/security-products/tests/js-yarn!50 (merged)
      • ruby-bundler
        • gitlab-org/security-products/tests/ruby-bundler!90 (merged)
      • js-npm
        • gitlab-org/security-products/tests/js-npm!65 (merged)
      • php-composer
        • gitlab-org/security-products/tests/php-composer!32 (merged)
      • ruby-bundler_js-yarn
        • gitlab-org/security-products/tests/ruby-bundler_js-yarn!13 (merged)
      • ruby-bundler-rails
        • gitlab-org/security-products/tests/ruby-bundler-rails!20 (merged)
      • go-modules
        • gitlab-org/security-products/tests/go-modules!25 (merged)
  • update all gemnasium-maven test projects
    • no_dind-FREEZE branch
      • java-maven
        • gitlab-org/security-products/tests/java-maven!63 (merged)
      • scala-sbt
        • gitlab-org/security-products/tests/scala-sbt!16 (merged)
      • java-gradle
        • gitlab-org/security-products/tests/java-gradle!19 (merged)
      • java-gradle-multimodules
        • gitlab-org/security-products/tests/java-gradle-multimodules!7 (merged)
      • java-maven-multimodules
        • gitlab-org/security-products/tests/java-maven-multimodules!40 (merged)
    • master branch
      • java-maven
        • gitlab-org/security-products/tests/java-maven!64 (merged)
      • scala-sbt
        • gitlab-org/security-products/tests/scala-sbt!17 (merged)
      • java-gradle
        • gitlab-org/security-products/tests/java-gradle!20 (merged)
      • java-gradle-multimodules
        • gitlab-org/security-products/tests/java-gradle-multimodules!8 (merged)
      • java-maven-multimodules
        • gitlab-org/security-products/tests/java-maven-multimodules!44 (merged)
  • update all gemnasium-python test projects
    • no_dind-FREEZE branch
      • python-pip
        • gitlab-org/security-products/tests/python-pip!81 (merged)
      • python-pipenv
        • gitlab-org/security-products/tests/python-pipenv!29 (merged)
    • master branch
      • python-pip
        • gitlab-org/security-products/tests/python-pip!88 (merged)
      • python-pipenv
        • gitlab-org/security-products/tests/python-pipenv!30 (merged)

Release Post

• gitlab-com/www-gitlab-com!45357 (merged)

This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.