Split Severity and Confidence sets of values for Vulnerabilities
Problem to solve
`severity` and `confidence` both share the same list of values. This was fine and covered all our use cases until recently, when we tried to integrate Container Scanning and DAST results in the database.
We need to adapt our model to handle two different sets of values.
Target audience
Sam, the Security Analyst
Further details
Proposal
Move from this unique list:
```ruby
LEVELS = {
  undefined: 0,
  ignore: 1,
  unknown: 2,
  experimental: 3,
  low: 4,
  medium: 5,
  high: 6,
  critical: 7
}
```
To two distinct lists:
```ruby
SEVERITY_LEVELS = {
  undefined: 0,
  info: 1, # formerly named `ignore` and used by confidence.
  unknown: 2,
  # experimental: 3, # formerly used by confidence, useless now
  low: 4,
  medium: 5,
  high: 6,
  critical: 7
}

CONFIDENCE_LEVELS = {
  undefined: 0,
  ignore: 1,
  unknown: 2,
  experimental: 3,
  low: 4,
  medium: 5,
  high: 6,
  confirmed: 7 # formerly named `critical` and used by confidence.
}
```
The changes are:
- replace the previous common `ignore` level with an `info` level for severity
- disable the `experimental` level for severity
- replace the previous common `critical` level with a `confirmed` level for confidence
Luckily, we don't need to migrate existing data as we can map new values with existing ids and keep the ordering meaningful.
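To make the "no migration needed" argument checkable, here is an added example (written for this issue, not the project's own model or parser code) that re-reads every integer the old shared enum could have stored under the two proposed enums and verifies the two invariants the proposal relies on: every id keeps its meaning apart from the documented renames, and ids still increase along each list so ordering comparisons stay valid. The plain Ruby hashes stand in for the `enum` declarations; `remap_table`, `compatible?` and `invalid_severity_rows` are names chosen here and do not exist in the project.

```ruby
# Added example: the old shared list and the two proposed lists from this issue.
LEVELS = { undefined: 0, ignore: 1, unknown: 2, experimental: 3,
           low: 4, medium: 5, high: 6, critical: 7 }.freeze

SEVERITY_LEVELS = { undefined: 0, info: 1, unknown: 2,
                    low: 4, medium: 5, high: 6, critical: 7 }.freeze

CONFIDENCE_LEVELS = { undefined: 0, ignore: 1, unknown: 2, experimental: 3,
                      low: 4, medium: 5, high: 6, confirmed: 7 }.freeze

# The renames the proposal documents: old shared name => new name, per field.
SEVERITY_RENAMES   = { ignore: :info }.freeze
CONFIDENCE_RENAMES = { critical: :confirmed }.freeze

# Read a stored integer back under the new enums (what the model would do
# after the split). A severity id that is no longer defined is an error.
def severity_name(id)
  SEVERITY_LEVELS.key(id) or raise ArgumentError, "severity id #{id} is no longer defined"
end

def confidence_name(id)
  CONFIDENCE_LEVELS.key(id) or raise ArgumentError, "unknown confidence id #{id}"
end

# For every id the old enum could have written, what each new enum reads back.
# Returns { old_name => [new_severity_name_or_nil, new_confidence_name] }.
def remap_table
  LEVELS.to_h do |old_name, id|
    [old_name, [SEVERITY_LEVELS.key(id), CONFIDENCE_LEVELS.key(id)]]
  end
end

# Invariants behind "we don't need to migrate existing data":
#  1. confidence keeps every old id, modulo the documented rename;
#  2. severity either keeps an id (modulo rename) or drops it entirely,
#     never reuses it for a different meaning;
#  3. ids strictly increase along each list, so ordering stays meaningful.
def compatible?
  LEVELS.each do |old_name, id|
    sev = SEVERITY_LEVELS.key(id)
    con = CONFIDENCE_LEVELS.key(id)
    return false unless con == CONFIDENCE_RENAMES.fetch(old_name, old_name)
    return false unless sev.nil? || sev == SEVERITY_RENAMES.fetch(old_name, old_name)
  end
  [SEVERITY_LEVELS, CONFIDENCE_LEVELS].all? do |levels|
    levels.values.each_cons(2).all? { |a, b| a < b }
  end
end

# Rows whose severity column holds an id the new severity enum does not define
# (i.e. experimental = 3) would fail to load after the split; find them in a batch.
# `rows` is a constructed stand-in for records: [{ id: ..., severity: <int> }, ...].
def invalid_severity_rows(rows)
  rows.reject { |row| SEVERITY_LEVELS.value?(row[:severity]) }
end
```

With ActiveRecord the same hashes would be handed to `enum severity: SEVERITY_LEVELS` and `enum confidence: CONFIDENCE_LEVELS`, which is why the integer column needs no rewrite; `invalid_severity_rows` is the one check worth running before deploying, since a stored severity of 3 is the only value the split leaves without a name.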
Tasks:
- Update AR model enums (could be a good opportunity to move to rails5 enums)
- Update DAST parser methods `#severity` and `#confidence` with new values
- Update frontend to handle separate lists and add new values
What does success look like, and how can we measure that?
Severity and Confidence have independent sets of values, and DAST reports can be integrated.
Links / references
Edited by Tetiana Chupryna