
Add CVSS data to vulnerabilities GraphQL API

Brian Williams requested to merge bwill/add-cvss-to-api into master

What does this MR do and why?

We currently store CVSS information in the DB but only expose it via the vulnerability export. This change exposes the CVSS information via VulnerabilityType in GraphQL. In addition to exposing the vector, we also expose computed values for each vector string, including the CVSS version, base score, overall score, and severity.

What is CVSS?

CVSS stands for Common Vulnerability Scoring System. This system provides a set of parameters (called metrics) which can be used to assign a severity rating to a vulnerability. The fields being added in this MR are common concepts in CVSS. To help reviewers who are unfamiliar with the domain, here are some definitions.

  • Vector: A string representation of the CVSS score. It contains the CVSS version and all of the metrics in a key-value format.
  • Version: The CVSS specification version. Common values are 2.0, 3.0, and 3.1. CVSS 4.0 was recently released and does not yet have widespread adoption.
  • Base Score: The score when calculated using the base metrics. Other metrics are specific to each organization's environment and security controls. Thus, the vast majority of vectors will only have base metrics. The formula for calculating the score is different depending on the CVSS version.
  • Overall Score: The score calculated from all metrics. Since most vectors will only have base metrics, this is usually equal to the base score. We are exposing it here because it is used to determine the severity.
  • Severity: A logical severity rating for the vulnerability (Low, Medium, High, Critical) which is determined based on the overall score. The mapping for score -> severity is different depending on the CVSS version.

Since these are industry concepts which have definitions outside of GitLab, and the details change depending on the CVSS version being used, the documentation for these fields is intentionally brief.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Screenshot_2024-02-05_at_9.32.31_AM

How to set up and validate locally

Numbered steps to set up and validate the change are strongly suggested.

  1. Find a vulnerability with CVSS data. This can be done by running dependency scanning on a project.

    Vulnerability.where("cvss != '[]'").first
  2. Copy the ID of the vulnerability

  3. Log in and go to <GDK_URL>/-/graphql-explorer

  4. Send this graphql query with your vulnerability ID:

    {
      vulnerability(id: "gid://gitlab/Vulnerability/YOUR_VULNERABILITY_ID") {
        id
        uuid
        description
        cvss {
          vector
          vendor
          version
          baseScore
          overallScore
          severity
        }
      }
    }
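
Added example, not part of this MR or of GitLab's code: a Ruby script that derives the four computed fields described under "What is CVSS?" above (version, base score, overall score, severity) from a CVSS 3.0/3.1 vector string, and that can also POST the query from the validation steps to a GitLab instance's /api/graphql endpoint and compare the API's values against the local recomputation. The GDK_URL, GITLAB_TOKEN and VULNERABILITY_ID inputs, the script file name, the casing of the API's severity string and the treatment of the `cvss` field as a list are assumptions; CVSS 2.0 vectors and environmental metrics are deliberately rejected or ignored rather than approximated.

```ruby
# Added example (not GitLab code): derive version, baseScore, overallScore and severity from a CVSS v3.x vector.
require "json"
require "net/http"

module CvssExample
  # Base-metric weights from the CVSS v3.1 specification (unchanged from v3.0).
  CIA = { "H" => 0.56, "L" => 0.22, "N" => 0.0 }.freeze
  WEIGHTS = {
    "AV" => { "N" => 0.85, "A" => 0.62, "L" => 0.55, "P" => 0.2 },
    "AC" => { "L" => 0.77, "H" => 0.44 },
    "UI" => { "N" => 0.85, "R" => 0.62 },
    "C" => CIA, "I" => CIA, "A" => CIA
  }.freeze
  # Privileges Required is weighted higher when Scope is Changed.
  PR_WEIGHTS = {
    "U" => { "N" => 0.85, "L" => 0.62, "H" => 0.27 },
    "C" => { "N" => 0.85, "L" => 0.68, "H" => 0.5 }
  }.freeze
  # Temporal weights; "X" (Not Defined) leaves the base score untouched.
  TEMPORAL = {
    "E" => { "X" => 1.0, "H" => 1.0, "F" => 0.97, "P" => 0.94, "U" => 0.91 },
    "RL" => { "X" => 1.0, "U" => 1.0, "W" => 0.97, "T" => 0.96, "O" => 0.95 },
    "RC" => { "X" => 1.0, "C" => 1.0, "R" => 0.96, "U" => 0.92 }
  }.freeze
  # Score -> qualitative severity (same table for v3.0 and v3.1).
  SEVERITY = { 0.0..0.0 => "None", 0.1..3.9 => "Low", 4.0..6.9 => "Medium",
               7.0..8.9 => "High", 9.0..10.0 => "Critical" }.freeze

  # "CVSS:3.1/AV:N/..." -> ["3.1", { "AV" => "N", ... }]. CVSS 2.0 vectors have no "CVSS:" prefix and are rejected.
  def self.parse(vector)
    head, *pairs = vector.to_s.split("/")
    version = head.to_s[/\ACVSS:(3\.[01])\z/, 1]
    raise ArgumentError, "unsupported or malformed vector: #{vector}" unless version
    [version, pairs.to_h { |pair| pair.split(":", 2) }]
  end

  # Round up to one decimal. v3.1 redefined this over integers because v3.0's ceil() mis-rounded some floats.
  def self.roundup(value, version)
    return (value * 10).ceil / 10.0 if version == "3.0"
    int = (value * 100_000).round
    (int % 10_000).zero? ? int / 100_000.0 : (int / 10_000 + 1) / 10.0
  end

  # Base score; fetch raises KeyError on a missing or unknown metric value.
  def self.base_score(version, m)
    w = ->(metric) { WEIGHTS.fetch(metric).fetch(m.fetch(metric)) }
    changed = m.fetch("S") == "C"
    iss = 1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"])
    impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss
    exploitability = 8.22 * w["AV"] * w["AC"] * PR_WEIGHTS.fetch(m["S"]).fetch(m.fetch("PR")) * w["UI"]
    return 0.0 if impact <= 0
    roundup([(changed ? 1.08 : 1.0) * (impact + exploitability), 10.0].min, version)
  end

  # Overall score: base score scaled by any temporal metrics present (environmental metrics not handled here).
  def self.overall_score(version, m, base)
    factor = TEMPORAL.reduce(1.0) { |acc, (k, table)| acc * table.fetch(m.fetch(k, "X")) }
    factor == 1.0 ? base : roundup(base * factor, version)
  end

  # Severity is derived from the overall score, not the base score.
  def self.severity(score)
    SEVERITY.find { |range, _| range.cover?(score) }&.last || raise(ArgumentError, "bad score #{score}")
  end

  # Same field names as the MR's GraphQL `cvss` selection, for direct comparison.
  def self.evaluate(vector)
    version, m = parse(vector)
    base = base_score(version, m)
    overall = overall_score(version, m, base)
    { "vector" => vector, "version" => version, "baseScore" => base, "overallScore" => overall, "severity" => severity(overall) }
  end

  # Request body for the query from the validation steps above.
  def self.query_payload(vulnerability_id)
    { query: <<~GQL }.to_json
      { vulnerability(id: "gid://gitlab/Vulnerability/#{vulnerability_id}") { id cvss { vector vendor version baseScore overallScore severity } } }
    GQL
  end

  # POSTs the query to /api/graphql with a personal access token (read_api scope) and recomputes each
  # cvss entry locally. The casing of the API's severity string is an assumption, hence casecmp?.
  def self.cross_check(gitlab_url, token, vulnerability_id)
    uri = URI("#{gitlab_url}/api/graphql")
    req = Net::HTTP::Post.new(uri, "Content-Type" => "application/json", "Authorization" => "Bearer #{token}")
    req.body = query_payload(vulnerability_id)
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |http| http.request(req) }
    body = JSON.parse(res.body)
    raise body["errors"].to_json if body["errors"]
    Array(body.dig("data", "vulnerability", "cvss")).map do |api|
      local = evaluate(api["vector"])
      match = local["baseScore"] == api["baseScore"].to_f && local["severity"].casecmp?(api["severity"].to_s)
      { "vendor" => api["vendor"], "api" => api, "local" => local, "match" => match }
    end
  end
end

# Usage (file name, URL and ID are assumptions): GDK_URL=http://gdk.test:3000 GITLAB_TOKEN=... ruby cvss_check.rb 123
if __FILE__ == $PROGRAM_NAME
  if ENV["GDK_URL"] then puts JSON.pretty_generate(CvssExample.cross_check(ENV["GDK_URL"], ENV.fetch("GITLAB_TOKEN"), ARGV.fetch(0)))
  else puts CvssExample.evaluate("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C").to_json # constructed vector
  end
end
```

Run without environment variables, the script scores a constructed vector offline; with GDK_URL and a token it prints, per cvss entry, the API's values next to the local ones and a `match` flag. The constructed vector illustrates the point made in the definitions: its base score is 9.8 (Critical) but the temporal metrics E:P/RL:O/RC:C pull the overall score down to 8.8, so the severity the API should report for it is High. The two roundup branches also show why `version` is worth exposing: the same raw score can round differently under 3.0 and 3.1.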
Edited by Brian Williams
