Fix CVSS vector display on vulnerability details
What does this MR do and why?
The `cvss` helper method tries to get the CVSS score through a `pm_advisories` record, but such a record may not exist for every vulnerability that has a CVSS score. The `cvss` column should be used as the source of truth for this information.
Considerations:
- Vulnerabilities created through security report ingestion may have CVSS vectors provided even if there is no advisory record or CVE associated with them.
- Vulnerabilities created by continuous vulnerability scanning are created from advisory records and these have the cvss data replicated to the vulnerability record, so it is more efficient to use the cvss column instead of querying the advisory anyway.
- Using hard-coded `cvss_v3` data is not correct, as v2 or v4 vectors could also be present.
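To illustrate the considerations above, here is an added example (not code from this MR or from GitLab) of a helper that reads the vulnerability record's own `cvss` column and works out each vector's version from the vector string instead of hard-coding v3. The record and the column shape (an array of hashes with `vendor` and `vector` keys) are assumptions made for the example; the sample vectors are constructed.

```ruby
# Added example, not the MR's code: display CVSS data from the record's own
# `cvss` column, without consulting an advisory record and without assuming v3.

# Assumed shape of the vulnerability record and its `cvss` column.
Vulnerability = Struct.new(:id, :cvss, keyword_init: true)

# Map a vector string to its CVSS version. v3.x and v4.0 vectors carry a
# "CVSS:<version>/" prefix; v2 vectors have no prefix and start with "AV:".
# Returns nil for anything that does not look like a CVSS vector.
def cvss_version(vector)
  case vector
  when %r{\ACVSS:(\d+\.\d+)/} then Regexp.last_match(1)
  when /\AAV:/ then '2.0'
  end
end

# Build display-ready entries from the `cvss` column. Nil-safe, so a
# vulnerability without CVSS data renders nothing instead of raising, and
# entries with an empty or unrecognised vector are skipped rather than mislabelled.
def cvss_entries(vuln)
  Array(vuln.cvss).filter_map do |entry|
    vector = entry['vector']
    next if vector.nil? || vector.empty?

    version = cvss_version(vector)
    next if version.nil?

    { vendor: entry['vendor'], version: version, vector: vector }
  end
end

# Constructed sample records (not real vulnerability data): one with v3.1, v4.0
# and v2 vectors from report ingestion and no advisory, one with no CVSS data.
REPORT_VULN = Vulnerability.new(id: 1, cvss: [
  { 'vendor' => 'NVD', 'vector' => 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H' },
  { 'vendor' => 'GitLab', 'vector' => 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N' },
  { 'vendor' => 'NVD', 'vector' => 'AV:N/AC:L/Au:N/C:P/I:P/A:P' }
])
NO_CVSS_VULN = Vulnerability.new(id: 2, cvss: nil)

if __FILE__ == $PROGRAM_NAME
  cvss_entries(REPORT_VULN).each do |e|
    puts "#{e[:vendor]} (CVSS #{e[:version]}): #{e[:vector]}"
  end
  p cvss_entries(NO_CVSS_VULN)
end
```

A helper that only looked at v3 data would silently drop the v2 and v4 entries on the first record; reading every entry from the column and labelling it by its parsed version shows all three.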
References
Screenshots or screen recordings
| Before | After |
|---|---|
| ![]() | ![]() |
How to set up and validate locally
- Find a vulnerability with CVSS data (most dependency scanning vulnerabilities should have some)
- Delete the advisory record (in a Rails console, with `id` being the id of that vulnerability):

  ```ruby
  vuln = Vulnerability.find(id)
  PackageMetadata::Advisory.where(cve: vuln.cve_value).destroy_all
  ```

- Go to the details page for the vulnerability
Before: CVSS data is not shown. After: CVSS data is shown.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Brian Williams