Add cvss methods to CvesIssue

Steve Abrams requested to merge delivery19650-cvss-methods into master

What does this MR do and why?

Adds two new methods to CvesIssue that use the cvss-suite gem. These values will be used in the security blog post generation similar to how they are used in security-release-tools.

Related to gitlab-com/gl-infra/delivery#19650 (closed)

Testing

The rspec tests are using a fixture that has a real vulnerability impact score: https://gitlab.com/gitlab-org/release-tools/-/blob/55ab09ad5adcf7819fa6e8cdb4e1ff62301f6352/spec/fixtures/cve_issue_description.md#L38. So the tests added in this MR prove that score is correctly parsed. This can be duplicated locally:

~/workspace/gitlab-org/release-tools (delivery19650-cvss-methods ✔) be pry --gem
16.5
[1] pry(main)> cvss_string = 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N'
=> "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"
[2] pry(main)> cvss = CvssSuite.new(cvss_string)
=> #<CvssSuite::Cvss31:0x0000000108fd0670
 @amount_of_properties=8,
 @base=....
[3] pry(main)> cvss.base_score
=> 7.6
[4] pry(main)> cvss.severity
=> "High"

Author Check-list

  • [-] Has documentation been updated?
Edited by Steve Abrams