Add cvss methods to CvesIssue
What does this MR do and why?
Adds two new methods to CvesIssue that use the cvss-suite gem. These values will be used in the security blog post generation, similar to how they are used in security-release-tools.
Related to gitlab-com/gl-infra/delivery#19650 (closed)
Testing
The rspec tests are using a fixture that has a real vulnerability impact score: https://gitlab.com/gitlab-org/release-tools/-/blob/55ab09ad5adcf7819fa6e8cdb4e1ff62301f6352/spec/fixtures/cve_issue_description.md#L38. So the tests added in this MR prove that score is correctly parsed. This can be duplicated locally:
```
~/workspace/gitlab-org/release-tools (delivery19650-cvss-methods ✔) be pry --gem
16.5
[1] pry(main)> cvss_string = 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N'
=> "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N"
[2] pry(main)> cvss = CvssSuite.new(cvss_string)
=> #<CvssSuite::Cvss31:0x0000000108fd0670
 @amount_of_properties=8,
 @base=....
[3] pry(main)> cvss.base_score
=> 7.6
[4] pry(main)> cvss.severity
=> "High"
```
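For reviewers who want to check the 7.6 / "High" result without the gem, here is an added example (not release-tools code and not the cvss-suite gem) that implements the CVSS v3.1 base-score formula from the specification and pulls the vector out of a description. `SAMPLE_DESCRIPTION` is a constructed stand-in, not the real fixture, and the assumption that the vector appears verbatim as a `CVSS:3.1/...` string in the issue description is this example's, not something the fixture is known to guarantee.

```ruby
# Added example, not code from release-tools or the cvss-suite gem.
# Implements the CVSS v3.1 base score equations from the FIRST specification
# so the value the gem returns for the fixture vector can be cross-checked.
module Cvss31Example
  # Metric weights from the CVSS v3.1 specification (section 7.4).
  METRIC_VALUES = {
    'AV' => { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 },
    'AC' => { 'L' => 0.77, 'H' => 0.44 },
    'UI' => { 'N' => 0.85, 'R' => 0.62 },
    'C'  => { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 },
    'I'  => { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 },
    'A'  => { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }
  }.freeze

  # Privileges Required weights depend on whether Scope is Unchanged or Changed.
  PR_VALUES = {
    'U' => { 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 },
    'C' => { 'N' => 0.85, 'L' => 0.68, 'H' => 0.5 }
  }.freeze

  REQUIRED = %w[AV AC PR UI S C I A].freeze

  # Assumption of this example: the vector is present verbatim in the text.
  VECTOR_PATTERN = %r{CVSS:3\.1(?:/[A-Z]+:[A-Z])+}.freeze

  # Constructed sample description; the real spec fixture is not reproduced here.
  SAMPLE_DESCRIPTION = <<~MD
    ### Impact

    An authenticated user can escalate privileges under certain conditions.

    ### CVSS

    `CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:H/A:N`
  MD

  # Returns the first CVSS 3.1 vector found in the description, or nil.
  def self.extract_vector(text)
    text[VECTOR_PATTERN]
  end

  # Splits "CVSS:3.1/AV:N/..." into { 'AV' => 'N', ... } and validates it.
  def self.parse(vector)
    prefix, *parts = vector.split('/')
    raise ArgumentError, "not a CVSS 3.1 vector: #{vector.inspect}" unless prefix == 'CVSS:3.1'

    metrics = parts.to_h { |part| part.split(':', 2) }
    missing = REQUIRED - metrics.keys
    raise ArgumentError, "missing base metrics: #{missing.join(', ')}" unless missing.empty?

    metrics
  end

  # Roundup as defined in CVSS v3.1 appendix A (avoids floating-point artefacts).
  def self.round_up(value)
    int_input = (value * 100_000).round
    return int_input / 100_000.0 if (int_input % 10_000).zero?

    ((int_input / 10_000).floor + 1) / 10.0
  end

  def self.base_score(vector)
    m = parse(vector)
    scope_changed = m['S'] == 'C'

    iss = 1 - (1 - METRIC_VALUES['C'].fetch(m['C'])) *
              (1 - METRIC_VALUES['I'].fetch(m['I'])) *
              (1 - METRIC_VALUES['A'].fetch(m['A']))
    impact = if scope_changed
               7.52 * (iss - 0.029) - 3.25 * ((iss - 0.02)**15)
             else
               6.42 * iss
             end
    exploitability = 8.22 * METRIC_VALUES['AV'].fetch(m['AV']) *
                     METRIC_VALUES['AC'].fetch(m['AC']) *
                     PR_VALUES.fetch(m['S']).fetch(m['PR']) *
                     METRIC_VALUES['UI'].fetch(m['UI'])

    return 0.0 if impact <= 0

    raw = scope_changed ? 1.08 * (impact + exploitability) : impact + exploitability
    round_up([raw, 10].min)
  end

  # Qualitative severity rating scale (CVSS v3.1 section 5).
  def self.severity(score)
    case score
    when 0 then 'None'
    when 0.1..3.9 then 'Low'
    when 4.0..6.9 then 'Medium'
    when 7.0..8.9 then 'High'
    else 'Critical'
    end
  end
end

if $PROGRAM_NAME == __FILE__
  vector = Cvss31Example.extract_vector(Cvss31Example::SAMPLE_DESCRIPTION)
  score = Cvss31Example.base_score(vector)
  puts "#{vector} => #{score} (#{Cvss31Example.severity(score)})"
end
```

The `round_up` step matters: the raw value for the fixture vector is about 7.544, and only the spec's round-up-to-one-decimal rule turns that into the 7.6 the gem reports, so a naive `round(1)` would silently disagree with cvss-suite.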
Author Check-list
- [-] Has documentation been updated?
Edited by Steve Abrams