Display CVSS score in the component vulnerabilities tab #1948
Comments
@stevespringett: Would that be something you would accept a PR for? I came across this today twice again...

Historically, we omitted CVSS since NPM Advisories refused to adopt CVSS and simply provided a severity label. So we had lots of systems that would never have had a CVSS score. NPM Advisories no longer exists and has been replaced by GitHub Advisories. I'm not sure if all those old NPM vulnerabilities have been updated with CVSS scores or not though. The point is that all vulnerabilities will have a severity, but not a CVSS score. For EPSS, this is limited to only vulnerabilities in the NVD. So GHSAs, GSDs, etc, will not have any EPSS info. For these reasons, we can accept a PR that adds these values to the table, but would prefer that the CVSS and EPSS values are hidden by default. To do this, set
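The comment above makes a data-model point that a table implementation has to respect: every finding carries a severity label, a CVSS score may be absent (advisories that only ever shipped a severity), and EPSS exists only for NVD-sourced CVEs. The following is an added example, not Dependency-Track's own frontend code, of building and ranking the rows for a component vulnerabilities table under those constraints, with the score columns present but hidden by default. The field names (vulnId, source, severity, cvssV3BaseScore, cvssV2BaseScore, epssScore, epssPercentile) are assumed to mirror the Dependency-Track API's vulnerability object, and the column definitions follow bootstrap-table's `visible` flag; both are assumptions, as is the sample input.

```javascript
// Added example, not Dependency-Track's own code: rows for a component's
// vulnerabilities table when CVSS and EPSS are not guaranteed to exist.
// Field names are assumed to mirror the Dependency-Track API vulnerability object.

// Every finding carries a severity label, so it is the one key we can always sort on.
const SEVERITY_RANK = { CRITICAL: 4, HIGH: 3, MEDIUM: 2, LOW: 1, INFO: 0, UNASSIGNED: -1 };

// EPSS is published for CVEs only, so only NVD-sourced findings can carry it.
function hasEpss(vuln) {
  return vuln.source === 'NVD' && typeof vuln.epssScore === 'number';
}

// Prefer CVSSv3, fall back to CVSSv2, and return null when neither exists
// (advisories that only ever shipped a severity label end up here).
function cvssScore(vuln) {
  if (typeof vuln.cvssV3BaseScore === 'number') return vuln.cvssV3BaseScore;
  if (typeof vuln.cvssV2BaseScore === 'number') return vuln.cvssV2BaseScore;
  return null;
}

// Cell formatter: render an absent score as "-" rather than "undefined" or "0.0",
// so a missing CVSS is never mistaken for a harmless one.
function formatScore(value, digits) {
  return typeof value === 'number' ? value.toFixed(digits) : '-';
}

function toRow(vuln) {
  const epss = hasEpss(vuln);
  return {
    vulnId: vuln.vulnId,
    source: vuln.source,
    severity: vuln.severity || 'UNASSIGNED',
    cvss: formatScore(cvssScore(vuln), 1),
    epss: formatScore(epss ? vuln.epssScore : null, 3),
    epssPercentile: formatScore(epss ? vuln.epssPercentile : null, 3),
  };
}

// Sort key: severity (always present), then CVSS, then EPSS; within a tier,
// findings without a value rank below those that have one.
function compareFindings(a, b) {
  const sev = (SEVERITY_RANK[b.severity] ?? -1) - (SEVERITY_RANK[a.severity] ?? -1);
  if (sev !== 0) return sev;
  const cvss = (cvssScore(b) ?? -1) - (cvssScore(a) ?? -1);
  if (cvss !== 0) return cvss;
  return (hasEpss(b) ? b.epssScore : -1) - (hasEpss(a) ? a.epssScore : -1);
}

function rankFindings(vulns) {
  return [...vulns].sort(compareFindings).map(toRow);
}

// Column definitions (bootstrap-table shape, assumed): the score columns exist
// but start hidden, as asked for in the discussion.
const COLUMNS = [
  { field: 'vulnId', title: 'Vulnerability', visible: true },
  { field: 'severity', title: 'Severity', visible: true },
  { field: 'cvss', title: 'CVSS', visible: false },
  { field: 'epss', title: 'EPSS', visible: false },
  { field: 'epssPercentile', title: 'EPSS Percentile', visible: false },
];

function defaultVisibleFields() {
  return COLUMNS.filter((c) => c.visible).map((c) => c.field);
}

// Constructed sample input with placeholder identifiers; not real advisory data.
const SAMPLE = [
  { vulnId: 'CVE-0000-0001', source: 'NVD', severity: 'HIGH',
    cvssV3BaseScore: 7.5, epssScore: 0.42, epssPercentile: 0.97 },
  { vulnId: 'GHSA-0000-0000-0001', source: 'GITHUB', severity: 'CRITICAL', cvssV3BaseScore: 9.8 },
  { vulnId: 'GHSA-0000-0000-0002', source: 'GITHUB', severity: 'HIGH' }, // severity only
  { vulnId: 'CVE-0000-0002', source: 'NVD', severity: 'MEDIUM',
    cvssV2BaseScore: 5.0, epssScore: 0.01, epssPercentile: 0.3 },
];

console.table(rankFindings(SAMPLE));
```

Severity is used as the primary key precisely because it is the only attribute the comment guarantees for every finding; CVSS and EPSS only refine the order inside a severity tier, and a "-" cell tells the reader the source never published the value rather than implying a score of zero.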
I was just wondering why the EPSS tab is separate from the Audit Vulnerabilities tab. When assessing the EPSS it might be useful to be able to see the details (and audit actions) of the vulnerability. So my first thought is why not combine these views? Thinking out loud @stevespringett, would you accept a complementary PR that adds the description and audit functionality of vulnerabilities to the Exploit Prediction tab?

@valentijnscholten: I agree to some extent. I was also always confused that, for example, the audit functionality is not in the Exploit Prediction tab. But from my perspective I think those are two separate issues:

Thinking out loud: Both could be combined and the same combined view should be displayed in the Component and Project view. @stevespringett: Thanks, I had not even noticed the possibility to view/hide columns. I will follow your suggestion to have the columns hidden once this discussion here has a conclusion.

Ah yes, sorry for hijacking your issue with a completely different screen. But at the same time it's a related question/suggestion :-)
Make more information available on the component vulnerability tab with default visibility false. Fixes DependencyTrack/dependency-track#1948 Signed-off-by: awegg <alexander@weggerle.de>
commit 80fa9d2 (Merge: fe862fc 5944393)
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Oct 10 10:05:33 2022 +0200

    Merge pull request DependencyTrack#273 from DependencyTrack/dependabot/github_actions/actions/checkout-3.1.0

    build(deps): bump actions/checkout from 3.0.2 to 3.1.0

commit fe862fc (Merge: ac99c3b 65bb03b)
Author: Niklas <nscuro@protonmail.com>
Date:   Mon Oct 10 10:04:53 2022 +0200

    Merge pull request DependencyTrack#267 from DependencyTrack/dependabot/docker/docker/nginxinc/nginx-unprivileged-ff29830

    build(deps): bump nginxinc/nginx-unprivileged from `de9ed41` to `ff29830` in /docker

commit ac99c3b (Merge: 1eaefe5 122ce55)
Author: Niklas <nscuro@protonmail.com>
Date:   Sun Oct 9 15:06:31 2022 +0200

    Merge pull request DependencyTrack#277 from nscuro/enable-new-vulnerable-dependency-group

    Re-enable NEW_VULNERABLE_DEPENDENCY notification

commit 122ce55
Author: nscuro <nscuro@protonmail.com>
Date:   Sun Oct 9 14:47:44 2022 +0200

    Re-enable NEW_VULNERABLE_DEPENDENCY notification

    DependencyTrack/dependency-track#1611

    Signed-off-by: nscuro <nscuro@protonmail.com>

commit 5944393
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Oct 5 02:04:08 2022 +0000

    build(deps): bump actions/checkout from 3.0.2 to 3.1.0

    Bumps [actions/checkout](https://github.com/actions/checkout) from 3.0.2 to 3.1.0.
    - [Release notes](https://github.com/actions/checkout/releases)
    - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
    - [Commits](actions/checkout@v3.0.2...v3.1.0)

    ---
    updated-dependencies:
    - dependency-name: actions/checkout
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 65bb03b
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Thu Sep 29 01:42:55 2022 +0000

    build(deps): bump nginxinc/nginx-unprivileged in /docker

    Bumps nginxinc/nginx-unprivileged from `de9ed41` to `ff29830`.

    ---
    updated-dependencies:
    - dependency-name: nginxinc/nginx-unprivileged
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 1eaefe5 (Merge: ed43676 e5da956)
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Sep 28 10:43:27 2022 +0200

    Merge pull request DependencyTrack#262 from DependencyTrack/dependabot/github_actions/actions/setup-node-3.5.0

commit ed43676 (Merge: f3b6a0c d33ce07)
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Sep 28 10:39:06 2022 +0200

    Merge pull request DependencyTrack#261 from DependencyTrack/dependabot/docker/docker/nginxinc/nginx-unprivileged-de9ed41

commit f3b6a0c (Merge: df995f5 2196f55)
Author: Niklas <nscuro@protonmail.com>
Date:   Wed Sep 28 10:38:07 2022 +0200

    Merge pull request DependencyTrack#259 from awegg/1948_cvss_on_components

commit e5da956
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Sep 28 01:37:44 2022 +0000

    build(deps): bump actions/setup-node from 3.4.1 to 3.5.0

    Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3.4.1 to 3.5.0.
    - [Release notes](https://github.com/actions/setup-node/releases)
    - [Commits](actions/setup-node@v3.4.1...v3.5.0)

    ---
    updated-dependencies:
    - dependency-name: actions/setup-node
      dependency-type: direct:production
      update-type: version-update:semver-minor
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit d33ce07
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Tue Sep 27 01:39:41 2022 +0000

    build(deps): bump nginxinc/nginx-unprivileged in /docker

    Bumps nginxinc/nginx-unprivileged from `e916f63` to `de9ed41`.

    ---
    updated-dependencies:
    - dependency-name: nginxinc/nginx-unprivileged
      dependency-type: direct:production
      update-type: version-update:semver-patch
    ...

    Signed-off-by: dependabot[bot] <support@github.com>

commit 2196f55
Author: awegg <alexander@weggerle.de>
Date:   Sun Sep 25 13:26:22 2022 +0200

    Add CVSS, EPSS to Component Vulnerabilities

    Make more information available on the component vulnerability tab with default visibility false.

    Fixes DependencyTrack/dependency-track#1948

    Signed-off-by: awegg <alexander@weggerle.de>
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
Current Behavior:
Only CWE and Severity are listed on the component screen.
Proposed Behavior:
Also show the CVSS (and maybe EPSS + Percentile) on the component screen, as done in the Exploit Predictions screen.
Motivation:
We often discuss security issues rather by component than by the project and so we miss the concrete CVSS score here.