Add support for vulnerability data to entities model #6875
Conversation
xavierdecoster
requested review from
joelverhagen,
shishirx34,
skofman1 and
scottbommarito
|
Does this really have to be part of the gallery database? A smell to me is that the relationship between a package deprecation and a CVE/CWE is not modeled in the standard way, i.e. a many-to-many relationship with a |
There was a problem hiding this comment.
A couple comments. Looks great though!
Please keep this as a separate migration from the initial one--we're deploying the other migration this week (although you can't create any deprecation entities) so we'll need to be able to apply this migration on top of it.
|
|
||
| modelBuilder.Entity<PackageDeprecation>() | ||
| .HasMany(p => p.CVEs) | ||
| .WithMany(c => c.PackageDeprecations); |
There was a problem hiding this comment.
Have we verified that when
- a
PackageDeprecationis deleted, it deletes the corresponding rows in thePackageDeprecationCVE/PackageDeprecationCWEs tables? - a
CVE/CWEis deleted, it deletes the corresponding rows in thePackageDeprecationCVE/PackageDeprecationCWEs tables?
Or is this not the behavior we want to have?
There was a problem hiding this comment.
This is a key insight.
This is quite important because we need to understand what to do when a CVE/CWE is not longer present in the data source or if some "delete" signal is presented to us. I think the easiest approach is to mandate that CVE/CWEs are never deleted. If this is already the case in the data source, then we're fine. Otherwise, we need to verify that it's okay for us to keep a deleted CVE/CWE in our database forever.
There was a problem hiding this comment.
I think we can assume these ID's are never hard-deleted, although I couldn't find an official statement on that.
In general, MITRE will maintain CWE as long as it serves the community to do so.
As for CVE IDs, these will be marked with a "reject" state and the "description" field will be labeled as such in the data source, according to this source.
There was a problem hiding this comment.
Verified delete behavior:
- when deleting a
PackageDeprecation, it properly deletes the corresponding rows in thePackageDeprecationCweandPackageDeprecationCvetables, but doesn't delete theCWEorCVErecord. - when deleting a
CVEorCWE, it properly deletes the corresponding rows in thePackageDeprecationCweandPackageDeprecationCvetables, but doesn't delete thePackageDeprecationrecord.
However, we should never delete CVE or CWE records (adding a Status column to those entities for when a CVE/CWE gets rejected after publication, so we can filter them out).
|
To be clear, I am not against this stuff being in the gallery DB, but I wanted to make sure we evaluated other options like an independent database+service or another storage mechanism like Azure Search or in-memory JSON. |
|
@joelverhagen - with this PR we are now modeling "deprecation to CVE/CWE" in a proper many-to-many relationship table and no longer a JSON array. I agree that we should make sure we do our due diligence in investigating all options, but I think it's a huge benefit to this approach that it allows our gallery database to store proper relationships instead of JSON. |
|
@scottbommarito, oops, sorry I missed that part. I think think we should understand whether it is necessary to couple CVE/CWE data with gallery data. A JSON array would be appropriate if you want to refer to data in another system (potentially backed by another SQL database). Remember we put validation data in its own database. The idea there was that there is some state about validation that gallery will never care about. In the CVE/CWE case, another database would allow us to scale independently and keep details like ingestion state/etags/timestamps/throttles in tables that have nothing to do with gallery DB. Again, I don't feel strongly but we should give all of these a approaches an honest consideration properly weighting maintenance costs of another DB with the benefit of decoupling unrelated data. |
|
For CVEs, I added a Boolean column I noticed CWEs may have a varying status in the source data as well. Looking at the StatusEnumeration spec, it’s a bit unclear whether we should reduce the dataset or not… From usability point of view, we simply need to be able to hide the CVE/CWE items that are unpublished, without deleting potentially existing references to Any thoughts? @scottbommarito @skofman1 @anangaur @joelverhagen @loic-sharma |
Perhaps we can just have a |
|
@joelverhagen that's exactly what I'm aiming for! I could name them both |
|
@joelverhagen - I think whether or not I think regardless of this, we should store all information that would help us determine whether or not the CVE/CWE is relevant, e.g. |
|
@scottbommarito the data update process for CWE requires us to fetch the entire data set every time anyway... (a CSV file download), so if Status changed, it will be processed (and if visibility logic needs changing, the job can be updated, and it will then be processed on the next iteration). For CVE, there's a No matter what changes to status or visibility, if the initial import considered the data as relevant at that time, it's going to remain relevant forever (only soft-deletes allowed - aka unlisting). |
|
@xavierdecoster - perfect. |
|
Almost there. May need to track CVSS scores provided with CVE data. Once confirmed, I'll add the property and update the migration, and merge this PR. |
No description provided.