Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(rules): Add CVSS 3.1/4 to high vulnerability in dependency rule #193

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

feat(rules): Add CVSS 3.1/4 to high vulnerability in dependency rule #193

wants to merge 2 commits into from

Conversation

tsteenbe
Copy link
Member

@tsteenbe tsteenbe commented Jun 3, 2024

Prior to this change a package with a high severity vulnerability encoded in CVSS 3.1 or 4.0 would not trigger a policy rule violation.

@tsteenbe
style(rules): Use colons in CVSS score strings
5f98c28 
This is a preparation for a sequential commit where CVSS:3.1 and CVS:4.0
comparator functions will be added.

Signed-off-by: Thomas Steenbergen <opensource@steenbe.nl>
@tsteenbe tsteenbe added the bug Something isn't working label Jun 3, 2024
@tsteenbe tsteenbe requested a review from a team as a code owner June 3, 2024 23:42
@tsteenbe
feat(rules): Add CVSS 3.1/4 to high severity vuln rule
869b512 
Prior to this change a package with a high severity vulnerability
encoded in CVSS 3.1 or 4.0 would not trigger a policy rule violation.

Signed-off-by: Thomas Steenbergen <opensource@steenbe.nl>
@tsteenbe tsteenbe force-pushed the fix-policy-rule-high-severity-vuln-in-dep branch from f5de453 to 869b512 Compare June 3, 2024 23:44
sschuberth
sschuberth reviewed Jun 4, 2024
View reviewed changes
evaluator.rules.kts
@@ -1546,10 +1546,16 @@ fun RuleSet.vulnerabilityWithHighSeverityInDependencyRule() = packageRule("HIGH_
-isProject()
-isExcluded()
+AnyOf(
hasVulnerability(maxAcceptedSeverity, "CVSS2") { value, threshold ->
hasVulnerability(maxAcceptedSeverity, "CVSS:2") { value, threshold ->
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note that this would now disregard vulnerabilities that literally use "CVSS2" as the scoring system as we compare scoring systems by their strict string representation currently:

https://github.com/oss-review-toolkit/ort/blob/f560e02d555fd3b511d33b9d35cc4baa7de79ce8/evaluator/src/main/kotlin/PackageRule.kt#L98

Similar below. So this change likely has unwanted side effects.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll take a brief look at changing the hasVulnerability rule itself to address that.

@sschuberth sschuberth mentioned this pull request Jul 15, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sschuberth sschuberth sschuberth left review comments

At least 0 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tsteenbe @sschuberth