Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

VCIO-next: Create improver to detect issues #1699

Open
pombredanne opened this issue Dec 13, 2024 · 5 comments
Open

VCIO-next: Create improver to detect issues #1699

pombredanne opened this issue Dec 13, 2024 · 5 comments

Comments

@pombredanne
Copy link
Member

We have sometimes issues and conflicts in the data we collect. For instance, we may have related advisories that contain different affected package version ranges. Or may disagree on the severity of a vulnerability or else. This is also something

For this we should create new improver to detect issues: it could detect and report discrepancies and conflicts in related advisories for a CVE, and flag these. That would later be input to curate these issues.

@saransh1307
Copy link

can I work on this issue?

@pombredanne pombredanne added this to the v37.0.0 - 4-next milestone Dec 23, 2024
@pombredanne
Copy link
Member Author

@saransh1307 you sure can, but this is a fairly complex issue for a start.
May I suggest you check first some of the version issues in https://github.com/aboutcode-org/univers/issues?q=is%3Aissue+is%3Aopen+label%3A"good+first+issue" ... they are not always easy, but bite-size and much less complex.

@saransh1307
Copy link

Alright, @pombredanne, I'll focus on the suggested good first issues to build a solid understanding of the application. As I get more familiar with its structure and flow, I'll revisit this issue with a more informed perspective.

@keshav-space
Copy link
Member

@pombredanne this is the initial design I came up with, does this look good enough?

  1. Create the AdvisoryTODO model that contains:
  • issue_type
    • MISSING_AFFECTED_PACKAGE
    • MISSING_FIXED_BY_PACKAGE
    • MISSING_AFFECTED_AND_FIXED_PACKAGE
    • CONFLICTING_FIXED_BY_PACKAGE
    • CONFLICTING_AFFECTED_PACKAGE
    • CONFLICTING_SEVERITY
  • issue_detail
  • advisories ( One-to-Many relation to Advisory )
  • is_resolved
  1. Create pipeline that iterates over CVEs:
  • Get associated advisories
    • Check for missing affected or fixed packages
    • Check for conflicting affected or fixed packages
    • Check for conflicting severity scores
      (Create applicable todos)

@DennisClark
Copy link
Member

@keshav-space I would like to add to the list of issue_type values:

  • MISSING_SUMMARY

Thanks for working on this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Development

No branches or pull requests

4 participants