Change from fail-on-result to fail-on-cvss #114
Comments
|
@seancorfield I had opened the issue and figured I would submit a PR with my proposed solution. I'm happy to discuss alternatives here. One obvious path would be to leave the current flag with its current all-or-nothing meaning and add the proposed new flag to allow for more granular failure conditions. |
|
I think we maybe need to look at #112 first? @lread or is that issue completely orthogonal to this one? I definitely don't want to break anyone's workflow that uses It does seem like if we had We could tell folks that this new option was the recommended approach and deprecate the older fail option (similar to our treatment of |
|
Could possibly name the new flag Then could add a validation check that both flags are not present and treat the current Whether #112 is orthogonal to this or not probably depends on how that one is solved. If the structure of the vulnerabilities remains the same and the different (CVSS2, CVSS3, CVSS4) values are somehow combined into the current shape, it's independent; if the response structure changes, it'd be best to wait to implement this change. |
That works, yes. We'll dig a bit more into #112 before finalizing an approach here. |
|
I had a peek at what DependencyCheck does here. They don't look at CVSS4 yet (they maybe should?) but if any base score from CVSS2 or CVSS3 is >= threshold, the "build" is failed. They also seem to compensate for missing scores... I had a peek at the h2 db and didn't see a need to do that, but I should take a 2nd look. An option would be to see if we can just call DependencyCheck's function here and let it decide. But... maybe best to do our own thing and include CVSS4 scores as well? |
|
You raising this issue is helpful, @coyotesqrl. Not only is it a good idea, but it is also helping me to better think about #112. So, thanks for that! |
|
Now I'm curious what the other change you would need is? |
|
I want to think of a couple proposed solutions before writing the issue, but so far have only come up with one. Basically, I want the DependencyCheck vulnerability scan to support using a |
|
Is the regular false positives XML file approach not sufficient for whitelisting CVEs? That's what we've used at work. |
|
Ooh. I think I just missed that completely. 🤦 That will probably work; I'll look into it tomorrow. |
|
AH! Now I know why I missed it. Maybe I'll write up some docs for #55 |
For dependency-check: Clj-watson now recognizes that multiple CVSS versions can be populated for a single CVE. We now: - to be cautious, choose the highest base score across all CVSS versions - include the CVSS version with the score For github-advisory: The github-advisory only contains a single CVSS entry. Clj-watson now extracts the CVSS revision from the CVSS "vectorString", when available. For reports: - `json` & `edn` - now include the CVSS `:version` under `:cvss` - `stdout` - now includes version after score: `CVSS: <score> (version <cvss version>)` - `sarif` - added `cvss` with its `score`, `version` and `severity` under `properties`, this duplicates existing the (unfortunately named) `security-severity` which also holds the `score` - reworded slightly awkward summary message, ex: - old: Vulnerability identified as CVE-2022-4244 of score 7.5 and severity HIGH found. - new: Vulnerability CVE-2022-4244 with a score of 7.5 and severity of HIGH found. Out of scope: This change does not include support for deriving a CVSS score when it missing. This will be handled when we need it for decision making, like in clj-holmes#114. Closes clj-holmes#112
* Review CVSS score handling & reporting For dependency-check: Clj-watson now recognizes that multiple CVSS versions can be populated for a single CVE. We now: - to be cautious, choose the highest base score across all CVSS versions - include the CVSS version with the score For github-advisory: The github-advisory only contains a single CVSS entry. Clj-watson now extracts the CVSS revision from the CVSS "vectorString", when available. For reports: - `json` & `edn` - now include the CVSS `:version` under `:cvss` - `stdout` - now includes version after score: `CVSS: <score> (version <cvss version>)` - `sarif` - added `cvss` with its `score`, `version` and `severity` under `properties`, this duplicates existing the (unfortunately named) `security-severity` which also holds the `score` - reworded slightly awkward summary message, ex: - old: Vulnerability identified as CVE-2022-4244 of score 7.5 and severity HIGH found. - new: Vulnerability CVE-2022-4244 with a score of 7.5 and severity of HIGH found. Out of scope: This change does not include support for deriving a CVSS score when it missing. This will be handled when we need it for decision making, like in #114. Closes #112 * docs: update changelog
|
This issue was raised from the perspective of dependency-check, but we also have our github-advisory strategy. The data returned by github advisory is sometimes incomplete. Dependency-check seems pretty complete today, but we don't know about tomorrow. For github-advisory, I've seen cases where we have the For missing data:
When clj-watson exits with 1 due to I was thinking that these derived scores would only be shown here. Watcha think? |
|
I personally think it's sufficient to include this as just a threshold report on cvss failure. It's extra data that doesn't seem to have a ton of value in the normal output report, but that would be very valuable in deciding whether something needed to be whitelisted, resolved, or removed. |
|
If no further discussion/analysis is needed on this issue, I'd be happy to move to a PR and get it into 6.1 -- since it sounds like this would allow @coyotesqrl to start using |
|
So, to recap:
|
|
Agree on all of the above. Thank you @lread ! |
|
One more point...might want to warn if both flags are passed. |
|
Ok, I'll take a crack at a PR. |
See README for general description. New option is mutually exclusive to `--fail-on-result`; if both are specified, clj-watson fails fast with usage error and help. Conservatively derives score when missing or suspicious looking. - When severity is available conservatively converts to score - Since we don't know if if score is CVSS2 or CVSS3/4 derives High and Critical to 10.0, Medium and Low are converted to upper bound of their ranges. - The experimental github-advisory strategy seems to regularly populate score with `0.0` but with a valid looking severity; we treat a score of 0.0 as suspicious. - I've not seen cases of invalid severities in the wild, but we handle them just the same, when we can't make sense of things we derive to the most critical score which is 10.0. Also: - factored out table support from cli-spec ns to new table ns to reuse it for summary table. - renamed summarize fn to final-summary to better distinguish from our new summary fn - a new utils ns for `assoc-some` fn (cribbed clj-kondo which cribbed from medley). Closes clj-holmes#114
See README for general description. New option is mutually exclusive to `--fail-on-result`; if both are specified, clj-watson fails fast with usage error and help. Conservatively derives score when missing or suspicious looking: - When severity is available, conservatively converts to score - Since we don't know if if score is CVSS2 or CVSS3/4 derives, High and Critical to 10.0, Medium and Low are converted to upper bound of their ranges. - The experimental github-advisory strategy seems to regularly populate score with `0.0` but with a valid looking severity; we treat a score of 0.0 as suspicious. - I've not seen cases of invalid severities in the wild, but we handle them just the same, when we can't make sense of things we derive to the most critical score which is 10.0. Also: - factored out table support from cli-spec ns to new table ns to reuse it for summary table. - renamed summarize fn to final-summary to better distinguish from our new summary fn - a new utils ns for `assoc-some` fn (cribbed clj-kondo which cribbed from medley). Closes clj-holmes#114
See README for general description. New option is mutually exclusive to `--fail-on-result`; if both are specified, clj-watson fails fast with usage error and help. Conservatively derives score when missing or suspicious looking: - When severity is available, conservatively converts to score - Since we don't know if if score is CVSS2 or CVSS3/4 derives, High and Critical to 10.0, Medium and Low are converted to upper bound of their ranges. - The experimental github-advisory strategy seems to regularly populate score with `0.0` but with a valid looking severity; we treat a score of 0.0 as suspicious. - I've not seen cases of invalid severities in the wild, but we handle them just the same, when we can't make sense of things we derive to the most critical score which is 10.0. Also: - factored out table support from cli-spec ns to new table ns to reuse it for summary table. - renamed summarize fn to final-summary to better distinguish from our new summary fn - a new utils ns for `assoc-some` fn (cribbed clj-kondo which cribbed from medley). Closes clj-holmes#114
The dependency-check Maven plugin has deprecated the
failBuildOnAnyVulnerabilityin favor of settingfailBuildOnCVSSto 0 for all vulnerabilities.This allows for greater flexibility and granularity, making CI adoption more attractive. For example, a team could opt to fail builds with any vulnerabilities with a CVSS > 6. This can help reduce churn a little, as lower-criticality issues can be addressed at more leisure.
The text was updated successfully, but these errors were encountered: