feat(rules): Add CVSS 3.1/4 to high vulnerability in dependency rule #193

Open

wants to merge 2 commits into base: main
Conversation

@tsteenbe (Member) commented Jun 3, 2024

Prior to this change a package with a high severity vulnerability encoded in CVSS 3.1 or 4.0 would not trigger a policy rule violation.

This is a preparation for a sequential commit where CVSS:3.1 and CVSS:4.0 comparator functions will be added.

Signed-off-by: Thomas Steenbergen <opensource@steenbe.nl>
@tsteenbe tsteenbe added the bug Something isn't working label Jun 3, 2024
@tsteenbe tsteenbe requested a review from a team as a code owner June 3, 2024 23:42
Prior to this change a package with a high severity vulnerability
encoded in CVSS 3.1 or 4.0 would not trigger a policy rule violation.

Signed-off-by: Thomas Steenbergen <opensource@steenbe.nl>
@tsteenbe tsteenbe force-pushed the fix-policy-rule-high-severity-vuln-in-dep branch from f5de453 to 869b512 Compare June 3, 2024 23:44
@@ -1546,10 +1546,16 @@ fun RuleSet.vulnerabilityWithHighSeverityInDependencyRule() = packageRule("HIGH_
-isProject()
-isExcluded()
+AnyOf(
hasVulnerability(maxAcceptedSeverity, "CVSS2") { value, threshold ->
hasVulnerability(maxAcceptedSeverity, "CVSS:2") { value, threshold ->
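Review bot: the scoring-system name passed to `hasVulnerability` is compared against the advisory's name by exact string (see the PackageRule.kt line linked in the review comment), so changing `hasVulnerability(maxAcceptedSeverity, "CVSS2")` to `hasVulnerability(maxAcceptedSeverity, "CVSS:2")` makes the rule stop matching advisories that literally report `CVSS2`; unless `hasVulnerability` itself normalizes names, keep both spellings inside the `AnyOf(` (one `hasVulnerability` call per spelling) or normalize before comparing. Note also that the leading `-` and `+` on `-isProject()`, `-isExcluded()` and `+AnyOf(` are ORT's unary matcher operators in the rule DSL, not diff markers, so the added/removed status of these lines is not visible in this excerpt, and the closing of the `AnyOf(` block and the CVSS:3.1/CVSS:4.0 branches the PR title promises are not shown here.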
Member:

Note that this would now disregard vulnerabilities that literally use "CVSS2" as the scoring system as we compare scoring systems by their strict string representation currently:

https://github.com/oss-review-toolkit/ort/blob/f560e02d555fd3b511d33b9d35cc4baa7de79ce8/evaluator/src/main/kotlin/PackageRule.kt#L98

Similar below. So this change likely has unwanted side effects.
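The matching pitfall the reviewer describes, as an added illustration in plain Kotlin (this is not ORT's code; `Vulnerability`, `hasVulnerabilityStrict`, `hasVulnerabilityNormalized`, `normalizeScoringSystem` and the severity labels are hypothetical names chosen here, and the severity bands are taken from the published CVSS 2, 3.x and 4.0 rating scales). It shows a strict string comparison silently skipping an advisory that spells the system `CVSS2`, and a normalizing comparison that folds `CVSS2`, `CVSS:2`, `CVSS:2.0` and the 3.x/4.0 spellings into one family tag before applying a per-family threshold:

```kotlin
// Added example, not ORT's own code. All names below are hypothetical.

// One advisory as reported by some provider. Providers do not agree on how the
// scoring system is spelled ("CVSS2", "CVSS:2", "CVSS:3.1", "CVSS:4.0", ...).
data class Vulnerability(val id: String, val scoringSystem: String, val score: Float)

// Fold the known spellings into a family tag: "CVSS2", "CVSS:2", "cvss:2.0" -> "CVSS:2",
// "CVSS:3.0" / "CVSS:3.1" -> "CVSS:3", "CVSS:4.0" -> "CVSS:4". Unknown names yield null.
fun normalizeScoringSystem(name: String): String? {
    val m = Regex("""^CVSS:?\s*(\d)(?:\.\d)?$""", RegexOption.IGNORE_CASE)
        .find(name.trim()) ?: return null
    return "CVSS:" + m.groupValues[1]
}

// Qualitative severity per family (assumed from the CVSS specs): CVSS 2 has no
// "CRITICAL" band and tops out at HIGH from 7.0; CVSS 3.x and 4.0 share their bands.
fun severityOf(family: String, score: Float): String = when (family) {
    "CVSS:2" -> when {
        score >= 7.0f -> "HIGH"
        score >= 4.0f -> "MEDIUM"
        else -> "LOW"
    }
    "CVSS:3", "CVSS:4" -> when {
        score >= 9.0f -> "CRITICAL"
        score >= 7.0f -> "HIGH"
        score >= 4.0f -> "MEDIUM"
        score > 0.0f -> "LOW"
        else -> "NONE"
    }
    else -> "UNKNOWN"
}

val SEVERITY_ORDER = listOf("NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL")

fun atLeast(severity: String, threshold: String): Boolean =
    SEVERITY_ORDER.indexOf(severity) >= SEVERITY_ORDER.indexOf(threshold)

// Strict matcher: only an advisory whose name is the literal requested string counts.
fun hasVulnerabilityStrict(vulns: List<Vulnerability>, system: String, threshold: String): Boolean {
    val family = normalizeScoringSystem(system) ?: return false
    return vulns.any { it.scoringSystem == system && atLeast(severityOf(family, it.score), threshold) }
}

// Normalizing matcher: any spelling of the same family counts.
fun hasVulnerabilityNormalized(vulns: List<Vulnerability>, system: String, threshold: String): Boolean {
    val family = normalizeScoringSystem(system) ?: return false
    return vulns.any { v ->
        normalizeScoringSystem(v.scoringSystem) == family && atLeast(severityOf(family, v.score), threshold)
    }
}

fun main() {
    // Constructed sample advisories (not real data): three spellings, three families.
    val vulns = listOf(
        Vulnerability("CVE-A", "CVSS2", 7.5f),
        Vulnerability("CVE-B", "CVSS:3.1", 8.1f),
        Vulnerability("CVE-C", "CVSS:4.0", 6.9f)
    )

    // Asking for "CVSS:2" with strict comparison misses CVE-A, which reports "CVSS2".
    check(!hasVulnerabilityStrict(vulns, "CVSS:2", "HIGH")) { "strict match unexpectedly hit CVSS2" }
    check(hasVulnerabilityNormalized(vulns, "CVSS:2", "HIGH")) { "normalized match missed CVSS2" }

    // The same threshold applied per family: 8.1 is HIGH under 3.1, 6.9 is only MEDIUM under 4.0.
    check(hasVulnerabilityNormalized(vulns, "CVSS:3.1", "HIGH")) { "3.1 HIGH not detected" }
    check(!hasVulnerabilityNormalized(vulns, "CVSS:4.0", "HIGH")) { "4.0 MEDIUM wrongly flagged" }

    println("all checks passed")
}
```

The design point is that the scoring-system name should be normalized once, on both sides of the comparison, rather than fixed by renaming the literal in every rule; the `check` calls in `main` make the difference between the two matchers visible when the file is run with `kotlinc -script` or compiled as a plain Kotlin program.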

Member:

I'll take a brief look at changing the hasVulnerability rule itself to address that.

Labels: bug (Something isn't working)

2 participants