
Add missing OSV schema fields to vulnerability page #2132

35 changes: 33 additions & 2 deletions gcp/appengine/frontend3/src/styles.scss
@@ -687,23 +687,49 @@ dl.vulnerability-details,
}
}


dd.credits {
ul {
padding: 0;
}

li.credit {
margin: 0 0 10px 0;
}

.contact li {
margin: 5px 40px 10px 0;
display: inline-flex;
flex-direction: row;
overflow-wrap: break-word;
}
}

pre {
white-space: pre-wrap;
overflow: auto;
}


.purl {
font-family: $osv-heading-font-family;
}

.links {
padding: 0;
display: flex;
flex-direction: column;
gap: 10px;
overflow-wrap: break-word;
margin-bottom: 20px;
}

.aliases {
padding: 0;
}

.severity {
padding: 0;
font-family: $osv-heading-font-family;
}
}

.vulnerability-packages-container {
@@ -865,6 +891,11 @@ dl.vulnerability-details,
padding: 14px 0;
border-bottom: 1px dashed #fff;
}

.severity {
padding: 0;
font-family: $osv-heading-font-family;
}
}

/** Home page */
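Review bot: the `.severity { padding: 0; font-family: $osv-heading-font-family; }` rule added here under `.vulnerability-packages-container` is identical to the one the previous hunk adds under `dl.vulnerability-details`; both style the same `<ul class="severity">` markup, so hoist it to a single top-level `ul.severity` rule so the top-level and per-affected lists cannot drift apart.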
150 changes: 104 additions & 46 deletions gcp/appengine/frontend3/src/templates/vulnerability.html
@@ -62,6 +62,16 @@ <h1 class="title">{{ vulnerability.id }}</h1>
<dd>{{ vulnerability.published }}</dd>
<dt>Modified</dt>
<dd>{{ vulnerability.modified }}</dd>
{%- if vulnerability.severity -%}
<dt>Severity</dt>
<dd>
<ul class="severity">
{% for item in vulnerability.severity -%}
<li>{{ item.type }} - {{ item.score }}</li>
{% endfor -%}
</ul>
</dd>
{%- endif -%}
<dt class="summary">Summary</dt>
<dd class="summary {% if not vulnerability.summary %}muted{% endif %}">
{% if vulnerability.summary %}
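Review bot: the new `<dt>Severity</dt>` heading carries no link to the schema definition, while the other sections this PR touches (`Affected versions`, `Ecosystem specific`, `Database specific`) each link their field on https://ossf.github.io/osv-schema/ with the `<a href=... target="_blank" rel="noopener noreferrer">` pattern; add the same link pointing at the top-level `severity` field so readers can find what `type` and `score` mean. The `{{ item.type }} - {{ item.score }}` rendering itself matches the per-affected block and is fine.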
@@ -82,6 +92,29 @@ <h1 class="title">{{ vulnerability.id }}</h1>
{% endfor -%}
</ul>
</dd>
{% if vulnerability.credits -%}
<dt class="credits">Credits</dt>
<dd class="credits">
<ul>
{% for credit in vulnerability.credits -%}
<li class="credit">
<ul>
<li>{{ credit.name }}{% if 'type' in credit %} - {{ credit.type }}{% endif %}</li>
{%- if 'contact' in credit -%}
<li>
<ul class="contact">
{%- for item in credit.contact -%}
<li><a href="{{ item }}" target="_blank" rel="noopener noreferrer">{{ item }}</a></li>
{%- endfor -%}
</ul>
</li>
{%- endif -%}
</ul>
</li>
{% endfor -%}
</ul>
</dd>
{% endif %}
</dl>
</div>
</div>
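Review bot: `<a href="{{ item }}" target="_blank" rel="noopener noreferrer">{{ item }}</a>` turns every `credit.contact` entry into a hyperlink without checking its scheme, so a contact value that is not an http(s) URL still becomes a clickable `href` (the schema describes contacts as URLs, but the template does not verify that); only wrap entries that start with `http://` or `https://` in an anchor and print the rest as plain text. `target="_blank"` together with `rel="noopener noreferrer"` is correct as written.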
@@ -113,19 +146,35 @@ <h3 class="mdc-layout-grid__cell--span-3">
</h3>
<div class="mdc-layout-grid__cell--span-9">
<dl>
{%- if 'package' in affected -%}
<dt>Name</dt>
{%- if affected.package | package_in_ecosystem -%}
<dd><a href="{{ affected.package | package_in_ecosystem }}" target="_blank" rel="noopener noreferrer">{{
affected.package.name }}</a></dd>
{%- else -%}
<dd>{{ affected.package.name }}</dd>
{%- endif -%}
{%- if 'purl' in affected.package -%}
<dt>Purl</dt>
<dd class="purl">{{ affected.package.purl }}</dd>
{%- endif -%}
Collaborator

We also have a per-affected severity field: https://ossf.github.io/osv-schema/#affectedseverity-field

Collaborator Author

Added a commit for it c645c99

You might verify it via: BIT-mediawiki-2020-27621

sample output:

[Screenshot 2024-05-15 at 9:18:49 AM]

Collaborator

The rendering of this is different from the rendering for the top level severity (e.g. on GHSA-76v2-48w6-crxr). Can we make this the same as the top level rendering?

Collaborator Author

Updated in 212c8f1

sample output:
[Screenshot 2024-05-17 at 4:02:35 PM]

</dl>
</div>
</div>
{%- endif -%}
{%- if 'severity' in affected -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Severity
</h3>
<div class="mdc-layout-grid__cell--span-9">
<ul class="severity">
{% for item in affected.severity -%}
<li>{{ item.type }} - {{ item.score }}</li>
{% endfor -%}
</ul>
</div>
</div>
{%- endif -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Affected ranges
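Review bot: `{%- if 'severity' in affected -%}` tests for key presence, so an `affected` entry whose `severity` is an empty list still gets an empty `Severity` subsection, and it differs from the truthiness checks used elsewhere in this file (`{% if affected.versions -%}`, `{%- if vulnerability.severity -%}`); use `{%- if affected.severity -%}` for consistency. The same consideration applies to `{%- if 'purl' in affected.package -%}`, where an empty string would render an empty `Purl` row.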
@@ -169,59 +218,68 @@ <h3 class="mdc-layout-grid__cell--span-3">
{% endfor -%}
</div>
</dd>

{%- if range.database_specific -%}
<dt>
Database specific
<a href="https://ossf.github.io/osv-schema/#affectedrangesdatabase_specific-field" target="_blank"
rel="noopener noreferrer"></a>
</dt>
<dd><pre class="specific">{{ range.database_specific | display_json }}</pre></dd>
{%- endif -%}
</dl>
{% endfor -%}
</div>
Collaborator

We also have per-range ecosystem/database_specific: https://ossf.github.io/osv-schema/#affectedecosystem_specific-field

Collaborator

To clarify, in total there's 3 variations here:

  • affected[].ranges[].database_specific
  • affected[].database_specific field
  • affected[].ecosystem_specific field

Collaborator Author

Added a commit to expose it: 47f2185

Also looking at the data models, I reckon currently this data is not recorded on the Bug model:

osv.dev/osv/models.py, lines 185 to 194 in 47f2185:

```python
class AffectedRange2(ndb.Model):
  """Affected range."""
  # Type of range.
  type = ndb.StringProperty(validator=_check_valid_range_type)
  # Repo URL.
  repo_url = ndb.StringProperty()
  # Events.
  events = ndb.LocalStructuredProperty(AffectedEvent, repeated=True)
```

(Please correct me if I'm missing something.)

It might be worth mentioning, I couldn't find any bug that includes database_specific on its ranges though.

sample output:

[Screenshot 2024-05-15 at 12:54:52 PM]

Collaborator Author

@oliverchang - FYI added ecae833 to render the on-the-fly database_specific data too.

</div>
</div>
{% if affected.versions -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Affected versions
<a href="https://ossf.github.io/osv-schema/#affectedversions-field" target="_blank"
rel="noopener noreferrer"></a>
</h3>
<div class="mdc-layout-grid__cell--span-9 version-value">
{% for group, versions in (affected.versions|group_versions(ecosystem)).items() -%}
<spicy-sections class="versions-section">
<h2 class="version-header">{{ group }}</h2>
<div class="versions {% if not loop.last %}versions-separator{% endif %}">
{% for version in versions -%}
<div class="version">{{ version }}</div>
{% endfor -%}
</div>
</spicy-sections>
{% endfor -%}
{% if affected.versions -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Affected versions
<a href="https://ossf.github.io/osv-schema/#affectedversions-field" target="_blank"
rel="noopener noreferrer"></a>
</h3>
<div class="mdc-layout-grid__cell--span-9 version-value">
{% for group, versions in (affected.versions|group_versions(ecosystem)).items() -%}
<spicy-sections class="versions-section">
<h2 class="version-header">{{ group }}</h2>
<div class="versions {% if not loop.last %}versions-separator{% endif %}">
{% for version in versions -%}
<div class="version">{{ version }}</div>
{% endfor -%}
</div>
</spicy-sections>
{% endfor -%}
</div>
</div>
</div>
{% endif -%}
{% if affected.ecosystem_specific -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Ecosystem specific
<a href="https://ossf.github.io/osv-schema/#affectedecosystem_specific-field" target="_blank"
rel="noopener noreferrer"></a>
</h3>
<div class="mdc-layout-grid__cell--span-9">
<pre class="specific">{{ affected.ecosystem_specific | display_json }}</pre>
{% endif -%}
{% if affected.ecosystem_specific -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Ecosystem specific
<a href="https://ossf.github.io/osv-schema/#affectedecosystem_specific-field" target="_blank"
rel="noopener noreferrer"></a>
</h3>
<div class="mdc-layout-grid__cell--span-9">
<pre class="specific">{{ affected.ecosystem_specific | display_json }}</pre>
</div>
</div>
</div>
{% endif -%}
{% if affected.database_specific -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Database specific
<a href="https://ossf.github.io/osv-schema/#affectedrangesdatabase_specific-field" target="_blank"
rel="noopener noreferrer"></a>
</h3>
<div class="mdc-layout-grid__cell--span-9">
<pre class="specific">{{ affected.database_specific | display_json }}</pre>
{% endif -%}
{% if affected.database_specific -%}
<div class="vulnerability-package-subsection mdc-layout-grid__inner">
<h3 class="mdc-layout-grid__cell--span-3">
Database specific
<a href="https://ossf.github.io/osv-schema/#affecteddatabase_specific-field" target="_blank"
rel="noopener noreferrer"></a>
</h3>
<div class="mdc-layout-grid__cell--span-9">
<pre class="specific">{{ affected.database_specific | display_json }}</pre>
</div>
</div>
{% endif -%}
</div>
{% endif -%}
{% endfor -%}
</spicy-sections>
</div>
{% endfor -%}
</spicy-sections>
</div>
</div>
<turbo-stream action="update" target="title">
<template>
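Review bot: the `{%- if range.database_specific -%}` block is only reachable for records rendered on the fly, because the `AffectedRange2` model quoted in the thread above has no `database_specific` property, so a stored Bug can never populate it; add a fixture that exercises this branch (or state the limitation in the PR description) so the template does not silently ship unreachable markup. Correcting the affected-level link from `#affectedrangesdatabase_specific-field` to `#affecteddatabase_specific-field` is right, and the range-level block correctly keeps the `#affectedrangesdatabase_specific-field` anchor.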
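The review thread above lists three places an OSV record can carry `database_specific` or `ecosystem_specific` data, and the new Credits block links every `contact` entry verbatim. The Python below is an illustration added here; it is not osv.dev code and not part of this PR. It walks a constructed OSV record the way the template does, reports which of the three `*_specific` locations each `affected` entry populates, and only turns a credit contact into a link when it is an absolute http(s) URL. The record, its `EXAMPLE-2024-0001` identifier, and the helper names are all assumptions made for the example.

```python
"""Walk an OSV record and collect the fields the vulnerability page renders.

Added illustration, not osv.dev code: the record below is constructed and the
helpers mirror the template's lookups so you can see which of the three
*_specific locations a record actually populates.
"""
import json
from urllib.parse import urlsplit

# Constructed sample record, not a real advisory: it deliberately fills every
# location the PR thread discusses plus one affected entry that fills none.
SAMPLE_OSV = json.loads("""
{
  "id": "EXAMPLE-2024-0001",
  "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],
  "credits": [
    {"name": "Alice", "type": "FINDER", "contact": ["https://example.invalid/alice"]},
    {"name": "Mallory", "contact": ["javascript:alert(1)", "mailto:m@example.invalid"]}
  ],
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "example-pkg", "purl": "pkg:pypi/example-pkg"},
      "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.2.3"}],
         "database_specific": {"source": "constructed"}}
      ],
      "ecosystem_specific": {"affected_functions": ["example.parse"]},
      "database_specific": {"last_known_affected": "1.2.2"}
    },
    {
      "package": {"ecosystem": "npm", "name": "example-js"},
      "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "2.0.0"}]}]
    }
  ]
}
""")

SAFE_SCHEMES = ("http", "https")


def safe_contact_link(contact):
    """Return the URL if it is safe to emit as an href, otherwise None.

    The template links every credit contact verbatim; this keeps only absolute
    http(s) URLs so a javascript:, data: or mailto: string is shown as text.
    """
    parts = urlsplit(contact)
    if parts.scheme.lower() in SAFE_SCHEMES and parts.netloc:
        return contact
    return None


def specific_locations(affected):
    """Name the *_specific locations present on one affected entry.

    Mirrors the three variants listed in the review thread:
    affected[].ranges[].database_specific, affected[].database_specific and
    affected[].ecosystem_specific.
    """
    found = []
    for i, rng in enumerate(affected.get("ranges", [])):
        if rng.get("database_specific"):
            found.append(f"ranges[{i}].database_specific")
    if affected.get("database_specific"):
        found.append("database_specific")
    if affected.get("ecosystem_specific"):
        found.append("ecosystem_specific")
    return found


def summarize(record):
    """Collect the fields the page renders, formatted as the template emits them."""
    summary = {
        "severity": [f"{s['type']} - {s['score']}" for s in record.get("severity", [])],
        "credits": [],
        "affected": [],
    }
    for credit in record.get("credits", []):
        summary["credits"].append({
            "name": credit["name"],  # required by the schema
            "type": credit.get("type"),
            "links": [safe_contact_link(c) for c in credit.get("contact", [])],
        })
    for affected in record.get("affected", []):
        pkg = affected.get("package", {})
        summary["affected"].append({
            "name": pkg.get("name"),
            "purl": pkg.get("purl"),
            "severity": [f"{s['type']} - {s['score']}" for s in affected.get("severity", [])],
            "specific": specific_locations(affected),
        })
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_OSV), indent=2))
```

Running it prints one entry per `affected` element with the `specific` list naming exactly the locations present, and Mallory's two contacts come back as `None`, which is the signal to render them as plain text rather than an `href`.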