Add a risk_score field and display the values in the UI #98

Signed-off-by: tdruez <[email protected]>

component_catalog/migrations/0010_component_risk_score_package_risk_score.py

@@ -0,0 +1,23 @@
+# Generated by Django 5.0.9 on 2024-11-08 13:24
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('component_catalog', '0009_componentaffectedbyvulnerability_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='component',
+            name='risk_score',
+            field=models.DecimalField(decimal_places=2, help_text='Risk score between 0.00 and 10.00, where higher values indicate greater vulnerability risk for the package.', max_digits=4, null=True),
+        ),
+        migrations.AddField(
+            model_name='package',
+            name='risk_score',
+            field=models.DecimalField(decimal_places=2, help_text='Risk score between 0.00 and 10.00, where higher values indicate greater vulnerability risk for the package.', max_digits=4, null=True),
+        ),
+    ]

component_catalog/templates/component_catalog/includes/risk_score_badge.html

@@ -0,0 +1,11 @@
+{% if risk_score %}
+  <span class="badge
+    {% if risk_score >= 8.0 %}bg-danger
+    {% elif risk_score >= 6.0 %}bg-warning-orange
+    {% elif risk_score >= 3.0 %}bg-warning
+    {% else %}bg-secondary
+    {% endif %}
+  ">
+    risk {{ risk_score }}
+  </span>
+{% endif %}

component_catalog/templates/component_catalog/tabs/tab_vulnerabilities.html

@@ -1,4 +1,14 @@
 {% load i18n %}
+<dl class="row mb-3">
+  <dt class="col-sm-1 text-end pt-2 pe-0">
+    <span class="help_text" data-bs-placement="right" data-bs-toggle="tooltip" data-bs-title="Risk score between 0.00 and 10.00, where higher values indicate greater vulnerability risk for the package.">
+      Risk score
+    </span>
+  </dt>
+  <dd class="col-sm-11">
+    <pre class="pre-bg-body-tertiary mb-1">{{ package.risk_score }}</pre>
+  </dd>
+</dl>
 <table class="table table-bordered table-hover table-md text-break">
   <thead>
     <tr>
@@ -12,11 +22,6 @@
           {% trans 'Aliases' %}
         </span>
       </th>
-      <th style="width: 90px;">
-        <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Severity score range.">
-          {% trans 'Score' %}
-        </span>
-      </th>
       <th>
         <span class="help_text" data-bs-toggle="tooltip" data-bs-placement="bottom" data-bs-title="Summary of the vulnerability.">
           {% trans 'Summary' %}
@@ -47,16 +52,6 @@
         <td>
            {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
         </td>
-        <td>
-          {% if vulnerability.min_score %}
-            {{ vulnerability.min_score }} -
-          {% endif %}
-          {% if vulnerability.max_score %}
-            <strong>
-              {{ vulnerability.max_score }}
-            </strong>
-          {% endif %}
-        </td>
         <td>
           {% if vulnerability.summary %}
             {% if vulnerability.summary|length > 120 %}

dejacode/static/css/dejacode_bootstrap.css

@@ -86,6 +86,9 @@ table.text-break thead {
   word-wrap: initial!important;
   word-break: initial!important;
 }
+.bg-warning-orange {
+  background-color: var(--bs-orange);
+}
 /* -- Dark there fixes -- */
 [data-bs-theme=dark] .btn-outline-dark {
   --bs-btn-color: var(--bs-tertiary-color);

product_portfolio/filters.py

@@ -118,6 +118,19 @@ class Meta:
         ]
 
 
+risk_score_ranges = {
+    "low": (0.1, 2.9),
+    "medium": (3.0, 5.9),
+    "high": (6.0, 7.9),
+    "critical": (8.0, 10.0),
+}
+
+RISK_SCORE_CHOICES = [
+    (key, f"{key.capitalize()} ({value[0]} - {value[1]})")
+    for key, value in risk_score_ranges.items()
+]
+
+
 class BaseProductRelationFilterSet(DataspacedFilterSet):
     is_deployed = BooleanChoiceFilter(
         empty_label="All (Inventory)",
@@ -130,9 +143,7 @@ class BaseProductRelationFilterSet(DataspacedFilterSet):
             right_align=True,
         ),
     )
-
     is_modified = BooleanChoiceFilter()
-
     object_type = django_filters.CharFilter(
         method="filter_object_type",
         widget=DropDownWidget(
@@ -145,6 +156,15 @@ class BaseProductRelationFilterSet(DataspacedFilterSet):
             ),
         ),
     )
+    risk_score = django_filters.ChoiceFilter(
+        label=_("Risk score"),
+        choices=RISK_SCORE_CHOICES,
+        method="filter_by_risk_score_range",
+        help_text="Select a score range to filter.",
+        widget=DropDownWidget(
+            anchor="#inventory", right_align=True
+        ),
+    )
 
     @staticmethod
     def filter_object_type(queryset, name, value):
@@ -163,6 +183,21 @@ def filter_object_type(queryset, name, value):
 
         return queryset.none()
 
+    def filter_by_risk_score_range(self, queryset, name, value):
+        if queryset.model is ProductPackage:
+            model_name = "package"
+        else:
+            model_name = "component"
+
+        if value in risk_score_ranges:
+            low, high = risk_score_ranges[value]
+            filters = {
+                f"{model_name}__risk_score__gte": low,
+                f"{model_name}__risk_score__lte": high,
+            }
+            return queryset.filter(**filters)
+        return queryset
+
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
 

product_portfolio/templates/product_portfolio/tabs/tab_inventory.html

@@ -40,7 +40,7 @@
         {{ filter_productcomponent.form.object_type }}
         <button class="btn btn-xs btn-outline-dark ms-2 toggle-details" data-bs-toggle="tooltip" data-bs-trigger="hover" title="{% trans 'Show/hide details' %}"><i class="fas fa-plus"></i>/<i class="fas fa-minus"></i></button>
         {% if product.dataspace.enable_vulnerablecodedb_access %}
-          <div class="float-end">
+          <span class="ms-2">
             {{ filter_productcomponent.form.is_vulnerable }}
           </div>
         {% endif %}
@@ -53,7 +53,7 @@
         {% trans 'Concluded license' %}
       </th>
       <th style="width: 140px;">
-        {% trans 'Review status' %}
+        {% trans 'Compliance status' %}
         {{ filter_productcomponent.form.review_status }}
       </th>
       <th style="width: 106px;">
@@ -64,6 +64,12 @@
         {% trans 'Modified' %}
         {{ filter_productcomponent.form.is_modified }}
       </th>
+      {% if product.dataspace.enable_vulnerablecodedb_access %}
+        <th style="width: 75;">
+          {% trans 'Risk' %}
+          {{ filter_productcomponent.form.risk_score }}
+        </th>
+      {% endif %}
     </tr>
   </thead>
   <tbody>
@@ -113,6 +119,13 @@
           <td>{{ relation.review_status|default_if_none:'' }}</td>
           <td class="text-center">{{ relation.is_deployed|as_icon }}</td>
           <td class="text-center">{{ relation.is_modified|as_icon }}</td>
+          {% if product.dataspace.enable_vulnerablecodedb_access %}
+            <td>
+              {% if relation.related_component_or_package.vulnerability_count %}
+                {% include 'component_catalog/includes/risk_score_badge.html' with risk_score=relation.related_component_or_package.risk_score only %}
+              {% endif %}
+            </td>
+          {% endif %}
         </tr>
         {% if relation.package and display_scan_features %}
           <tr class="{{ rowcolors }} extra-details">

product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html

@@ -20,16 +20,6 @@
         <td>
            {% include 'component_catalog/includes/vulnerability_aliases.html' with aliases=vulnerability.aliases only %}
         </td>
-        <td>
-          {% if vulnerability.min_score %}
-            {{ vulnerability.min_score }} -
-          {% endif %}
-          {% if vulnerability.max_score %}
-            <strong>
-              {{ vulnerability.max_score }}
-            </strong>
-          {% endif %}
-        </td>
         <td>
           {% if vulnerability.summary %}
             {% if vulnerability.summary|length > 120 %}
@@ -47,6 +37,9 @@
             {% for package in vulnerability.affected_packages.all %}
               <li>
                 <a href="{{ package.get_absolute_url }}#vulnerabilities" target="_blank">{{ package }}</a>
+                {% if package.risk_score %}
+                  {% include 'component_catalog/includes/risk_score_badge.html' with risk_score=package.risk_score only %}
+                {% endif %}
               </li>
             {% endfor %}
           </ul>

product_portfolio/views.py

@@ -1097,7 +1097,7 @@ class ProductTabVulnerabilitiesView(
     table_headers = (
         Header("vulnerability_id", _("Vulnerability")),
         Header("aliases", _("Aliases")),
-        Header("max_score", _("Score"), help_text="Severity score range", filter="max_score"),
+        # Header("max_score", _("Score"), help_text="Severity score range", filter="max_score"),
         Header("summary", _("Summary")),
         Header("affected_packages", _("Affected packages"), help_text="Affected product packages"),
     )

vulnerabilities/models.py

@@ -378,6 +378,16 @@ class AffectedByVulnerabilityMixin(models.Model):
         related_name="affected_%(class)ss",
         help_text=_("Vulnerabilities affecting this object."),
     )
+    # Based on vulnerablecode.vulnerabilities.models.Package
+    risk_score = models.DecimalField(
+        null=True,
+        max_digits=4,
+        decimal_places=2,
+        help_text=_(
+            "Risk score between 0.00 and 10.00, where higher values "
+            "indicate greater vulnerability risk for the package."
+        ),
+    )
 
     class Meta:
         abstract = True