
Validate flaw impact and RH CVSSv3 score properly #890

Merged
merged 2 commits into from
Jan 24, 2025

Conversation

jobselko
Contributor

@jobselko jobselko commented Jan 23, 2025

This PR consolidates the flaw's impact and RH CVSSv3 score validations as they are currently inconsistent and incomplete.

If RH CVSSv3 is present, score and impact should comply with the following:

  • RH CVSSv3 score is not zero and flaw impact is set
  • RH CVSSv3 score is zero and flaw impact is not set

Closes OSIDB-3738

@jobselko jobselko self-assigned this Jan 23, 2025
@jobselko jobselko changed the title Fix impact rhcvssv3 validation Validate flaw impact and RH CVSSv3 score properly Jan 23, 2025
@jobselko jobselko marked this pull request as ready for review January 23, 2025 21:20
@jobselko jobselko requested a review from a team January 23, 2025 21:21
Contributor Author


FYI, I chose not to modify FlawFactory to automatically create RH CVSSv3 if necessary, as this change would break many tests and fixing it would be difficult due to the non-deterministic nature of the tests.

Contributor

@osoukup osoukup left a comment


LGTM

apps/trackers/tests/test_jira.py (review thread resolved)
@jobselko jobselko added this pull request to the merge queue Jan 24, 2025
Merged via the queue into master with commit f7d0a5b Jan 24, 2025
11 checks passed
@jobselko jobselko deleted the fix_impact_rhcvssv3_validation branch January 24, 2025 12:13
github-merge-queue bot pushed a commit that referenced this pull request Feb 13, 2025
This PR fixes/removes the clumsy changes introduced in #825. These
changes (and some code around) are no longer needed because #890 changed
how the `FlawCVSS` model is validated. Instead of validating all CVSS
scores, only the RH CVSS3 score is validated. The NVD collector only
touches NIST CVSS scores, so no code adjustments are required.

Closes OSIDB-3678