
Improve the details provided by the "Severities vectors" tab in VCIO "Vulnerability details" #1672

Open
DennisClark opened this issue Nov 19, 2024 · 1 comment

Comments

@DennisClark
Member

DennisClark commented Nov 19, 2024

First, a quick and simple one: please change the tab label from "Severities vectors" to "Severity metrics".

Objective: Make the various scores more useful by providing information about their origin, and reinforcing the scores that we display on the "essentials" tab.

The various details can be greatly improved by providing and displaying, for each severity:

  • origin name
  • (optionally) origin URL if available.
  • the CVSS numeric score

Provide these details in the v2 API.

We should consider and discuss whether we would like to expose the Weight assigned to each origin, which might be useful (but alternatively might be confusing or distracting). A benefit could be to support the value that we provide as Weighted Severity on the Essentials tab.

@mjherzog
Member

mjherzog commented Dec 4, 2024

The title should be Severity Metrics not Severities Vectors - see the Spec at: https://www.first.org/cvss/v3.1/specification-document. Only one of the metrics has vector in the name.

Also using VCID=63q1-581t-aaag as an example:

  • We have 29 Severities vectors entries which are almost all duplicate CVSS:3.1 scores likely copied from the original CVE entry. Impossible to tell since none have any clue about data origin.
  • These appear to be related to the 29 entries in the Essentials/Severity table where the System is some version of CVSS.
  • The current display makes it practically impossible to visually identify differences if there are any. I do not see the value of showing the Vector values that do not apply grayed-out so we should just show the values that apply. This would greatly simplify the display.
  • It would be nice to have some more tabular format with the metrics as rows and the origin/ref as the columns (mockup attached). This would probably require a different screen for each CVSS version but that is probably a good idea in any case. This might require horizontal scrolling in some cases, but it would be a big improvement over the current display
  • In the Severity list we have RedHat entries coded as "rhas" in the System field - should this be "rhsa"? Also per https://access.redhat.com/security/updates/classification#normal, Red Hat uses CVSS:3.1 since 2016 so perhaps that should be the label instead.
    Severity-Metrics-table.pdf

@DennisClark DennisClark added this to the v36.0.0 - 3-next milestone Dec 4, 2024