-
-
Notifications
You must be signed in to change notification settings - Fork 580
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Global Audit View: Vulnerabilities #2472
Global Audit View: Vulnerabilities #2472
Conversation
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Outdated
Show resolved
Hide resolved
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Show resolved
Hide resolved
I tried it, but whatever I put in the filters on the left, or Clear All, I always get No Matching records found. |
Thats strange since I tested it too.. you have projects with vulnerabilities and your account also has permissions to audit vulnerabilities on these projects? |
I am logged in as My main usecase for this view is to see the most recently found vulnerabilities and the projects that are affected. So even without permissions to audit vulnerabilities, it would be useful to be able to use this view. EDIT: Hmm all projects have disappeared, let me check what's going on. |
Ah yes, my mistake, as Richard mentioned in the PR description: VIEW_VULNERABILITY is enough and should fit your use case.
That sounds like the reason then |
Yeah, projects are back and I can see vulnerabilities. But the initial page load takes a very long time. The download size is over 14MB for that xhr call. |
Damn. That sounds a bit too much. We don't by chance have some huge example BOMs prepared that could be shared for contributors to test changes on larger databases? Our test setup is too small it seems :D |
I have ~200 projects and ~6000 vulnerabilities. Might be that that big join without pagina is slow, or that DataNucleus performs a couple of extra queries on each finding to get missing data. Here's a link a 22MB BOM with 9k components: #1905 (comment) |
That big JOIN might take some time - but the result is still only 25 (or whatever you configured) entries, which should even for 100 rows not be 14MB |
@rkg-mm are you able to fix/address the sonatype bugs that were identified? |
This PR is now updated to include the following changes:
Please check this updated feature out again and leave your feedback! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR, and addressing all comments so far @rbt-mm and @rkg-mm!
A few additional comments from my side regarding the implementation.
As for the feature itself, it certainly makes sense to me. However, especially for reporting, requirements and desired features can vary quite a bit between organizations. Before we ship this feature, I'd really love more community input. I posted a request for it in our Slack channel: https://owasp.slack.com/archives/C6R3R32H4/p1692563653439049
We discussed this feature in our last DT maintainers meeting, and we decided to not include it in the upcoming 4.9 release. For that, we're mostly waiting for a few small blockers to unblock (e.g. #2850), but otherwise we want to get that release shipped ASAP.
As mentioned earlier, we believe that this feature needs more eyes on it, and also more testing. The aim would be to get it merged as soon as 4.9 is out of the door. We're aware of the resource constraints on your side, but given the current state and quality of the code in this PR (props to @rbt-mm!), we're optimistic that we can finish the work ourselves if required.
src/main/java/org/dependencytrack/persistence/FindingsSearchQueryManager.java
Outdated
Show resolved
Hide resolved
Thanks for the Feedback, OK let's wait for community input here |
For folks willing to test this, I pushed container images to Docker Hub:
|
thanks for this feature @rbt-mm and @rkg-mm !! I 💟 where this is going and would see this being extremely useful! Most of my questions below i made as a "code" formatting for ease of finding. I see the business need especially for PSIRT and CISO organizations. One thing that dawned on me as I was experimenting with the new dashboard is My DT is still syncing with nvd etc, so i think it may still be processing in the background to populate the dashboard/metrics. If after its done, I still see broken summaries we may want to revisit the code to see where it might need to be tweaked. When i go to the new dashboard, i'm a bit confused by the occurances vs groups. Thanks @nscuro for publishing a snapshot of this feature! Was fun playing with it and excited for its future release 😄 |
@melba-lopez I think the missing vulnerabilties are due to the issue nscuro pointed out already, basically this: #2474 we probably need to change that behaviour in parallel to make the filtering work correct, but that seems to be a smaller change to me. Regarding the rollup: Am explanation for the views could surely be added @rbt-mm. Maybe we can put something like an info icon the tab-header, or as a mouseover to it? Otherwise an info icon somewhere in the top of the tab. |
Thanks @rkg-mm, I will have a look shortly. |
@nscuro Can you add this to 4.11 milestone? |
Adds two new API methods to the FindingResource, which return a filtered list (ACL and optional other filters) of every finding, either by occurrence or grouped by vulnerability, to allow users to quickly get every finding for all of their projects. Signed-off-by: RBickert <[email protected]>
Adds test for the new class `GroupedFinding` and for the new methods in the `FindingResource`. Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Calculate severity if NULL in database Adjust tests Signed-off-by: RBickert <[email protected]>
Integrates server side pagination and ordering in FindingsSearchQueryManager to reduce the Frontend traffic by only sending the necessary data Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
Adds filters and sorting for CVSSv2 to the FindingsSearchQueryManager to use it in the Vulnerability Audit in the Frontend Signed-off-by: RBickert <[email protected]>
Fixes duplicate entries of the same finding appearing for every team membership of the user Signed-off-by: RBickert <[email protected]>
Signed-off-by: RBickert <[email protected]>
7c8792a
to
506b0dc
Compare
Signed-off-by: RBickert <[email protected]>
@nscuro should be fine now |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Description
This PR introduces introduces new API endpoints in the
FindingResource
of the backend. These two new endpoints filter every finding by ACLs and other optional filters and then returns them , either by occurrence of vulnerability or grouped by vulnerability.Those endpoints are used in a new view, which is introduced in the Frontend PR, and grant a simple way of gathering all findings in one place and filtering/sorting them by different criteria.
Addressed Issue
#1770
Additional Details
VIEW_VULNERABILITY
permissionA PR for a policy violations audit will soon follow!
Checklist
- [ ] This PR fixes a defect, and I have provided tests to verify that the fix is effective- [ ] This PR introduces changes to the database model, and I have added corresponding update logic- [ ] This PR introduces new or alters existing behavior, and I have updated the documentation accordingly