@@ -0,0 +1,54 @@
# Generated by Django 4.2.25 on 2025-12-19 08:31

from django.db import migrations, models


class Migration(migrations.Migration):

dependencies = [
("vulnerabilities", "0105_packagecommitpatch_patch_and_more"),
]

operations = [
migrations.AlterField(
model_name="advisoryreference",
name="url",
field=models.URLField(help_text="URL to the vulnerability reference", max_length=1024),
),
migrations.AlterField(
model_name="advisoryseverity",
name="value",
field=models.CharField(
help_text="Example: 9.0, Important, High", max_length=50, null=True
),
),
migrations.AlterField(
model_name="advisoryweakness",
name="cwe_id",
field=models.IntegerField(help_text="CWE id", unique=True),
),
migrations.AlterUniqueTogether(
name="advisoryreference",
unique_together={("url", "reference_type")},
),
migrations.AlterUniqueTogether(
name="advisoryseverity",
unique_together={
("url", "scoring_system", "value", "scoring_elements", "published_at")
},
),
migrations.AddConstraint(
model_name="advisoryseverity",
constraint=models.CheckConstraint(
check=models.Q(
models.Q(("value__isnull", False), models.Q(("value", ""), _negated=True)),
models.Q(
("scoring_elements__isnull", False),
models.Q(("scoring_elements", ""), _negated=True),
),
_connector="OR",
),
name="scoring_elements_or_value_must_be_set",
),
),
]
17 changes: 14 additions & 3 deletions vulnerabilities/models.py
Expand Up @@ -2573,7 +2573,8 @@ class AdvisorySeverity(models.Model):
),
)

value = models.CharField(max_length=50, help_text="Example: 9.0, Important, High")
# A severity value might be missing and it may just contain scoring_elements only
value = models.CharField(max_length=50, help_text="Example: 9.0, Important, High", null=True)

scoring_elements = models.CharField(
max_length=150,
Expand All @@ -2591,6 +2592,16 @@ class AdvisorySeverity(models.Model):
class Meta:
verbose_name_plural = "Advisory severities"
ordering = ["url", "scoring_system", "value"]
unique_together = ("url", "scoring_system", "value", "scoring_elements", "published_at")
constraints = [
models.CheckConstraint(
check=(
Q(value__isnull=False) & ~Q(value="")
| Q(scoring_elements__isnull=False) & ~Q(scoring_elements="")
),
name="scoring_elements_or_value_must_be_set",
)
]

def to_dict(self):
return {
Expand All @@ -2612,7 +2623,7 @@ class AdvisoryWeakness(models.Model):
A weakness is a software weakness that is associated with a vulnerability.
"""

cwe_id = models.IntegerField(help_text="CWE id")
cwe_id = models.IntegerField(help_text="CWE id", unique=True)

cwe_by_id = {}

Expand Down Expand Up @@ -2659,7 +2670,6 @@ class AdvisoryReference(models.Model):
url = models.URLField(
max_length=1024,
help_text="URL to the vulnerability reference",
unique=True,
)

ADVISORY = "advisory"
Expand Down Expand Up @@ -2689,6 +2699,7 @@ class AdvisoryReference(models.Model):

class Meta:
ordering = ["reference_id", "url", "reference_type"]
unique_together = ("url", "reference_type")

def __str__(self):
reference_id = f" {self.reference_id}" if self.reference_id else ""
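Review bot: `unique_together = ("url", "scoring_system", "value", "scoring_elements", "published_at")` on AdvisorySeverity now includes columns that can be NULL (`value` gets `null=True`, and `published_at` is passed as None by the pipe), and SQL unique indexes treat NULLs as distinct, so duplicates of exactly the vector-only rows this PR introduces are not rejected by the database; with Django 4.2 (per the migration header) `UniqueConstraint(nulls_distinct=False)` is not available. Either keep `value` non-null with `blank=True, default=""` and let the new check constraint handle the empty case, or document that deduplication is enforced only by `get_or_create` in `pipes/advisory.py`, e.g. `# NOTE: NULLs are distinct under unique_together; dedup relies on the importer pipe`. The class bodies and the Meta blocks continue outside the hunks.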
28 changes: 28 additions & 0 deletions vulnerabilities/pipelines/v2_importers/gitlab_importer.py
Expand Up @@ -25,7 +25,9 @@
from vulnerabilities.importer import AdvisoryData
from vulnerabilities.importer import AffectedPackageV2
from vulnerabilities.importer import ReferenceV2
from vulnerabilities.importer import VulnerabilitySeverity
from vulnerabilities.pipelines import VulnerableCodeBaseImporterPipelineV2
from vulnerabilities.severity_systems import SCORING_SYSTEMS
from vulnerabilities.utils import build_description
from vulnerabilities.utils import get_advisory_url
from vulnerabilities.utils import get_cwe_id
Expand Down Expand Up @@ -291,6 +293,31 @@ def parse_gitlab_advisory(
fixed_version_range=fixed_version_range,
)

cvss_v2 = gitlab_advisory.get("cvss_v2")
cvss_v3 = gitlab_advisory.get("cvss_v3")
severities = []
if cvss_v2:
severities.append(
VulnerabilitySeverity(
system=SCORING_SYSTEMS["cvssv2"],
scoring_elements=cvss_v2,
value=None,
url=advisory_url,
)
)
if cvss_v3:
scoring_system = SCORING_SYSTEMS["cvssv3"]
if cvss_v3.startswith("CVSS:3.1/"):
scoring_system = SCORING_SYSTEMS["cvssv3.1"]
severities.append(
VulnerabilitySeverity(
system=scoring_system,
scoring_elements=cvss_v3,
value=None,
url=advisory_url,
)
)

return AdvisoryData(
advisory_id=advisory_id,
aliases=aliases,
Expand All @@ -299,6 +326,7 @@ def parse_gitlab_advisory(
date_published=date_published,
affected_packages=[affected_package],
weaknesses=cwe_list,
severities=severities,
url=advisory_url,
original_advisory_text=json.dumps(gitlab_advisory, indent=2, ensure_ascii=False),
)
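Review bot: The new severities persist the raw GitLab vector strings without validation: a `cvss_v3` value that is not a `str` raises on `.startswith`, and a malformed `cvss_v2`/`cvss_v3` is stored as `scoring_elements` for the Severity-details template to fail on later. Guard with `isinstance(cvss_v3, str)` and parse the vector through the project's CVSS parser before appending, logging and dropping anything unparsable here rather than at render time. Because `value=None`, the new `if not vul_score: continue` in risk.py means these rows contribute nothing to the weighted severity; if the cvss library is already a dependency (the template's `vector.vectorString` suggests it is), the base score could presumably be filled in from the vector. `parse_gitlab_advisory` starts before the hunk.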
2 changes: 2 additions & 0 deletions vulnerabilities/pipelines/v2_importers/npm_importer.py
Expand Up @@ -88,6 +88,7 @@ def to_advisory_data(self, file: Path) -> Iterable[AdvisoryData]:
severities.append(
VulnerabilitySeverity(
system=CVSSV3,
scoring_elements=cvss_vector,
value=cvss_score,
url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json",
)
Expand All @@ -97,6 +98,7 @@ def to_advisory_data(self, file: Path) -> Iterable[AdvisoryData]:
VulnerabilitySeverity(
system=CVSSV2,
value=cvss_score,
scoring_elements=cvss_vector,
url=f"https://github.com/nodejs/security-wg/blob/main/vuln/npm/{id}.json",
)
)
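Review bot: Both the CVSSV3 and the CVSSV2 branches attach the same `cvss_vector` as `scoring_elements`; if that is a single per-advisory field (its assignment, like the rest of `to_advisory_data`, lies outside the hunk), a v3 vector can end up on the CVSSV2 row or vice versa, and the new Severity-details tab keys its rendering on the vector's version. Guard each branch by prefix, e.g. `scoring_elements=cvss_vector if cvss_vector and cvss_vector.startswith("CVSS:3") else None` for the v3 branch and the inverse for v2, so a vector is only stored under the system it belongs to.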
5 changes: 2 additions & 3 deletions vulnerabilities/pipelines/v2_improvers/collect_ssvc_trees.py
Expand Up @@ -16,7 +16,6 @@
from vulnerabilities.models import AdvisorySeverity
from vulnerabilities.models import AdvisoryV2
from vulnerabilities.pipelines import VulnerableCodePipeline
from vulnerabilities.pipelines.v2_importers.vulnrichment_importer import VulnrichImporterPipeline
from vulnerabilities.severity_systems import SCORING_SYSTEMS

logger = logging.getLogger(__name__)
Expand All @@ -38,7 +37,6 @@ def steps(cls):
def collect_ssvc_data(self):
vulnrichment_advisories = (
AdvisoryV2.objects.filter(
datasource_id=VulnrichImporterPipeline.pipeline_id,
severities__scoring_system=SCORING_SYSTEMS["ssvc"],
)
.distinct()
Expand All @@ -59,6 +57,7 @@ def collect_ssvc_data(self):
self.log(f"Processing advisory: {advisory.advisory_id}")
for severity in advisory.severities.all():
ssvc_vector = severity.scoring_elements
self.log(f"SSVC Vector found: {ssvc_vector}")
try:
ssvc_tree, decision = convert_vector_to_tree_and_decision(ssvc_vector)
self.log(
Expand All @@ -78,7 +77,7 @@ def collect_ssvc_data(self):
).distinct()
related_advisories = related_advisories.exclude(id=advisory.id)
ssvc_obj.related_advisories.set(related_advisories)
except ValueError as e:
except Exception as e:
logger.error(
f"Failed to parse SSVC vector '{ssvc_vector}' for advisory '{advisory}': {e}"
)
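Review bot: Widening `except ValueError` to `except Exception` at the bottom of the loop now reports programming and database errors (AttributeError, IntegrityError) as "Failed to parse SSVC vector" and `logger.error(f"...")` discards the traceback; use `logger.exception(...)` so the stack is kept, or keep a narrow tuple such as `except (ValueError, KeyError, TypeError) as e:` if the goal was only to survive malformed vectors. With the new check constraint a severity row may carry only `value`, so `ssvc_vector` can be None here; add `if not ssvc_vector: continue` before the `try` instead of relying on the broad catch. Removing the `datasource_id` filter means every advisory with an SSVC severity is now processed regardless of source, which deserves a one-line comment at the queryset. `collect_ssvc_data` continues past the hunk.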
21 changes: 11 additions & 10 deletions vulnerabilities/pipes/advisory.py
Expand Up @@ -85,16 +85,17 @@ def get_or_create_advisory_severities(severities: List) -> QuerySet:
severity_objs = []
for severity in severities:
published_at = str(severity.published_at) if severity.published_at else None
sev, _ = AdvisorySeverity.objects.get_or_create(
scoring_system=severity.system.identifier,
value=severity.value,
scoring_elements=severity.scoring_elements,
defaults={
"published_at": published_at,
},
url=severity.url,
)
severity_objs.append(sev)
if severity.scoring_elements or severity.value:
sev, _ = AdvisorySeverity.objects.get_or_create(
scoring_system=severity.system.identifier,
value=severity.value,
scoring_elements=severity.scoring_elements,
defaults={
"published_at": published_at,
},
url=severity.url,
)
severity_objs.append(sev)
return AdvisorySeverity.objects.filter(id__in=[severity.id for severity in severity_objs])


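Review bot: The `get_or_create` lookup keys are not normalized, so the same severity arriving once with `value=""` and once with `value=None` (both permitted by the new check constraint when `scoring_elements` is set) creates two rows, and the database-level unique_together cannot catch it because NULLs compare distinct. Normalize before the lookup with `value=severity.value or None` (and likewise for `scoring_elements` if that column is nullable; its definition is not in view). The new `if` also drops a severity with neither field silently; a `logger.warning` naming `severity.url` and `severity.system.identifier` would make the data loss visible. `get_or_create_advisory_severities` starts before the hunk.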
2 changes: 2 additions & 0 deletions vulnerabilities/risk.py
Expand Up @@ -43,6 +43,8 @@ def get_weighted_severity(severities):
weight = WEIGHT_CONFIG.get(severity_source, DEFAULT_WEIGHT)
max_weight = float(weight) / 10
vul_score = severity.value
if not vul_score:
continue
try:
vul_score = float(vul_score)
vul_score_value = vul_score * max_weight
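Review bot: `if not vul_score: continue` quietly excludes every severity that carries only a vector (`value=None`), which after this PR includes all GitLab CVSS entries, so those sources no longer influence the weighted severity at all. A comment stating that intent, e.g. `# vector-only severities (value is None) are skipped; the score is not derived from scoring_elements here`, keeps the next reader from assuming the vector is used. The enclosing `get_weighted_severity` starts and ends outside the hunk, so whether the existing `except` already tolerated `float(None)` cannot be confirmed from here.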
104 changes: 104 additions & 0 deletions vulnerabilities/templates/advisory_detail.html
Expand Up @@ -63,6 +63,14 @@
</a>
</li>

<li data-tab="severities-vectors">
<a>
<span>
Severity details ({{ severity_vectors|length }})
</span>
</a>
</li>

{% if ssvcs %}
<li data-tab="ssvcs">
<a>
Expand Down Expand Up @@ -450,6 +458,102 @@
{% endif %}
</div>

<div class="tab-div content" data-content="severities-vectors">
{% for severity_vector in severity_vectors %}
{% if severity_vector.vector.version == '2.0' %}
Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
<tr>
<th>Exploitability (E)</th>
<th>Access Vector (AV)</th>
<th>Access Complexity (AC)</th>
<th>Authentication (Au)</th>
<th>Confidentiality Impact (C)</th>
<th>Integrity Impact (I)</th>
<th>Availability Impact (A)</th>
</tr>
<tr>
<td>{{ severity_vector.vector.exploitability|cvss_printer:"high,functional,unproven,proof_of_concept,not_defined" }}</td>
<td>{{ severity_vector.vector.accessVector|cvss_printer:"local,adjacent_network,network" }}</td>
<td>{{ severity_vector.vector.accessComplexity|cvss_printer:"high,medium,low" }}</td>
<td>{{ severity_vector.vector.authentication|cvss_printer:"multiple,single,none" }}</td>
<td>{{ severity_vector.vector.confidentialityImpact|cvss_printer:"none,partial,complete" }}</td>
<td>{{ severity_vector.vector.integrityImpact|cvss_printer:"none,partial,complete" }}</td>
<td>{{ severity_vector.vector.availabilityImpact|cvss_printer:"none,partial,complete" }}</td>
</tr>
</table>
{% elif severity_vector.vector.version == '3.1' or severity_vector.vector.version == '3.0'%}
Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
<tr>
<th>Attack Vector (AV)</th>
<th>Attack Complexity (AC)</th>
<th>Privileges Required (PR)</th>
<th>User Interaction (UI)</th>
<th>Scope (S)</th>
<th>Confidentiality Impact (C)</th>
<th>Integrity Impact (I)</th>
<th>Availability Impact (A)</th>
</tr>
<tr>
<td>{{ severity_vector.vector.attackVector|cvss_printer:"network,adjacent_network,local,physical"}}</td>
<td>{{ severity_vector.vector.attackComplexity|cvss_printer:"low,high" }}</td>
<td>{{ severity_vector.vector.privilegesRequired|cvss_printer:"none,low,high" }}</td>
<td>{{ severity_vector.vector.userInteraction|cvss_printer:"none,required"}}</td>
<td>{{ severity_vector.vector.scope|cvss_printer:"unchanged,changed" }}</td>
<td>{{ severity_vector.vector.confidentialityImpact|cvss_printer:"high,low,none" }}</td>
<td>{{ severity_vector.vector.integrityImpact|cvss_printer:"high,low,none" }}</td>
<td>{{ severity_vector.vector.availabilityImpact|cvss_printer:"high,low,none" }}</td>
</tr>
</table>
{% elif severity_vector.vector.version == '4' %}
Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
<tr>
<th>Attack Vector (AV)</th>
<th>Attack Complexity (AC)</th>
<th>Attack Requirements (AT)</th>
<th>Privileges Required (PR)</th>
<th>User Interaction (UI)</th>

<th>Vulnerable System Impact Confidentiality (VC)</th>
<th>Vulnerable System Impact Integrity (VI)</th>
<th>Vulnerable System Impact Availability (VA)</th>

<th>Subsequent System Impact Confidentiality (SC)</th>
<th>Subsequent System Impact Integrity (SI)</th>
<th>Subsequent System Impact Availability (SA)</th>
</tr>
<tr>
<td>{{ severity_vector.vector.attackVector|cvss_printer:"network,adjacent,local,physical"}}</td>
<td>{{ severity_vector.vector.attackComplexity|cvss_printer:"low,high" }}</td>
<td>{{ severity_vector.vector.attackRequirement|cvss_printer:"none,present" }}</td>
<td>{{ severity_vector.vector.privilegesRequired|cvss_printer:"none,low,high" }}</td>
<td>{{ severity_vector.vector.userInteraction|cvss_printer:"none,passive,active"}}</td>

<td>{{ severity_vector.vector.vulnerableSystemImpactConfidentiality|cvss_printer:"high,low,none" }}</td>
<td>{{ severity_vector.vector.vulnerableSystemImpactIntegrity|cvss_printer:"high,low,none" }}</td>
<td>{{ severity_vector.vector.vulnerableSystemImpactAvailability|cvss_printer:"high,low,none" }}</td>

<td>{{ severity_vector.vector.subsequentSystemImpactConfidentiality|cvss_printer:"high,low,none" }}</td>
<td>{{ severity_vector.vector.subsequentSystemImpactIntegrity|cvss_printer:"high,low,none" }}</td>
<td>{{ severity_vector.vector.subsequentSystemImpactAvailability|cvss_printer:"high,low,none" }}</td>
</tr>
</table>
{% elif severity_vector.vector.version == 'ssvc' %}
<hr/>
Vector: {{ severity_vector.vector.vectorString }} Found at <a href="{{ severity_vector.origin }}" target="_blank">{{ severity_vector.origin }}</a>
<hr/>
{% endif %}
{% empty %}
<tr>
<td>
There are no known vectors.
</td>
</tr>
{% endfor %}
</div>

<div class="tab-div content" data-content="ssvcs">
{% if ssvcs %}
{% for ssvc in ssvcs %}
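Review bot: The four `target="_blank"` anchors in the new Severity details tab link to `severity_vector.origin` without `rel="noopener noreferrer"`, letting an attacker-controlled reference page reach `window.opener`; since the origin is an importer-supplied URL, add `rel="noopener noreferrer"` to each. Django autoescaping neutralizes quotes in the attribute but not a `javascript:` scheme, so unless URL validation is enforced on save (get_or_create does not run field validators) the href should only be emitted for http(s) values. The `{% empty %}` fallback also emits `<tr><td>` with no enclosing `<table>`, which renders as stray text; replace it with `<p>There are no known vectors.</p>`.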