Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for Calculating Risk in VulnerableCode #1593

Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open

Add support for Calculating Risk in VulnerableCode #1593

wants to merge 19 commits into from
+425 −0

Conversation

ziadhany
Copy link
Collaborator

@ziadhany ziadhany commented Sep 17, 2024
edited
Loading

issue: #1543

image

image

Screenshot from 2024-10-28 18-33-27

Screenshot from 2024-10-29 15-48-52

@ziadhany ziadhany marked this pull request as ready for review October 1, 2024 00:20
@TG1999 TG1999 added the 2-next label Oct 15, 2024
@DennisClark
Copy link
Member

it would be really great to see a review of this PR soon!

@ziadhany
Migrate ( metasploit, exploit-db, kev ) to aboutcode pipeline.
949c18c 
Set data_source as the header for the exploit table.
Squash the migration files into a single file.
Add test for exploit-db , metasploit
Add a missing migration file
Rename resources_and_notes to notes
Fix Api test
Refactor metasploit , exploitdb , kev improver
Rename Kev tab to exploit tab
Add support for exploitdb , metasploit, kev

Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Implement the appropriate LoopProgress progress bar.
0dbe640 
Refactor the error handling logic in the code.

Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Fix migration conflict
f5131b7 
Add pipeline_id for ( kev, metasploit, exploit-db )

Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Migrate ( metasploit, exploit-db, kev ) to aboutcode pipeline.
8394d1d 
Set data_source as the header for the exploit table.
Squash the migration files into a single file.
Add test for exploit-db , metasploit
Add a missing migration file
Rename resources_and_notes to notes
Fix Api test
Refactor metasploit , exploitdb , kev improver
Rename Kev tab to exploit tab
Add support for exploitdb , metasploit, kev

Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Implement the appropriate LoopProgress progress bar.
4b808d9 
Refactor the error handling logic in the code.

Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Remove unwanted migration file
6e67497 
Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Add support for Calculating Risk in VulnerableCode
2d9e585 
Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Remove unwanted migration file
22cdb76 
Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Add a prefetch to try to optimize query performance
8beb3b9 
Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Empty risk when there is no data
74a16ff 
Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Create a pipeline for package risk
8a637fc 
Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Load the weight once
848a5f5 
uncomment all importers

Signed-off-by: ziad hany <[email protected]>
@ziadhany ziadhany requested a review from TG1999 October 22, 2024 13:40
@TG1999
Copy link
Contributor

TG1999 commented Oct 28, 2024

@ziadhany this generally looks good to me, can we have some logs for the pipeline and some UI and API screenshots so we can merge it.

keshav-space
keshav-space requested changes Oct 28, 2024
View reviewed changes
Copy link
Member

@keshav-space keshav-space left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ziadhany, some nits for your consideration.
Also, please use LoopProgress while iterating over large records, as we do here

vulnerablecode/vulnerabilities/pipelines/enhance_with_exploitdb.py

Line 61 in 590c91a

progress = LoopProgress(total_iterations=fetched_exploit_count, logger=self.log)

vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/risk.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/risk.py Outdated Show resolved Hide resolved
vulnerabilities/models.py Outdated Show resolved Hide resolved
vulnerabilities/migrations/0074_package_risk.py Outdated Show resolved Hide resolved
vulnerabilities/risk.py Outdated Show resolved Hide resolved
@ziadhany
Update the risk description in the model. Rename the pipeline from Ri…
185eb0e 
…skPackagePipeline to ComputePackageRiskPipeline. Add a tooltip for risk, and remove any unused imports in the view.

Signed-off-by: ziad hany <[email protected]>
@ziadhany
Merge remote-tracking branch 'origin/risk' into risk
91c2c95
@ziadhany
Rename the pipeline step from add_risk_package to add_package_risk_sc…
45c62b5 
…ore and remove any extra whitespace in views.py.

Signed-off-by: ziad hany <[email protected]>
@ziadhany
Resolve migration conflict
0af9432 
Signed-off-by: ziad hany <[email protected]>
@ziadhany
Merge remote-tracking branch 'origin/main' into risk
d9fb46b
@ziadhany
Copy link
Collaborator Author

@TG1999 @keshav-space
Thank you for reviewing this PR. Here are the pipeline logs:

/home/ziad-hany/PycharmProjects/vulnerablecode/venv/bin/python /home/ziad-hany/PycharmProjects/vulnerablecode/manage.py improve localhost:8000 --all 
Improving data using compute_package_risk
INFO 2024-10-28 13:10:07.074 Pipeline [ComputePackageRiskPipeline] starting
INFO 2024-10-28 13:10:07.074 Step [add_risk_package] starting
INFO 2024-10-28 13:10:07.755 Calculating risk for 84,396 affected package records
INFO 2024-10-28 13:14:57.360 Progress: 10% (8440/84396) ETA: 2601 seconds (43.4 minutes)
INFO 2024-10-28 13:17:30.519 Progress: 20% (16880/84396) ETA: 1768 seconds (29.5 minutes)
INFO 2024-10-28 13:19:28.477 Progress: 30% (25319/84396) ETA: 1307 seconds (21.8 minutes)
INFO 2024-10-28 13:22:06.047 Progress: 40% (33759/84396) ETA: 1076 seconds (17.9 minutes)
INFO 2024-10-28 13:25:15.062 Progress: 50% (42198/84396) ETA: 907 seconds (15.1 minutes)
INFO 2024-10-28 13:30:57.706 Progress: 60% (50638/84396) ETA: 833 seconds (13.9 minutes)
INFO 2024-10-28 13:36:04.109 Progress: 70% (59078/84396) ETA: 667 seconds (11.1 minutes)
INFO 2024-10-28 13:39:06.350 Progress: 80% (67517/84396) ETA: 434 seconds (7.2 minutes)
INFO 2024-10-28 13:42:57.214 Progress: 90% (75957/84396) ETA: 219 seconds (3.6 minutes)
INFO 2024-10-28 13:48:50.555 Progress: 100% (84396/84396)
INFO 2024-10-28 13:48:50.694 Successfully added risk score for 84,396 package
INFO 2024-10-28 13:48:50.721 Step [add_risk_package] completed in 2324 seconds (38.7 minutes)
INFO 2024-10-28 13:48:50.721 Pipeline completed in 2324 seconds (38.7 minutes)

Process finished with exit code 0

@tdruez
Copy link
Contributor

tdruez commented Oct 29, 2024

@ziadhany @TG1999 Could we make a push on this one as this is a key addition for the VEX support in DejaCode.
Also, make sure it is available everywhere in the relevant API endpoint as we need to capture this data.

tdruez
tdruez requested changes Oct 29, 2024
View reviewed changes
vulnerabilities/models.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
keshav-space
keshav-space requested changes Oct 29, 2024
View reviewed changes
Copy link
Member

@keshav-space keshav-space left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ziadhany, see some suggestion.
Also, please rename the pipeline file from risk_package.py to compute_package_risk.py and the corresponding test file to test_compute_package_risk.py.

vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
vulnerabilities/pipelines/risk_package.py Outdated Show resolved Hide resolved
@ziadhany
Rename the pipeline file
0e114ac 
Add pagination and refactor bulk_update_package

Signed-off-by: ziad hany <[email protected]>
@ziadhany
Copy link
Collaborator Author

@tdruez @keshav-space, I've completed the requested changes and I hope we can move forward and merge this PR.

Additionally, please review the weight_config.json file to ensure an accurate view of the risk. The default weight is set to one and may need adjustment to reflect typical risk values if we plan to use it in Dejacode.

@pombredanne pombredanne assigned pombredanne and TG1999 and unassigned pombredanne Oct 31, 2024
@pombredanne pombredanne mentioned this pull request Oct 31, 2024
Open
keshav-space
keshav-space approved these changes Nov 5, 2024
View reviewed changes
Copy link
Member

@keshav-space keshav-space left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @ziadhany, looking good! I ran the pipeline locally and it worked alright.
Before we merge this, let's discuss the weight configuration in our community call today.
Also, we will need to revisit the risk computation once #1597 is resolved.

@DennisClark
Copy link
Member

DennisClark commented Nov 5, 2024
edited
Loading

note that @keshav-space is going to create a list of sources to expand the entries in weight-config.json and we'll take it from there. Please put suggested weights in the file. We probably also need a default.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@keshav-space keshav-space keshav-space approved these changes

@TG1999 TG1999 Awaiting requested review from TG1999

@tdruez tdruez Awaiting requested review from tdruez

Requested changes must be addressed to merge this pull request.

Assignees

@TG1999 TG1999

Labels
2-next
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@ziadhany @DennisClark @TG1999 @tdruez @keshav-space @pombredanne