-
Notifications
You must be signed in to change notification settings - Fork 201
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for CWE #782
Add support for CWE #782
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would need to be rebased... also you may want to remove the UI part to treat it separately as the UI has changed extensively!
Also could we also get the CWE from the NVD importer? or is this something for later?
Finally two other considerations:
- the CWE library maintainer has not much replied to data, so if we need this we would have to fok it
- is there something else beyond CWE that would be about a more general concept of categories?
ok, no problem I will change this, but what about editing all importers not just NVD, I think I could handle this in a separate pull request.
oops, yes we can fork it. it isn't a complicated library, all data come from this database, we need to make sure the database is updated so I think we should use this link
I don't know but the main three categories are
some External Mappings :
|
89ff4d0
to
24a919b
Compare
@ziadhany the cwe2 library is ready now: https://pypi.org/project/cwe2/ |
3b2c98c
to
550788f
Compare
<div class="tab-nested-div"> | ||
<table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border"> | ||
<tr> | ||
<th> CWE id </th> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Use plain CWE
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here are a few nitpickings for your review
vulnerabilities/importers/nvd.py
Outdated
""" | ||
weaknesses = [] | ||
for weaknesses in get_item(self.cve_item, "cve", "problemtype", "problemtype_data") or []: | ||
weaknesses_description = weaknesses.get("description") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
weaknesses_description = weaknesses.get("description") | |
weaknesses_description = weaknesses.get("description") or [] | |
vulnerabilities/importers/nvd.py
Outdated
for weaknesses in get_item(self.cve_item, "cve", "problemtype", "problemtype_data") or []: | ||
weaknesses_description = weaknesses.get("description") | ||
for weaknesses_value in weaknesses_description: | ||
cwe_id = get_cwe_id(weaknesses_value.get("value")) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would skip weaknesses_description if the lang is not "en"
vulnerabilities/improve_runner.py
Outdated
@@ -133,6 +134,10 @@ def process_inferences(inferences: List[Inference], advisory: Advisory, improver | |||
fix=True, | |||
).update_or_create() | |||
|
|||
if inference.weaknesses: | |||
for cwe_id in inference.weaknesses: | |||
Weakness.objects.update_or_create(cwe_id=cwe_id, vulnerabilities=vulnerability) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is vulnerabilities plural and receiving a single vulnerability?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think because we improve vulnerability one by one . Can you suggest any way to do this?
vulnerabilities/models.py
Outdated
@property | ||
def name(self): | ||
"""Return the weakness's name.""" | ||
db = Database() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be a class member instead
vulnerabilities/models.py
Outdated
@@ -249,6 +250,25 @@ def get_related_purls(self): | |||
return [p.package_url for p in self.packages.distinct().all()] | |||
|
|||
|
|||
class Weakness(models.Model): | |||
cwe_id = models.IntegerField() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We need a help text
52b1aeb
to
3ddaccf
Compare
@ziadhany Could you rebase or merge on the latest main branch? |
818945c
to
5080ea3
Compare
Remove the weaknesses table header Fix expected_files tests Fix all test cases Add CWE support for NVD importer Fix migration conflict Add Weakness model Fix requirements.txt , Fix migration conflict Add cwe name instead of Hyperlinks Add nexB/cwe package Fix test , remove empty lines Add CWE in the new UI Signed-off-by: ziadhany <[email protected]>
Signed-off-by: ziadhany <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
Reference: #651
Signed-off-by: Ziad [email protected]