diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 1b65ece9..65036a82 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -53,6 +53,11 @@ Release notes new `data` dict. https://github.com/aboutcode-org/dejacode/issues/202 +- Add the `vulnerabilities_risk_threshold` field to the Product and + DataspaceConfiguration models. + This threshold helps prioritize and control the level of attention to vulnerabilities. + https://github.com/aboutcode-org/dejacode/issues/97 + ### Version 5.2.1 - Fix the models documentation navigation. diff --git a/dje/admin.py b/dje/admin.py index 7b5dcefc..ef7ae47c 100644 --- a/dje/admin.py +++ b/dje/admin.py @@ -1077,6 +1077,7 @@ class DataspaceConfigurationInline(DataspacedFKMixin, admin.StackedInline): "scancodeio_api_key", "vulnerablecode_url", "vulnerablecode_api_key", + "vulnerabilities_risk_threshold", "purldb_url", "purldb_api_key", ] diff --git a/dje/migrations/0005_dataspaceconfiguration_vulnerabilities_risk_threshold.py b/dje/migrations/0005_dataspaceconfiguration_vulnerabilities_risk_threshold.py new file mode 100644 index 00000000..84d78a91 --- /dev/null +++ b/dje/migrations/0005_dataspaceconfiguration_vulnerabilities_risk_threshold.py @@ -0,0 +1,18 @@ +# Generated by Django 5.0.9 on 2024-12-13 08:05 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('dje', '0004_dataspace_vulnerabilities_updated_at'), + ] + + operations = [ + migrations.AddField( + model_name='dataspaceconfiguration', + name='vulnerabilities_risk_threshold', + field=models.DecimalField(blank=True, decimal_places=1, help_text='Enter a risk value between 0.0 and 10.0. This threshold helps prioritize and control the level of attention to vulnerabilities.', max_digits=3, null=True), + ), + ] diff --git a/dje/models.py b/dje/models.py index ff997166..45ad43bc 100644 --- a/dje/models.py +++ b/dje/models.py @@ -391,6 +391,19 @@ def get_configuration(self, field_name=None): return getattr(configuration, field_name, None) return configuration + def set_configuration(self, field_name, value): + """ + Set the `value` for `field_name` on the DataspaceConfiguration linked + with this Dataspace instance. + """ + try: + configuration = self.configuration + except ObjectDoesNotExist: + configuration = DataspaceConfiguration(dataspace=self) + + setattr(configuration, field_name, value) + configuration.save() + @property def has_configuration(self): """Return True if an associated DataspaceConfiguration instance exists.""" @@ -473,6 +486,17 @@ class DataspaceConfiguration(models.Model): ), ) + vulnerabilities_risk_threshold = models.DecimalField( + null=True, + blank=True, + max_digits=3, + decimal_places=1, + help_text=_( + "Enter a risk value between 0.0 and 10.0. This threshold helps prioritize " + "and control the level of attention to vulnerabilities." + ), + ) + purldb_url = models.URLField( _("PurlDB URL"), max_length=1024, diff --git a/dje/templates/object_details_base.html b/dje/templates/object_details_base.html index 15d37841..2510698d 100644 --- a/dje/templates/object_details_base.html +++ b/dje/templates/object_details_base.html @@ -91,7 +91,7 @@

-
+
{% for tab_name, tab_context in tabsets.items %} {# IDs are prefixed with "tab_" to avoid autoscroll issue #}
diff --git a/dje/templates/tabs/pagination.html b/dje/templates/tabs/pagination.html index eb0dcc39..7003e8dd 100644 --- a/dje/templates/tabs/pagination.html +++ b/dje/templates/tabs/pagination.html @@ -1,6 +1,6 @@ {% load humanize %}
-
+
  • diff --git a/dje/tests/test_models.py b/dje/tests/test_models.py index a8950e57..3d74ce77 100644 --- a/dje/tests/test_models.py +++ b/dje/tests/test_models.py @@ -212,6 +212,11 @@ def test_dataspace_get_configuration(self): self.assertIsNone(self.dataspace.get_configuration("non_available_field")) + def test_dataspace_set_configuration(self): + self.dataspace.set_configuration("vulnerabilities_risk_threshold", 5.0) + self.dataspace.refresh_from_db() + self.assertEqual(5.0, self.dataspace.get_configuration("vulnerabilities_risk_threshold")) + def test_dataspace_has_configuration(self): self.assertFalse(self.dataspace.has_configuration) DataspaceConfiguration.objects.create(dataspace=self.dataspace) diff --git a/dje/tests/testfiles/test_dataset_pp_only.json b/dje/tests/testfiles/test_dataset_pp_only.json index 3c88ae44..9bcdb664 100644 --- a/dje/tests/testfiles/test_dataset_pp_only.json +++ b/dje/tests/testfiles/test_dataset_pp_only.json @@ -26,12 +26,12 @@ "vcs_url": "", "code_view_url": "", "bug_tracking_url": "", + "md5": "", + "sha1": "", "sha256": "", "sha512": "", "filename": "systemu-2.5.2.gem", "download_url": "https://s3.amazonaws.com/production.s3.rubygems.org/gems/systemu-2.5.2.gem", - "sha1": "", - "md5": "", "size": null, "release_date": null, "primary_language": "", @@ -98,7 +98,8 @@ "nexB", "addd9c5d-a5ec-48ec-a565-ddb81092f49d" ], - "contact": "" + "contact": "", + "vulnerabilities_risk_threshold": null } }, { diff --git a/product_portfolio/admin.py b/product_portfolio/admin.py index d2af4723..5fcb2c6a 100644 --- a/product_portfolio/admin.py +++ b/product_portfolio/admin.py @@ -362,6 +362,7 @@ class ProductAdmin( "is_active", "configuration_status", "contact", + "vulnerabilities_risk_threshold", "get_feature_datalist", ) }, diff --git a/product_portfolio/api.py b/product_portfolio/api.py index e8bc8b92..2610eb2f 100644 --- a/product_portfolio/api.py +++ b/product_portfolio/api.py @@ -137,6 +137,7 @@ class Meta: "primary_language", "admin_notes", "notice_text", + "vulnerabilities_risk_threshold", "created_date", "last_modified_date", ) diff --git a/product_portfolio/forms.py b/product_portfolio/forms.py index cc356f97..d634cd2d 100644 --- a/product_portfolio/forms.py +++ b/product_portfolio/forms.py @@ -122,6 +122,7 @@ class Meta: "configuration_status", "contact", "keywords", + "vulnerabilities_risk_threshold", ] field_classes = { "owner": OwnerChoiceField, @@ -170,6 +171,8 @@ def helper(self): HTML("
    "), Group("is_active", "configuration_status", "release_date"), HTML("
    "), + Group("vulnerabilities_risk_threshold", HTML(""), HTML("")), + HTML("
    "), Submit("submit", self.submit_label, css_class="btn-success"), self.save_as_new_submit, ), diff --git a/product_portfolio/migrations/0009_product_vulnerabilities_risk_threshold.py b/product_portfolio/migrations/0009_product_vulnerabilities_risk_threshold.py new file mode 100644 index 00000000..36658062 --- /dev/null +++ b/product_portfolio/migrations/0009_product_vulnerabilities_risk_threshold.py @@ -0,0 +1,18 @@ +# Generated by Django 5.0.9 on 2024-12-13 13:01 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('product_portfolio', '0008_productdependency_is_resolved_to_is_pinned'), + ] + + operations = [ + migrations.AddField( + model_name='product', + name='vulnerabilities_risk_threshold', + field=models.DecimalField(blank=True, decimal_places=1, help_text='Enter a risk value between 0.0 and 10.0. This threshold helps prioritize and control the level of attention to vulnerabilities.', max_digits=3, null=True), + ), + ] diff --git a/product_portfolio/models.py b/product_portfolio/models.py index ea255b06..17bc02a9 100644 --- a/product_portfolio/models.py +++ b/product_portfolio/models.py @@ -230,6 +230,17 @@ class Product(BaseProductMixin, FieldChangesMixin, KeywordsMixin, DataspacedMode ), ) + vulnerabilities_risk_threshold = models.DecimalField( + null=True, + blank=True, + max_digits=3, + decimal_places=1, + help_text=_( + "Enter a risk value between 0.0 and 10.0. This threshold helps prioritize " + "and control the level of attention to vulnerabilities." + ), + ) + licenses = models.ManyToManyField( to="license_library.License", through="ProductAssignedLicense", @@ -338,6 +349,16 @@ def all_packages(self): def vulnerability_count(self): return self.get_vulnerability_qs().count() + def get_vulnerabilities_risk_threshold(self): + """ + Return the local vulnerabilities_risk_threshold value when defined on the + Product or look into the Dataspace configuration. + """ + risk_threshold = self.vulnerabilities_risk_threshold + if not risk_threshold: + risk_threshold = self.dataspace.get_configuration("vulnerabilities_risk_threshold") + return risk_threshold + def get_merged_descendant_ids(self): """ Return a list of Component ids collected on the Product descendants: @@ -527,7 +548,7 @@ def fetch_vulnerabilities(self): """Fetch and update the vulnerabilties of all the Package of this Product.""" return fetch_for_packages(self.all_packages, self.dataspace) - def get_vulnerability_qs(self, prefetch_related_packages=False): + def get_vulnerability_qs(self, prefetch_related_packages=False, risk_threshold=None): """Return a QuerySet of all Vulnerability instances related to this product""" from vulnerabilities.models import Vulnerability from vulnerabilities.models import VulnerabilityAnalysis @@ -536,6 +557,9 @@ def get_vulnerability_qs(self, prefetch_related_packages=False): affected_packages__in=self.packages.all() ).distinct() + if risk_threshold: + vulnerability_qs = vulnerability_qs.filter(risk_score__gte=risk_threshold) + if prefetch_related_packages: package_qs = Package.objects.filter(product=self).only_rendering_fields() analysis_qs = VulnerabilityAnalysis.objects.filter(product=self).select_related( diff --git a/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html b/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html index 585b79c4..b3c89588 100644 --- a/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html +++ b/product_portfolio/templates/product_portfolio/tabs/tab_vulnerabilities.html @@ -2,6 +2,14 @@ {% load as_icon from dje_tags %} {% include 'tabs/pagination.html' %} + +{% if risk_threshold %} + + A risk threshold filter at "{{ risk_threshold }}" is currently applied. + Click here to see all vulnerabilities. + +{% endif %} + {% include 'includes/object_list_table_header.html' with filter=filterset include_actions=True %} @@ -76,7 +84,7 @@
    {% if package.vulnerability_analysis.is_reachable %} - + {% elif package.vulnerability_analysis.is_reachable is False %} {% endif %} diff --git a/product_portfolio/tests/test_models.py b/product_portfolio/tests/test_models.py index c6e7b247..30362be1 100644 --- a/product_portfolio/tests/test_models.py +++ b/product_portfolio/tests/test_models.py @@ -508,8 +508,12 @@ def test_product_model_improve_packages_from_purldb(self, mock_update_from_purld def test_product_model_get_vulnerability_qs(self): package1 = make_package(self.dataspace) package2 = make_package(self.dataspace) - vulnerability1 = make_vulnerability(self.dataspace, affecting=[package1, package2]) - vulnerability2 = make_vulnerability(self.dataspace, affecting=[package1, package2]) + vulnerability1 = make_vulnerability( + self.dataspace, affecting=[package1, package2], risk_score=10.0 + ) + vulnerability2 = make_vulnerability( + self.dataspace, affecting=[package1, package2], risk_score=1.0 + ) make_product_package(self.product1, package=package1) make_product_package(self.product1, package=package2) @@ -519,6 +523,12 @@ def test_product_model_get_vulnerability_qs(self): self.assertIn(vulnerability1, queryset) self.assertIn(vulnerability2, queryset) + queryset = self.product1.get_vulnerability_qs(risk_threshold=5.0) + # Makeing sure the distinct() is properly applied + self.assertEqual(1, len(queryset)) + self.assertIn(vulnerability1, queryset) + self.assertNotIn(vulnerability2, queryset) + def test_product_model_vulnerability_count_property(self): self.assertEqual(0, self.product1.vulnerability_count) @@ -534,6 +544,15 @@ def test_product_model_vulnerability_count_property(self): self.product1 = Product.unsecured_objects.get(pk=self.product1.pk) self.assertEqual(2, self.product1.vulnerability_count) + def test_product_model_get_vulnerabilities_risk_threshold(self): + self.assertIsNone(self.product1.get_vulnerabilities_risk_threshold()) + + self.product1.dataspace.set_configuration("vulnerabilities_risk_threshold", 5.0) + self.assertEqual(5.0, self.product1.get_vulnerabilities_risk_threshold()) + + self.product1.update(vulnerabilities_risk_threshold=10.0) + self.assertEqual(10.0, self.product1.get_vulnerabilities_risk_threshold()) + def test_productcomponent_model_license_expression_handle_assigned_licenses(self): p1 = ProductComponent.objects.create( product=self.product1, name="p1", dataspace=self.dataspace diff --git a/product_portfolio/tests/test_views.py b/product_portfolio/tests/test_views.py index 7d136da2..822025a1 100644 --- a/product_portfolio/tests/test_views.py +++ b/product_portfolio/tests/test_views.py @@ -353,9 +353,32 @@ def test_product_portfolio_tab_vulnerability_view_queries(self): make_vulnerability_analysis(product_package2, vulnerability2) url = product1.get_url("tab_vulnerabilities") - with self.assertNumQueries(9): + with self.assertNumQueries(10): self.client.get(url) + def test_product_portfolio_tab_vulnerability_risk_threshold(self): + self.client.login(username="nexb_user", password="secret") + + p1 = make_package(self.dataspace) + vulnerability1 = make_vulnerability(self.dataspace, affecting=[p1], risk_score=1.0) + vulnerability2 = make_vulnerability(self.dataspace, affecting=[p1], risk_score=5.0) + product1 = make_product(self.dataspace) + make_product_package(product1, package=p1) + url = product1.get_url("tab_vulnerabilities") + + response = self.client.get(url) + self.assertContains(response, vulnerability1.vcid) + self.assertContains(response, vulnerability2.vcid) + self.assertContains(response, "2 results") + self.assertNotContains(response, "A risk threshold filter at") + + product1.update(vulnerabilities_risk_threshold=3.0) + response = self.client.get(url) + self.assertNotContains(response, vulnerability1.vcid) + self.assertContains(response, vulnerability2.vcid) + self.assertContains(response, "1 results") + self.assertContains(response, 'A risk threshold filter at "3.0" is currently applied.') + def test_product_portfolio_tab_vulnerability_view_analysis_rendering(self): self.client.login(username="nexb_user", password="secret") # Each have a unique vulnerability, and p1 p2 are sharing a common one. diff --git a/product_portfolio/views.py b/product_portfolio/views.py index 10437edd..3c5ea1d7 100644 --- a/product_portfolio/views.py +++ b/product_portfolio/views.py @@ -391,6 +391,7 @@ def tab_essentials(self): TabField("primary_language"), TabField("release_date"), TabField("contact"), + TabField("vulnerabilities_risk_threshold", condition=bool), TabField("vcs_url", value_func=urlize_target_blank), TabField("code_view_url", value_func=urlize_target_blank), TabField("bug_tracking_url", value_func=urlize_target_blank), @@ -531,8 +532,9 @@ def tab_dependencies(self): } def tab_vulnerabilities(self): - dataspace = self.object.dataspace - vulnerablecode = VulnerableCode(self.object.dataspace) + product = self.object + dataspace = product.dataspace + vulnerablecode = VulnerableCode(dataspace) display_tab_contions = [ dataspace.enable_vulnerablecodedb_access, vulnerablecode.is_configured(), @@ -540,7 +542,12 @@ def tab_vulnerabilities(self): if not all(display_tab_contions): return - vulnerability_count = self.object.vulnerability_count + if self.request.GET.get("vulnerabilities-bypass_risk_threshold"): + risk_threshold = None + else: + risk_threshold = product.get_vulnerabilities_risk_threshold() + + vulnerability_count = product.get_vulnerability_qs(risk_threshold=risk_threshold).count() if not vulnerability_count: label = 'Vulnerabilities 0' return { @@ -555,7 +562,7 @@ def tab_vulnerabilities(self): ) # Pass the current request query context to the async request - tab_view_url = self.object.get_url("tab_vulnerabilities") + tab_view_url = product.get_url("tab_vulnerabilities") if full_query_string := self.request.META["QUERY_STRING"]: tab_view_url += f"?{full_query_string}" @@ -1151,9 +1158,17 @@ class ProductTabVulnerabilitiesView( def get_context_data(self, **kwargs): product = self.object - total_count = product.get_vulnerability_qs().count() + + if self.request.GET.get("vulnerabilities-bypass_risk_threshold"): + risk_threshold = None + else: + risk_threshold = product.get_vulnerabilities_risk_threshold() + + total_count = product.get_vulnerability_qs(risk_threshold=risk_threshold).count() vulnerability_qs = ( - product.get_vulnerability_qs(prefetch_related_packages=True) + product.get_vulnerability_qs( + prefetch_related_packages=True, risk_threshold=risk_threshold + ) .annotate(affected_packages_count=Count("affected_packages")) .order_by_risk() ) @@ -1189,6 +1204,7 @@ def get_context_data(self, **kwargs): "page_obj": page_obj, "total_count": total_count, "search_query": self.request.GET.get("vulnerabilities-q", ""), + "risk_threshold": risk_threshold, } )