CRAVEX: Vulnerability Lookup and base app

[pombredanne]

We should create a base Vulnerability application management in DejaCode with these features:

• CRAVEX: Create a scheduler for vulnerability lookups that will lookup in VCIO
• CRAVEX: Store vulnerability lookups in a set of database models.

Also these related VCIO issues:

• VCIO-next: API performance issues (vulnerabilities endpoint) vulnerablecode#1492
• VCIO-next: API performance issues (packages endpoints) vulnerablecode#1538

[DennisClark]

@pombredanne I would like to assign this one to Ziad but cannot see him on the Assignees list. Any suggestions please?

[DennisClark]

See https://github.com/nexB/vulnerablecode/blob/main/vulnerabilities/models.py and design the appropriate mapping to DejaCode.

[DennisClark]

A "scheduler" is a fairly new concept/feature for DejaCode. We need to determine if there is a usable Django library to facilitate creating such a feature. As a working start, let's consider a new section of the DejaCode admin Dashboard, right under the "Imports" section, called "Scheduler" (or similar), that has an initial option for "Refresh Vulnerabilities" (or similar) where the admin user can define the frequency and scope of the vulnerability refresh process to be run on an automatic basis.

Assumption: the basic scope of the vulnerability lookup is to find vulnerabilities associated with Packages and Components currently defined in the relevant DejaCode dataspace. This could be further refined to include only those that are assigned to a Product in that dataspace.

The scheduler should also include a task to update Components defined in the relevant dataspace with CPE values as those become available.

[DennisClark]

The proposed vulnerability model in DejaCode should be designed to support queries such as:

• a filter-enabled list of all the Versions of a Component Name currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
• a filter-enabled list of all the Versions of a Package currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
• a filter-enabled list of all the Versions of a Product currently defined in the relevant dataspace, showing which ones have known vulnerabilities.
• for a Vulnerability (using the same ID as VulnerableCode), provide a filter-enabled list of all packages or components in the relevant dataspace that are associated with it
• for a Vulnerability (using the same ID as VulnerableCode), provide a filter-enabled list of all products in the relevant dataspace that are impacted by it
• and others to be identified of course