fix: modernize cvss score loading #4373

Merged
merged 4 commits into from
Aug 29, 2024


@terriko terriko commented Aug 21, 2024

Turns out our cvss score loading code was out of date and thus wasn't loading scores correctly and was throwing off a lot of log messages.

* fixes intel#4370

Turns out our cvss score loading code was out of date and thus wasn't
loading scores correctly and was throwing off a lot of log messages.

Signed-off-by: Terri Oda <terri.oda@intel.com>
Signed-off-by: Terri Oda <terri.oda@intel.com>

terriko commented Aug 27, 2024

Added some basic input validation on score/severity. The CVSS parsing library we're using will handle some input validation, but I'm doing some research to do some basic character filtering here before I declare this done.

Signed-off-by: Terri Oda <terri@toybox.ca>

terriko commented Aug 28, 2024

Character filtering done! I think this is ready for review.


@anthonyharrison anthonyharrison left a comment

Change use of isdecimal() to validate basescore as basescore is a float.


terriko commented Aug 28, 2024

@anthonyharrison I have done some more research and it turns out other than [0-9.] the other way to check if a string is a float in Python is to just cast it to float() and see what happens. I'm amused.

@terriko terriko dismissed anthonyharrison’s stale review August 29, 2024 21:45

score validation fixed as recommended.

@terriko terriko merged commit 95714d8 into intel:main Aug 29, 2024
21 checks passed
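
The score-validation point raised in this thread, as an added example that is not code from this pull request or from the project: it compares `isdecimal()`, a bare `float()` cast, and a `[0-9.]` character filter combined with `float()` and a range check on constructed inputs. The function names, the 0.0 to 10.0 bound and the severity allowlist are assumptions of this sketch.

```python
import math
import re

# Allowlist mirroring the "[0-9.]" character filter mentioned in the thread.
_SCORE_CHARS = re.compile(r"[0-9.]+")
# Assumed allowlist: the CVSS v3.x qualitative severity ratings.
_SEVERITIES = {"NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"}


def parse_base_score(raw):
    """Return raw as a float in [0.0, 10.0], or None if it is not a valid score."""
    # fullmatch rejects signs, exponents, underscores, whitespace and "nan"/"inf".
    if not isinstance(raw, str) or not _SCORE_CHARS.fullmatch(raw):
        return None
    try:
        score = float(raw)  # still needed: "1.2.3" and "." pass the filter
    except ValueError:
        return None
    # Defence in depth: reject non-finite and out-of-range values.
    if not math.isfinite(score) or not 0.0 <= score <= 10.0:
        return None
    return score


def parse_severity(raw):
    """Return the normalised severity label, or None if it is not allowlisted."""
    if not isinstance(raw, str):
        return None
    value = raw.strip().upper()
    return value if value in _SEVERITIES else None


def compare_checks(samples):
    """Map each sample to (isdecimal(), bare float() accepts it, parse_base_score())."""
    rows = {}
    for s in samples:
        try:
            float(s)
            bare_ok = True
        except ValueError:
            bare_ok = False
        rows[s] = (s.isdecimal(), bare_ok, parse_base_score(s))
    return rows


# Constructed sample inputs, not taken from any real feed.
SAMPLES = ["7.5", "10", "nan", "inf", "1e1", "1_0", " 9.8\n", "1.2.3", "11.0", "-1"]

if __name__ == "__main__":
    for sample, row in compare_checks(SAMPLES).items():
        print(repr(sample), row)
```

`isdecimal()` rejects every fractional score, while a bare `float()` cast accepts `nan`, `inf`, exponent notation, underscores and surrounding whitespace, which is why the sketch keeps both the character filter and the range check.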
Development

Successfully merging this pull request may close these issues.

fix: need cvss metrics parser update