Merge pull request #461 from RedHatProductSecurity/task/OSIDB-cvss-se…

…ction-extension

OSIDB-3546: CVSS Section extension

CHANGELOG.md

@@ -1,6 +1,9 @@
 # OSIM Changelog
 
 ## [Unreleased]
+### Added
+* Added new CVSS versions and issuers on flaw form (`OSIDB-3546`)
+
 ### Changed
 * Allow empty impact on flaw (`OSIDB-3596`)
 
@@ -19,6 +22,9 @@
 * Use UTC time for created date on flaw list (`OSIDB-3478`)
 * Automatically reset affect's delegated resolution when affectedness is set to not affected (`OSIDB-3533`)
 
+### Changed
+* Display NVD CVSS when it is available (`OSIDB-3546`)
+
 ## [2024.9.2]
 ### Added
 * Add query filter support on advance search (`OSIDB-3088`)

eslint.config.mjs

@@ -38,6 +38,7 @@ export default tseslint.config(
       '**/generated-client/**',
       '**/mock-server/**',
       '**/*.snap',
+      '**/coverage/**',
     ],
   },
   eslint.configs.recommended,

src/components/CvssCalculator.vue

@@ -115,7 +115,7 @@ function handlePaste(e: ClipboardEvent) {
     <div class="osim-input vector-row mb-2">
       <label class="label-group row">
         <span class="form-label col-3">
-          CVSSv3
+          RH CVSSv3
         </span>
         <div class="input-wrapper col">
           <div

src/components/CvssExplainForm.vue

@@ -4,11 +4,12 @@ import { computed, ref } from 'vue';
 import LabelCollapsible from '@/components/widgets/LabelCollapsible.vue';
 
 import type { ZodFlawType } from '@/types/zodFlaw';
+import { IssuerEnum } from '@/generated-client';
 
 const modelValue = defineModel<ZodFlawType>({ required: true });
 
 const rhCvss = computed(() => modelValue.value?.cvss_scores
-  .findIndex(cvss => cvss.issuer === 'RH'
+  .findIndex(cvss => cvss.issuer === IssuerEnum.Rh
   && cvss.cvss_version === 'V3'));
 
 const isExpanded = ref(false);

src/components/CvssNISTForm.vue

@@ -10,9 +10,9 @@ import { useUserStore } from '@/stores/UserStore';
 
 const props = defineProps<{
   bugzilla?: string;
-  cveid?: null | string;
+  cveId?: null | string;
   cvss?: string;
-  nistcvss?: string;
+  nistCvss?: string;
   summary?: null | string;
 }>();
 
@@ -21,20 +21,20 @@ const { closeModal, isModalOpen, openModal } = useModal();
 
 const toEmail = '[email protected]';
 const ccEmail = '[email protected]';
-const subject = computed(() => `CVSS Rescore Request - ${props.cveid}`);
+const subject = computed(() => `CVSS Rescore Request - ${props.cveId}`);
 const emailBody = computed(() => `Hello,
 
-I have performed an analysis of ${props.cveid} on behalf of Red Hat Product Security,
+I have performed an analysis of ${props.cveId} on behalf of Red Hat Product Security,
 resulting in a Red Hat CVSS score which is different from the NIST score.
 Our information and analysis is included below,
 and we would appreciate your consideration and review.
 
-CVE : ${props.cveid}
+CVE : ${props.cveId}
 
 Red Hat Bugzilla: ${props.bugzilla}
-NVD Page: https://nvd.nist.gov/vuln/detail/${props.cveid}
+NVD Page: https://nvd.nist.gov/vuln/detail/${props.cveId}
 Red Hat CVSS: ${props.cvss}
-NIST CVSS: ${props.nistcvss}
+NIST CVSS: ${props.nistCvss}
 
 Flaw Summary: 
 ${props.summary}
@@ -83,7 +83,6 @@ function openMailto() {
           </div>
           <hr />
         </div>
-
         <LabelTextarea v-model="emailBody" label="Body:" />
       </template>
       <template #footer>

src/components/CvssSection.vue

@@ -0,0 +1,89 @@
+<script setup lang="ts">
+import { computed, ref } from 'vue';
+
+import CvssNISTForm from '@/components/CvssNISTForm.vue';
+import LabelDiv from '@/components/widgets/LabelDiv.vue';
+
+import { issuerLabels } from '@/composables/useFlawCvssScores';
+
+import type { ZodFlawCVSSType } from '@/types/zodFlaw';
+import { IssuerEnum } from '@/generated-client';
+
+const props = defineProps<{
+  allCvss: ZodFlawCVSSType[];
+  bugzilla: string;
+  cveId: null | string;
+  cvss: string;
+  highlightedNvdCvss3String: { char: null | string; isHighlighted: boolean }[][];
+  nistCvss: string;
+  shouldDisplayEmailNistForm: boolean;
+  summary: string;
+}>();
+
+const showAllCvss = ref(false);
+
+const otherCvss = computed(() => props.allCvss.filter(cvssItem =>
+  (!(cvssItem.cvss_version === 'V3' && (cvssItem.issuer === IssuerEnum.Rh || cvssItem.issuer === IssuerEnum.Nist)))));
+</script>
+
+<template>
+  <div>
+    <LabelDiv label="NVD CVSSv3" class="mb-2">
+      <template v-if="otherCvss && otherCvss.length > 0" #labelSlot>
+        <button
+          class="btn btn-sm me-auto border-0"
+          type="button"
+          :title="(showAllCvss ? 'Hide' : 'Show') + ' all available CVSS versions and issuers'"
+          @click="() => showAllCvss = !showAllCvss"
+        >
+          <i :class="showAllCvss ? 'bi bi-caret-down' : 'bi bi-caret-right'" style="font-size: 2.25ch;" />
+        </button>
+      </template>
+      <div class="d-flex flex-row">
+        <div class="form-control text-break h-auto" :class="shouldDisplayEmailNistForm ? 'rounded-0' : ''">
+          <template v-if="cvss">
+            <template v-for="(chars, index) in highlightedNvdCvss3String" :key="index">
+              <span v-if="chars[0].isHighlighted" class="text-primary">
+                {{ chars.map(c => c.char).join('') }}
+              </span>
+              <template v-else>{{ chars.map(c => c.char).join('') }}</template>
+            </template>
+          </template>
+          <template v-else>
+            <span>
+              {{ nistCvss }}
+            </span>
+          </template>
+        </div>
+        <div v-if="shouldDisplayEmailNistForm" class="col-auto align-self-center">
+          <CvssNISTForm
+            :cveId
+            :summary
+            :bugzilla
+            :cvss
+            :nistCvss
+          />
+        </div>
+      </div>
+    </LabelDiv>
+    <div v-if="showAllCvss" class="bg-secondary p-2 ps-1 ms-1 mb-2 rounded">
+      <template
+        v-for="(cvssItem, cvssItemIndex) in otherCvss"
+        :key="cvssItemIndex.uuid"
+      >
+        <LabelDiv
+          :label="issuerLabels[cvssItem.issuer] + ' CVSS' + cvssItem.cvss_version.toLocaleLowerCase()"
+          :class="cvssItemIndex < otherCvss.length -1 ? 'mb-2' : ''"
+        >
+          <div class="d-flex flex-row">
+            <div class="form-control text-break h-auto">
+              <span>
+                {{ cvssItem.score + ' CVSS:' + cvssItem.cvss_version.substring(1) + '/' + cvssItem.vector }}
+              </span>
+            </div>
+          </div>
+        </LabelDiv>
+      </template>
+    </div>
+  </div>
+</template>

src/components/FlawAffects.vue

@@ -20,6 +20,7 @@ import {
   affectResolutions,
   possibleAffectResolutions,
 } from '@/types/zodAffect';
+import { IssuerEnum } from '@/generated-client';
 
 const props = defineProps<{
   affectCvssToDelete: Record<string, string>;
@@ -347,7 +348,7 @@ function addNewAffect() {
     cvss_scores: [{
       // affect: z.string().uuid(),
       cvss_version: 'V3',
-      issuer: 'RH',
+      issuer: IssuerEnum.Rh,
       comment: '',
       score: null,
       vector: '',
@@ -443,7 +444,7 @@ function selectAffects(event: Event) {
 
 // Affects Fields
 function affectCvss(affect: ZodAffectType) {
-  return affect.cvss_scores.find(({ cvss_version, issuer }) => issuer === 'RH' && cvss_version === 'V3');
+  return affect.cvss_scores.find(({ cvss_version, issuer }) => issuer === IssuerEnum.Rh && cvss_version === 'V3');
 }
 
 function affectCvssDisplay(affect: ZodAffectType) {
@@ -470,7 +471,7 @@ function updateAffectCvss(affect: ZodAffectType, newValue: string) {
       affect.cvss_scores[cvssScoreIndex].vector = newValue;
     } else if (newValue !== '') {
       affect.cvss_scores.push({
-        issuer: 'RH',
+        issuer: IssuerEnum.Rh,
         cvss_version: 'V3',
         comment: '',
         score: null,

src/components/FlawContributors.vue

@@ -69,6 +69,7 @@ const remove = (index: number) => {
   <LabelDiv
     label="Contributors"
     tabindex="99"
+    class="mb-2"
     @click.prevent="onFocus"
     @blur.capture="onBlur"
   >

src/components/FlawForm.vue

@@ -11,9 +11,8 @@ import LabelTextarea from '@/components/widgets/LabelTextarea.vue';
 import IssueFieldEmbargo from '@/components/IssueFieldEmbargo.vue';
 import CveRequestForm from '@/components/CveRequestForm.vue';
 import FlawFormOwner from '@/components/FlawFormOwner.vue';
-import CvssNISTForm from '@/components/CvssNISTForm.vue';
+import CvssSection from '@/components/CvssSection.vue';
 import FlawComments from '@/components/FlawComments.vue';
-import LabelDiv from '@/components/widgets/LabelDiv.vue';
 import CvssCalculator from '@/components/CvssCalculator.vue';
 import FlawAlertsList from '@/components/FlawAlertsList.vue';
 import FlawHistory from '@/components/FlawHistory.vue';
@@ -274,31 +273,16 @@ const createdDate = computed(() => {
               v-model:cvss-vector="flawRhCvss3.vector"
               v-model:cvss-score="flawRhCvss3.score"
             />
-            <div>
-              <div class="col">
-                <LabelDiv label="NVD CVSSv3">
-                  <div class="d-flex flex-row">
-                    <div class="form-control text-break h-auto rounded-0">
-                      <template v-for="(chars, index) in highlightedNvdCvss3String" :key="index">
-                        <span v-if="chars[0].isHighlighted" class="text-primary">
-                          {{ chars.map(c => c.char).join('') }}
-                        </span>
-                        <template v-else>{{ chars.map(c => c.char).join('') }}</template>
-                      </template>
-                    </div>
-                    <div v-if="shouldDisplayEmailNistForm" class="col-auto align-self-center">
-                      <CvssNISTForm
-                        :cveid="flaw.cve_id"
-                        :summary="flaw.comment_zero"
-                        :bugzilla="bugzillaLink"
-                        :cvss="rhCvss3String"
-                        :nistcvss="nvdCvss3String"
-                      />
-                    </div>
-                  </div>
-                </LabelDiv>
-              </div>
-            </div>
+            <CvssSection
+              :highlightedNvdCvss3String
+              :shouldDisplayEmailNistForm
+              :cveId="flaw.cve_id"
+              :summary="flaw.comment_zero"
+              :bugzilla="bugzillaLink"
+              :cvss="rhCvss3String"
+              :allCvss="flaw.cvss_scores"
+              :nistCvss="nvdCvss3String"
+            />
             <LabelEditable
               v-model="flaw.cwe_id"
               label="CWE ID"

src/components/FlawFormOwner.vue

@@ -68,7 +68,7 @@ const handleSuggestionClick = (fn: (args?: any) => void, user: ZodJiraUserAssign
 </script>
 
 <template>
-  <LabelDiv label="Owner" :loading="isLoading">
+  <LabelDiv label="Owner" :loading="isLoading" class="mb-2">
     <EditableTextWithSuggestions v-model="owner" class="col-12" @update:query="onQueryChange">
       <template v-if="!isAssignedToMe" #buttons-out-of-editing-mode="{ onBlur }">
         <button

src/components/IssueFieldEmbargo.vue

@@ -48,7 +48,7 @@ watch(() => showModal.value, () => {
 </script>
 
 <template>
-  <LabelDiv label="Embargoed">
+  <LabelDiv label="Embargoed" class="mb-2">
     <template #default>
       <div>
         <div class="d-flex ms-0 p-0 justify-content-between">

src/components/IssueFieldState.vue

@@ -64,7 +64,7 @@ function nextPhase(workflowState: WorkflowPhases) {
 
 <template>
   <div class="osim-workflow-state-container mb-2">
-    <LabelDiv label="State" type="text" class="osim-workflow-state-display">
+    <LabelDiv label="State" type="text" class="osim-workflow-state-display mb-2">
       <div class="d-flex">
         <span class="form-control rounded-0">{{ classification.state || 'Legacy Flaw without Jira task' }}</span>
         <div class="col-auto">

src/components/__tests__/CvssNISTForm.spec.ts

@@ -8,12 +8,12 @@ import CvssNISTForm from '../CvssNISTForm.vue';
 const mountCvssNISTForm = () => mountWithConfig(CvssNISTForm, {
   props: {
     flaw: 'any',
-    cveid: 'string',
+    cveId: 'string',
     summary: 'string',
     bugzilla: 'string',
     nvdpage: 'string',
     cvss: 'string',
-    nistcvss: 'string',
+    nistCvss: 'string',
     cvssjustification: 'string',
   },
 });