CVSS calculator updates #165

milankowww opened this issue Sep 27, 2023 · 2 comments
Comments

@milankowww
Collaborator

This issue has been created from an internal development ticket. It tracks the change request for the CVSS calculator.

Requirements

  • the calculator must be able to process various versions of CVSS
  • the calculator must allow entering "just the value"
  • the numeric value, whether calculated or hand-inserted, must be available in the product template

Common changes

  • COMMON-1: The CVSS editor field internally stores a JSON instead of just a vector
```
{
  'version': string not null default 'v3.1',
  'score': float not null default 0,
  'vector': string or null,
  'scores_from_vector': {} or {
    'base': float or null,
    'temporal': float or null,
    'environmental': float or null
  } or {
    'base': float or null,
    'supplemental': float or null,
    'environmental_modified': float or null,
    'environmental_security_requirements': float or null,
    'threat': float or null,
  }
}
```

The keys available in the scores_from_vector field depend on the version of CVSS and may change in the future. The editor does not show the 'calculator' of unknown CVSS versions.

  • COMMON-2: Add a database migration that

    • converts existing vectors to the above mentioned JSON.
    • if a valid vector was present, performs a one-time backend calculation of the base score for CVSS v3.0 and v3.1 (all subsequent calculations will be exclusively done in a front end editor)
    • the old data only contains vectors and they are mostly CVSS version 3.x so that's easy

GUI changes

  • GUI-1: Update the front-end calculator

    • in the data received from the database, expect the JSON instead of just a string
    • understand that vector may be empty (but score is always present)
    • in the GUI it is still displayed just as a single text field.
    • The default visible field content is as follows:
      • (3.0) CVSS:3.1/AV:N/..... if both fields are present
      • 3.0 if only score is present
  • GUI-2: editing the field directly

    • the field accepts pasting/writing the vector, and upon entering automatically performs the calculation of the scores_from_vector which automatically reverts the value to (3.0) CVSS:3.1/AV:N/...... It also updates the version field and vector field.
    • the field accepts entering a numerical value; upon entering updates the top-level score field but not the calculated fields
    • clearing the field during the edit process does not delete the values
  • GUI-3: Using the calculator

    • the calculator displays a polite message if it doesn't know the CVSS version, otherwise it allows editing of the values
    • only when the user actively uses the calculator by clicking on some button to change its value, or when a new vector is pasted into the appropriate calculator input field:
      • set the top-level score field to the calculated base score and the scores_from_vector to appropriate values
      • set values to NULL if something cannot be calculated; the top-level score field is set to zero instead of NULL

BACKEND and PRESENTER changes

  • BACKEND-1: special support for the fields of CVSS type so that they are JSON-decoded and merged into the existing JSON. Instead of {{ variable_name }} it should be available as {{ variable_name.vector }}, {{ variable_name.score }} and so on.

  • BACKEND-2: update the existing jinja2 templates
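Added illustration of the COMMON-1/COMMON-2 shape described above (example code written for this thread, not code from the project or the issue author): a legacy vector-only field value is converted into the JSON record, and, when the vector is a valid CVSS v3.0/v3.1 vector, the base score is computed once from the v3.1 specification weights. The function names, the `{}` value for `scores_from_vector` on unknown versions, and deriving `version` from the `CVSS:x.y/` prefix are assumptions of this example.

```python
import math
import re

# CVSS v3.x base-metric weights (CVSS v3.1 specification, base metric table)
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}   # Privileges Required, scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}    # Privileges Required, scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

VECTOR_RE = re.compile(r"^CVSS:(3\.[01])/((?:[A-Z]+:[A-Z]+/)*[A-Z]+:[A-Z]+)$")

def roundup(x):
    """CVSS v3.1 'Roundup': smallest one-decimal value >= x, float-safe (also fine for v3.0)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score_v3(vector):
    """Return the base score for a CVSS v3.0/v3.1 vector, or None if it is not one."""
    m = VECTOR_RE.match(vector or "")
    if not m:
        return None
    metrics = dict(part.split(":") for part in m.group(2).split("/"))
    try:
        changed = {"U": False, "C": True}[metrics["S"]]
        pr = (PR_C if changed else PR_U)[metrics["PR"]]
        iss = 1 - (1 - CIA[metrics["C"]]) * (1 - CIA[metrics["I"]]) * (1 - CIA[metrics["A"]])
        exploitability = 8.22 * AV[metrics["AV"]] * AC[metrics["AC"]] * pr * UI[metrics["UI"]]
    except KeyError:  # missing base metric or unknown value
        return None
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return roundup(min(total, 10))

def migrate_cvss_field(legacy_value):
    """Convert a legacy vector-only field value into the COMMON-1 JSON shape (hypothetical helper)."""
    vector = (legacy_value or "").strip() or None
    base = base_score_v3(vector)
    version = "v" + vector.split("/")[0][5:] if vector and vector.startswith("CVSS:") else "v3.1"
    record = {"version": version, "score": base if base is not None else 0.0,
              "vector": vector, "scores_from_vector": {}}
    if base is not None:  # only v3.x vectors get a one-time backend calculation
        record["scores_from_vector"] = {"base": base, "temporal": None, "environmental": None}
    return record
```

Vectors of versions the backend cannot score keep their string and version but get `score` 0, matching the "zero instead of NULL" rule for the top-level score.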

@multiflexi
Contributor

maybe some stuff from CVSS v4.0 calculator could be used

@multiflexi
Contributor

Or CVSS could be used. It is written in Python and there is PR RedHatProductSecurity/cvss#45 adding support for V4. This could be useful if the CVSS calculation would move from GUI to backend.
