
Add --cvss-fail-threshold #123

Merged
merged 3 commits into from
Sep 9, 2024

Conversation

lread
Contributor

@lread lread commented Sep 1, 2024

See README for general description.

New option is mutually exclusive to --fail-on-result; if both are specified, clj-watson fails fast with usage error and help.

Conservatively derives score when missing or suspicious looking:

  • When severity is available, conservatively converts it to a score
  • Since we don't know if the score is CVSS2 or CVSS3/4 derived, High and Critical are converted to 10.0; Medium and Low are converted to the upper bound of their ranges.
  • The experimental github-advisory strategy seems to regularly populate score with 0.0 but with a valid-looking severity; we treat a score of 0.0 as suspicious.
  • I've not seen cases of invalid severities in the wild, but we handle them just the same; when we can't make sense of things, we derive the most critical score, which is 10.0.

Also:

  • factored out table support from the cli-spec ns into a new table ns to reuse it for the summary table.
  • renamed the summarize fn to final-summary to better distinguish it from our new summary fn
  • a new utils ns for the assoc-some fn (cribbed from clj-kondo, which cribbed from medley).

Closes #114

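The score derivation described in the PR description, as an added example written for this page (it is not clj-watson's own code and does not reproduce its implementation). It assumes the standard CVSS qualitative range bounds (Low tops out at 3.9 and Medium at 6.9 in both v2 and v3.x), assumes a finding fails the threshold when its derived score is greater than or equal to the threshold, and uses constructed sample findings; the namespace, function names and the `validate-opts` helper are hypothetical.

```clojure
(ns example.cvss-threshold
  "Added example, not clj-watson's own code: derive a conservative CVSS score
   from a finding's score/severity and apply a --cvss-fail-threshold style check."
  (:require [clojure.string :as str]))

;; Upper bounds of the CVSS qualitative ranges. Low and Medium share the same
;; bounds in CVSS v2 and v3.x; High and Critical are pinned to 10.0 because we
;; cannot tell whether the severity came from a v2 or v3/v4 scoring.
;; Assumption: these are the bounds the PR description calls
;; "upper bound of their ranges".
(def ^:private severity->score
  {"low"      3.9
   "medium"   6.9
   "high"     10.0
   "critical" 10.0})

;; Fallback when neither score nor severity can be made sense of.
(def ^:private max-score 10.0)

(defn derive-score
  "Return a conservative CVSS score for a finding map.
   - a present, non-zero numeric :score is trusted as-is
   - a missing or 0.0 :score is treated as suspicious and derived from :severity
   - a missing or unrecognised :severity falls back to the most critical score"
  [{:keys [score severity]}]
  (let [sev-score (when severity
                    (severity->score (str/lower-case (name severity))))]
    (cond
      (and (number? score) (pos? score)) (double score)
      sev-score                          sev-score
      :else                              max-score)))

(defn fails-threshold?
  "Assumed semantics: a finding fails when its derived score >= threshold."
  [threshold finding]
  (>= (derive-score finding) threshold))

(defn failing-findings
  "All findings that would cause a non-zero exit under the given threshold."
  [threshold findings]
  (filter #(fails-threshold? threshold %) findings))

(defn validate-opts
  "Hypothetical usage-error check mirroring the PR's mutual-exclusion rule:
   returns an error message when both fail options are given, else nil."
  [{:keys [cvss-fail-threshold fail-on-result]}]
  (when (and cvss-fail-threshold fail-on-result)
    "--cvss-fail-threshold and --fail-on-result are mutually exclusive"))

;; Constructed sample findings, not real advisories.
(def sample-findings
  [{:id "FINDING-A" :score 7.5 :severity "High"}   ; trusted numeric score
   {:id "FINDING-B" :score 0.0 :severity "Medium"} ; suspicious 0.0, use severity
   {:id "FINDING-C" :severity :low}                ; missing score, use severity
   {:id "FINDING-D" :score nil :severity "Bogus"}  ; unknown severity, worst case
   {:id "FINDING-E"}])                             ; nothing usable, worst case

(defn -main
  "Print each finding's derived score and the ones failing a 7.0 threshold."
  [& _]
  (doseq [f sample-findings]
    (println (:id f) "->" (derive-score f)))
  (println "failing at 7.0:" (mapv :id (failing-findings 7.0 sample-findings)))
  (println "option check:" (validate-opts {:cvss-fail-threshold 7.0 :fail-on-result true})))
```

Run it from a REPL with `(-main)` after loading the namespace. The design choice worth noting is that every path that cannot be interpreted lands on 10.0 rather than 0.0, so a malformed advisory record makes the build fail loudly instead of silently passing a threshold check.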
@lread
Contributor Author

lread commented Sep 1, 2024

Thanks for taking a peek @coyotesqrl.
I think this matches what we discussed.
If you have any other feedback, happy to hear it!

@lread
Contributor Author

lread commented Sep 9, 2024

@seancorfield when you have some time and some interest, this PR awaits your review.

@seancorfield
Contributor

Sorry, last week got completely derailed which was when I said I would review this...

@seancorfield seancorfield merged commit 7e2259b into clj-holmes:main Sep 9, 2024
5 checks passed
@lread
Contributor Author

lread commented Sep 9, 2024

Thanks! And no problem @seancorfield, I understand that folks get busy and distracted!

Successfully merging this pull request may close these issues.

Change from fail-on-result to fail-on-cvss
3 participants