[roadmap] Add supplier product security deepening#42
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1285a495fd
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| .execute(pool) | ||
| .await?; | ||
| for evidence_id in evidence_ids { | ||
| insert_evidence_link_sqlite(pool, tenant_id, record_id, actor_id, *evidence_id, "review") |
There was a problem hiding this comment.
Preserve evidence link types during record edits
When a record already has evidence linked with a non-default link_type via the /evidence endpoint, any later PATCH to unrelated fields deletes all links and reinserts them as "review", so contract/exit/review evidence classifications are silently lost in the detail view and audit metadata. This should preserve existing link types for unchanged evidence IDs instead of resetting them on every record update.
Useful? React with 👍 / 👎.
| <label>Advisory-Quelle<select name="advisory_source_type"><option value="manual">Manuell</option><option value="psirt">PSIRT</option><option value="vendor">Hersteller</option><option value="customer">Kunde</option><option value="internal">Intern</option><option value="import_preparation">Import-Vorbereitung</option></select></label> | ||
| <label>CVSS<input name="cvss_score" inputmode="decimal"></label> | ||
| <label>EPSS<input name="epss_score" inputmode="decimal"></label> | ||
| <label>Exploitation<select name="exploitation_status"><option value="unknown">Unbekannt</option><option value="not_observed">Nicht beobachtet</option><option value="proof_of_concept">Proof of Concept</option><option value="active">Aktiv</option><option value="exploited">Ausgenutzt</option></select></label> |
There was a problem hiding this comment.
Use accepted enum values in the web form
Selecting the visible Nicht beobachtet option submits exploitation_status=not_observed, but the store normalizer accepts not_known rather than not_observed, so the create/edit flow fails with an invalid-payload error for a value offered by the UI. Align the form values with the backend enum values; the same kind of mismatch should be checked for the nearby select fields added in this panel.
Useful? React with 👍 / 👎.
Problemstellung und Ziel
Supplier Reviews und Product Security waren bisher getrennte Sichten. Dieser PR verbindet Lieferanten, Produkte/Services, lokale Advisory-/PSIRT-/CVE-Metadaten, Evidence, Vertrags-/Exit-Plan-Reife und Regulatory Review Packs in einem tenantgebundenen Governance-Modell.
Wichtig: Der PR baut keine externe Feed-Integration. Es gibt keine Live-Abfragen gegen NVD, GitHub Advisories, Herstellerportale oder andere externe Quellen.
Geänderte Funktionen
0034_rust_supplier_product_security_governance/suppliers/product-security/mit Filtern, Kennzahlen, Create/Edit/Status/Evidence-Flows und DetailansichtBetroffene Dateien
rust/iscy-backend/src/db_admin.rsrust/iscy-backend/src/supplier_product_security_store.rsrust/iscy-backend/src/lib.rsrust/iscy-backend/src/main.rsrust/iscy-backend/src/report_store.rsrust/iscy-backend/tests/http_tests.rsCHANGELOG.mddocs/ISCY_STRATEGIC_ROADMAP.mddocs/ISCY_Handbuch.mddocs/ISCY_Handbuch.pdfdocs/GUI_SCREENSHOTS.mddocs/assets/iscy-supplier-product-security.pngDatenbankmigrationen
0034_rust_supplier_product_security_governancesupplier_product_security_record,supplier_product_security_evidence_link,supplier_product_security_event,supplier_contract_exit_historyNeue oder geänderte API-Endpunkte
GET /api/v1/suppliers/product-securityPOST /api/v1/suppliers/product-securityGET /api/v1/suppliers/product-security/{record_id}PATCH /api/v1/suppliers/product-security/{record_id}POST /api/v1/suppliers/product-security/{record_id}/statusPOST /api/v1/suppliers/product-security/{record_id}/evidenceGET /api/v1/suppliers/product-security/{record_id}/eventsGET /api/v1/suppliers/{supplier_id}/product-securityGET /api/v1/suppliers/{supplier_id}/contract-exit-historyGUI-Änderungen
Supplier/Product Security/suppliers/product-security/Tenant- und Berechtigungsgrenzen
Security-Entscheidungen
Ausgeführte Tests
nix develop --command cargo fmt --manifest-path rust/iscy-backend/Cargo.toml -- --checknix develop --command cargo clippy --locked --manifest-path rust/iscy-backend/Cargo.toml --all-targets -- -D warningsnix develop --command cargo test --locked --manifest-path rust/iscy-backend/Cargo.tomlnix shell nixpkgs#cargo-audit nixpkgs#cargo --command cargo audit --file rust/iscy-backend/Cargo.lock --ignore RUSTSEC-2023-0071nix shell nixpkgs#cargo-deny nixpkgs#cargo --command cargo deny --manifest-path rust/iscy-backend/Cargo.toml check advisories licenses sourcesnix develop --command make rust-smokenix develop --command make rust-restore-smokenix flake checkenv DATABASE_URL=sqlite:/tmp/iscy-nix-app-smoke-0034.sqlite nix run .#iscy-backend -- init-demo.env.examplefuer base, stage, prod und prod+LLMnix develop --command make docs-pdfgit diff --checkBekannte Einschränkungen
/var/run/docker.sockverfuegbar ist; GitHub CI soll den hardened Docker-Build ausfuehrenBewusst nicht umgesetzt