doc: adr for handling vulnerability scores and severities #1604
I absolutely like the detail of this ADR. The context and history! Awesome! I am wondering why the data model doesn't have a "type" field (v2, v3, v4?). Did I overlook it? Isn't it necessary?

We definitely need it. I added it (version) in the CVSSVector object just to make it clear. Note that this is not the exact data model proposal, but just proposed pseudo-API changes.
@dejanb - what's not clear to me is what is going to change? I think the Vulnerability score is straightforward, as it is 1:1. The Advisory can have a 1:M to Vulnerability, so are we still intending on presenting the aggregate score on the Advisory List and Detail screens? Or should each Advisory List row be expandable to show the individual CVEs and their scores from that Advisory (essentially what the Advisory Vulnerability list screen does currently)? A couple of concrete examples for the AS IS and the TO BE illustrating what the changes will provide would be super helpful.

@PhilipCattanach I was thinking to keep the ADR focused on describing how things will be in the future, as this transition is just temporary. I created a project to detail the work we are doing to make it work. As for the concrete topics: Vulnerabilities will only get scores from CVE files. Note also that this has nothing to do with the UI, just how we store and return data using the API. The UI is another discussion completely.
@dejanb thanks a lot: the ADR is precise and clear and it reads very well.
This PR contains an ADR for handling vulnerability scores and severities. It covers the current state of things in the specs that we are using and proposes API changes to properly reflect the data that users are interested in.