Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Add Auditing and Analysis Capabilities ("does not apply" field to (product, vulnerability) pair)

See original GitHub issue

A vulnerability in the component is not always applicable for every product using that component. For example, a vulnerability in OpenSSL TLS server code is not of interest for a product which does not run a TLS server (or has no networking at all), but uses OpenSSL.

For each vulnerability of a particular product, it would be useful to have an attribute does not apply, which can be taken into account (or not) when showing totals. Each does not apply could be accompanied with a user-supplied text field explaining why it is such.

Issue Analytics

  • State:closed
  • Created 6 years ago
  • Comments:7 (6 by maintainers)

github_iconTop GitHub Comments

stevespringettcommented, Apr 26, 2018

This ticket is complete.

Analysis decisions can be made on a per-project basis. This requires the VIEW_PORTFOLIO and VULNERABILITY_ANALYSIS permissions. If the user has these permissions while viewing a project, an ‘Audit’ tab will appear allowing for the analysis of findings.

Analysis decisions can also be made globally at the component level. This requires the PORTFOLIO_MANAGEMENT and VULNERABILITY_ANALYSIS permissions. If the user has these permissions while viewing a component, an optional button will be displayed allowing the user to enter audit mode while viewing the vulnerabilities for the component.

In both cases, metrics and vulnerabilities affecting components and projects take into consideration suppressed vulnerabilities. Vulnerabilities that are suppressed are not included in metrics and are hidden from view from users without the ability to make analysis decisions.

Also in both cases, comments and analysis decisions can be made, and the vulnerability can optionally be suppressed. Each action (analysis decision, suppression) creates a new comment in the audit trail providing a full history of the issue along with timestamps of when the action occurred.

stevespringettcommented, Mar 25, 2018

I’ve made some minor modifications to the model for this ticket.

I’ve validated the model is sound and have a working REST resource that adds analysis decisions/comments along with retrieving the analysis trail. This will be checked in next week after the launch of v3. The only remaining items for this ticket are related to the UI. A metaphor for how the auditing workflow takes place in the UI still needs to be designed and implemented. I’m targeting this work for v3.1.0.

Also note, a new permission is being introduced in 3.1.0 called “VULNERABILITY_ANALYSIS”. Users that need to be able to audit must have this permission assigned to their user account or through team membership.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Vulnerability Pair - an overview | ScienceDirect Topics
A threat-vulnerability pair is a matrix that matches all the threats in our listing with the current or hypothetical vulnerabilities that could be...
Read more >
Building audit processes - IBM
Building audit processes. Streamline the compliance workflow process by consolidating, in one spot, the following database activity monitoring tasks: asset ...
Read more >
View Vulnerability Response vulnerable item detection data
Detection data are paired with vulnerable items and VI state is updated based on the state of the detections. If a VI is...
Read more >
Microsoft Dataverse and model-driven apps activity logging
This topic covers how you can set customer engagement apps to audit a broad range of data processing activities and use the Microsoft...
Read more >
Vulnerabilities findings | Security Command Center
The mappings are not provided for use as the basis of, or as a substitute for, the audit, certification, or report of compliance...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found