Create risk score calculation service
What does this MR do and why?
This MR introduces the new `Vulnerabilities::Findings::RiskScoreCalculationService`. The service takes one or more vulnerability ids and updates the risk scores for the corresponding `vulnerability_occurrences` records. It does so through an `upsert_all` operation, so records are either created or updated in a single pass. The service is called wherever a vulnerability's severity changes or a vulnerability transitions to an active state.
Risk score formula - https://gitlab.com/gitlab-org/secure/vulnerability-research/pocs/totalriskscore/-/merge_requests/1/diffs
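The behaviour described above, modelled in plain Ruby as an added example that is not the MR's or GitLab's code: the class and store names, the in-memory hashes and the severity weights are hypothetical placeholders (the actual formula is in the linked merge request). It shows the two points the description makes: only active (detected/confirmed) vulnerabilities are scored, and the write is create-or-update keyed on the finding.

```ruby
# Added example (not the MR's code): an in-memory model of the described service.
# Names and scoring weights are hypothetical placeholders; the real formula is linked in the MR.
ACTIVE_STATES = %w[detected confirmed].freeze
SEVERITY_WEIGHT = {
  'critical' => 10.0, 'high' => 7.0, 'medium' => 4.0, 'low' => 1.0, 'info' => 0.0
}.freeze
# Constructed stand-in for a Vulnerability with its linked finding.
Vulnerability = Struct.new(:id, :finding_id, :state, :severity)

# Placeholder scoring (assumption): severity weight only.
def risk_score_for(vuln)
  SEVERITY_WEIGHT.fetch(vuln.severity, 0.0)
end

class RiskScoreCalculationService
  # vulnerabilities_by_id: id => Vulnerability; risk_scores: finding_id => score (stand-in table)
  def initialize(vulnerabilities_by_id, risk_scores)
    @vulns = vulnerabilities_by_id
    @risk_scores = risk_scores
  end

  # Returns { created:, updated:, skipped: } so callers can verify what happened.
  def execute(vulnerability_ids)
    result = { created: 0, updated: 0, skipped: 0 }
    rows = []
    vulnerability_ids.uniq.each do |id|
      vuln = @vulns[id]
      # Only active (detected/confirmed) vulnerabilities are scored, as the MR states.
      unless vuln && ACTIVE_STATES.include?(vuln.state)
        result[:skipped] += 1
        next
      end
      rows << { finding_id: vuln.finding_id, score: risk_score_for(vuln) }
    end
    upsert_all(rows, result)
    result
  end

  private

  # Mirrors upsert_all: each row is inserted, or overwritten when its key already exists.
  def upsert_all(rows, result)
    rows.each do |row|
      key = row[:finding_id]
      result[@risk_scores.key?(key) ? :updated : :created] += 1
      @risk_scores[key] = row[:score]
    end
  end
end
```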
References
Relates to - #569693 (closed)
How to set up and validate locally
Update cases:
- Go to the vulnerabilities dashboard.
- Select one or more vulnerabilities and change their severity.
- Go to the Rails console, find the `Vulnerabilities::FindingRiskScore` records as described below, and verify the risk scores against the formula.

```ruby
v = Vulnerability.find(id)
Vulnerabilities::FindingRiskScore.find(v.finding_id)
```

- Do the same for state updates. Note: scores are only calculated on a transition to the `detected` or `confirmed` state, since we only care about active vulnerabilities.
MR acceptance checklist
Evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Edited by Rushik Subba