GET /api/v2/sbom/{id}/advisory should include Vulnerability "title"

[carlosthe19916]

When I hit GET /api/v2/sbom/{id}/advisory I get a response similar to the JSON Below.

The field status.title should be the Vulnerability's title and not the Advisory's title.

Reasoning:

• The field title at the parent object already represents the Advisory's title so there is no need to make title==status.title
• In the UI, due to https://issues.redhat.com/browse/TC-2353, I discovered that just like in the example below there might be multiple advisories. The problem is when I need to render the description of Vulnerability then I have 2 completely different "titles" for the same Vulnerability
  • See that in my JSON below. [0].status.title != [1].status.title

[
  {
    "uuid": "urn:uuid:beb78036-452a-49b9-8ad7-61b5ebbafa94",
    "identifier": "https://www.redhat.com/#CVE-2023-4853",
    "document_id": "CVE-2023-4853",
    "issuer": {
      "id": "4729edd1-030b-45ed-94da-71eb9dcaa037",
      "name": "Red Hat Product Security",
      "cpe_key": null,
      "website": null
    },
    "published": "2023-09-08T00:00:00Z",
    "modified": "2023-11-10T12:57:35Z",
    "withdrawn": null,
    "title": "quarkus: HTTP security policy bypass", // Advisory title
    "labels": {
      "type": "csaf"
    },
    "status": [
      {
        "normative": false,
        "identifier": "CVE-2023-4853",
        "title": "quarkus: HTTP security policy bypass", // This is also advisory title, but it should be Vulnerability's title
        "description": null,
        "reserved": null,
        "published": "2023-09-20T09:47:32.15Z",
        "modified": "2024-11-23T01:02:43.871Z",
        "withdrawn": null,
        "discovered": "2023-09-08T00:00:00Z",
        "released": "2023-09-08T00:00:00Z",
        "cwes": [
          "CWE-148"
        ],
        "average_severity": "high",
        "status": "affected",
        "context": {
          "cpe": "cpe:/a:redhat:quarkus:2.13:*:el8:*"
        },
        "packages": []
      }
    ]
  },
  {
    "uuid": "urn:uuid:75507b71-8bc0-47b6-b8c2-38e2660f9677",
    "identifier": "GHSA-4f4r-wgv2-jjvg",
    "document_id": "GHSA-4f4r-wgv2-jjvg",
    "issuer": null,
    "published": "2023-09-20T12:30:22Z",
    "modified": "2023-10-27T19:00:20Z",
    "withdrawn": null,
    "title": "Quarkus HTTP vulnerable to incorrect evaluation of permissions", // Advisory title
    "labels": {
      "file": "github-reviewed/2023/09/GHSA-4f4r-wgv2-jjvg/GHSA-4f4r-wgv2-jjvg.json",
      "type": "osv",
      "importer": "osv-github",
      "source": "https://github.com/github/advisory-database"
    },
    "status": [
      {
        "normative": false,
        "identifier": "CVE-2023-4853",
        "title": "Quarkus HTTP vulnerable to incorrect evaluation of permissions", // This is also advisory title, but it should be Vulnerability's title
        "description": "A flaw was found in Quarkus where HTTP security policies are not sanitizing certain character permutations correctly when accepting requests, resulting in incorrect evaluation of permissions. This issue could allow an attacker to bypass the security policy altogether, resulting in unauthorized endpoint access and possibly a denial of service.",
        "reserved": null,
        "published": "2023-09-20T09:47:32.15Z",
        "modified": "2024-11-23T01:02:43.871Z",
        "withdrawn": null,
        "discovered": null,
        "released": null,
        "cwes": [],
        "average_severity": "high",
        "status": "affected",
        "context": null,
        "packages": []
      }
    ]
  }
]

[ctron]

The field status.title should be the Vulnerability's title and not the Advisory's title.

I assume that, in the case of OSV, it would be the same title, as the OSV document only carries one vulnerability per document. The .status section is the advisories vulnerabilities.

What values would you expect?

[carlosthe19916]

I would expect the field status.title field to be populated with the Vulnerability's title/description. E.g. In the image below we see a list of vulnerabilities which their title/description in the table.

Let me take a step back. Perhaps I should not request to change the current status.title but to be able to get the "Vulnerability"'s description title somewhere in that response.

The main point for the UI's use case is that I need to render the Vulnerability's description/title. The same description/title I would get if I hit GET /api/v2/vulnerability/{id}.

[PhilipCattanach]

@ctron - Could you take another look at this please? It seems having the vulnerability title somewhere in the response is a reasonable ask.

[ctron]

So the current endpoint is designed to return the vulnerability in the context of the advisory. As the advisory defines it. That what it does.

What you seem to ask for, is to get the title of the vulnerability from the CVE project database. Which we also have, but as you say, from a different endpoint.

Currently, you can get them from the endpoint that you mentioned (/api/v2/vulnerability/{id}). We could create an endpoint which allows doing resolving this with a batch query.

What I would not like to do, is to have that currently working endpoint return different data than it's supposed to.

An alternative could be, to design a proper API endpoint, which supports the UI use case. Which I think we need anyway, as, to my understanding, the UI currently does a lot of post processing on the data.

So summing it up:

• Either have the UI use the current vulnerability endpoint (one by one)
• Or, we create a batch version of that for the UI
• Or, we design and implement an API that makes proper sense for the UI

[carlosthe19916]

Doing some clean up. Closing this issue as I believe we addressed it already.