feat: upgrade impact score

dervoeti · dervoeti · commit 1be46da13b3d · 2024-12-19T21:28:50.000+01:00
diff --git a/backend/application/core/api/filters.py b/backend/application/core/api/filters.py
@@ -272,6 +272,7 @@ def get_has_completed_assessment(
             ("last_observation_log", "last_observation_log"),
             ("epss_score", "epss_score"),
             ("stackable_score", "stackable_score"),
+            ("upgrade_impact_score", "upgrade_impact_score"),
             ("origin_component_location", "origin_component_location"),
             ("has_potential_duplicates", "has_potential_duplicates"),
             ("patch_available", "patch_available"),
diff --git a/backend/application/core/migrations/0067_observation_upgrade_impact_score.py b/backend/application/core/migrations/0067_observation_upgrade_impact_score.py
@@ -0,0 +1,25 @@
+# Generated by Django 5.1.4 on 2024-12-19 19:31
+
+import django.core.validators
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0066_merge_20241216_1336"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="observation",
+            name="upgrade_impact_score",
+            field=models.IntegerField(
+                null=True,
+                validators=[
+                    django.core.validators.MinValueValidator(0),
+                    django.core.validators.MaxValueValidator(999999),
+                ],
+            ),
+        ),
+    ]
diff --git a/backend/application/core/migrations/0068_observation_core_observ_upgrade_f3aeed_idx.py b/backend/application/core/migrations/0068_observation_core_observ_upgrade_f3aeed_idx.py
@@ -0,0 +1,25 @@
+# Generated by Django 5.1.4 on 2024-12-19 19:42
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("core", "0067_observation_upgrade_impact_score"),
+        (
+            "import_observations",
+            "0010_vulnerability_check_last_import_licenses_deleted_and_more",
+        ),
+        ("rules", "0017_alter_rule_approval_remark"),
+        ("vex", "0007_alter_csaf_tracking_current_release_date_and_more"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="observation",
+            index=models.Index(
+                fields=["upgrade_impact_score"], name="core_observ_upgrade_f3aeed_idx"
+            ),
+        ),
+    ]
diff --git a/backend/application/core/models.py b/backend/application/core/models.py
@@ -678,6 +678,9 @@ class Observation(Model):
         on_delete=SET_NULL,
     )
     risk_acceptance_expiry_date = DateField(null=True)
+    upgrade_impact_score = IntegerField(
+        null=True, validators=[MinValueValidator(0), MaxValueValidator(999999)]
+    )
 
     class Meta:
         indexes = [
@@ -701,6 +704,7 @@ class Meta:
             Index(fields=["patch_available"]),
             Index(fields=["in_vulncheck_kev"]),
             Index(fields=["exploit_available"]),
+            Index(fields=["upgrade_impact_score"]),
         ]
 
     def __str__(self):
diff --git a/backend/application/import_observations/parsers/cyclone_dx/parser.py b/backend/application/import_observations/parsers/cyclone_dx/parser.py
@@ -321,6 +321,35 @@ def _create_observations(  # pylint: disable=too-many-locals
                             component, recommendation
                         )
 
+                        upgrade_impact_score = 0
+                        if patched_versions:
+
+                            def parse_version(version: str):
+                                version = version.split("-")[0]
+                                # Remove everything that is not a number or a dot
+                                version = "".join(
+                                    [c for c in version if c.isdigit() or c == "."]
+                                )
+                                rettuple = tuple(map(int, version.split(".")[:3]))
+                                for _ in range(3 - len(rettuple)):
+                                    rettuple += (0,)
+                                return rettuple
+
+                            v1 = parse_version(component.version)
+                            lowest_impact_score = 9999999
+                            patched_versions_split = patched_versions.split(",")
+                            for patched_version in patched_versions_split:
+                                v2 = parse_version(patched_version)
+                                major_diff = abs(v2[0] - v1[0])
+                                minor_diff = abs(v2[1] - v1[1])
+                                patch_diff = abs(v2[2] - v1[2])
+                                upgrade_impact_score = (
+                                    major_diff * 100 + minor_diff * 10 + patch_diff
+                                )
+                                if upgrade_impact_score < lowest_impact_score:
+                                    lowest_impact_score = upgrade_impact_score
+                            upgrade_impact_score = lowest_impact_score
+
                         observation = Observation(
                             title=title,
                             description=description,
@@ -342,6 +371,7 @@ def _create_observations(  # pylint: disable=too-many-locals
                             origin_source_file=self.metadata.file,
                             origin_component_location=component_location,
                             patched_in_versions=patched_versions,
+                            upgrade_impact_score=upgrade_impact_score,
                             patch_available=bool(patched_versions),
                         )
 
@@ -484,12 +514,15 @@ def _get_component_location(self, component_json: dict[str, str]) -> str:
     def _get_patched_versions(self, component: Component, recommendation: str) -> str:
         if not recommendation:
             return ""
+        component_name = re.sub(r":\d+", "", component.name)
 
         group = re.search(
-            r"Upgrade (\S+:)?" + component.name + r" to version ([a-z0-9\.\-_\s,]+)",
+            r"Upgrade (\S+:)?"
+            + component_name
+            + r" to version (\d+:)?([a-z0-9\.\-_\s,]+)",
             recommendation,
         )
         if group:
-            return group.group(2)
+            return group.group(3)
 
         return ""
diff --git a/frontend/src/core/observations/ObservationList.tsx b/frontend/src/core/observations/ObservationList.tsx
@@ -140,6 +140,7 @@ const ObservationList = () => {
                         <ChipField source="current_status" label="Status" />
                         <NumberField source="epss_score" label="EPSS" />
                         <NumberField source="stackable_score" label="Stackable Score" />
+                        <NumberField source="upgrade_impact_score" label="Upgrade Impact Score" />
                         {/* <TextField source="origin_service_name" label="Service" /> */}
                         <TextField
                             source="origin_component_name_version"
diff --git a/frontend/src/core/types.ts b/frontend/src/core/types.ts
@@ -104,6 +104,7 @@ export interface Observation extends RaRecord {
     epss_score: number;
     epss_percentile: number;
     stackable_score: number;
+    upgrade_impact_score: number;
     cwe: number;
     found: Date;
     scanner: string;
