Replace custom CVSS validation with cvss_suite gem
What does this MR do and why?
The first iteration of CVSS validation (!97327 (merged)) was a custom implementation. However, there exists a gem which does everything we want to do and should involve lower maintenance overhead. This change switches to the gem and removes the custom implementation.
Although this MR also adds CVSS v2 validation, it does not need a changelog entry because the validation is not user facing. These records will be created by a background process as part of #363545 (closed).
About the gem
- Repo: https://github.com/0llirocks/cvss-suite
- RubyGems: https://rubygems.org/gems/cvss-suite
- License: MIT ✅
- Ruby 3 compat: 3.0 and 3.1 ✅
- Uses C extensions: No ✅
How to set up and validate locally
- Start the rails console and run this code:

```ruby
# Load the EE factories so the vulnerability_advisory factory is available
FactoryBot.definition_file_paths = [
  Rails.root.join('ee', 'spec', 'factories')
]
FactoryBot.find_definitions

advisory = FactoryBot.build(:vulnerability_advisory)
advisory.valid? # factory defaults carry a well-formed vector

# "INVALID" is not an allowed value for the A (availability) metric
advisory.cvss_v3 = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:INVALID"
advisory.valid?
```
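To make concrete what the validation has to reject (for example the `A:INVALID` value in the vector above), here is a stand-alone CVSS v3.x base-vector checker in plain Ruby, which also goes a step further than the validation step and computes the v3.1 base score. It is an added illustration written for this description, not code from the cvss_suite gem or from GitLab; the method names `parse_cvss3`, `cvss3_roundup` and `cvss3_base_score` are my own, and in the MR itself the validation is done by the gem.

```ruby
# Base-metric weights from the CVSS v3.1 specification.
CVSS3_METRICS = {
  'AV' => { 'N' => 0.85, 'A' => 0.62, 'L' => 0.55, 'P' => 0.2 },
  'AC' => { 'L' => 0.77, 'H' => 0.44 },
  'PR' => { 'N' => 0.85, 'L' => 0.62, 'H' => 0.27 }, # L/H differ under S:C, see below
  'UI' => { 'N' => 0.85, 'R' => 0.62 },
  'S'  => { 'U' => nil, 'C' => nil },                 # scope has no weight of its own
  'C'  => { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 },
  'I'  => { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 },
  'A'  => { 'H' => 0.56, 'L' => 0.22, 'N' => 0.0 }
}.freeze
CVSS3_PR_SCOPE_CHANGED = { 'L' => 0.68, 'H' => 0.5 }.freeze

# Parses a v3.0/v3.1 base vector: [metrics, nil] when valid, [nil, reason] otherwise.
def parse_cvss3(vector)
  prefix, *parts = vector.to_s.split('/')
  return [nil, 'missing CVSS:3.0 or CVSS:3.1 prefix'] unless %w[CVSS:3.0 CVSS:3.1].include?(prefix)
  metrics = {}
  parts.each do |part|
    name, value = part.split(':', 2)
    return [nil, "unknown metric #{name.inspect}"] unless CVSS3_METRICS.key?(name)
    return [nil, "duplicate metric #{name}"] if metrics.key?(name)
    return [nil, "invalid value #{part}"] unless CVSS3_METRICS[name].key?(value)
    metrics[name] = value
  end
  missing = CVSS3_METRICS.keys - metrics.keys
  return [nil, "missing base metrics: #{missing.join(', ')}"] unless missing.empty?
  [metrics, nil]
end

# CVSS v3.1 "Roundup" done on integers, so float noise such as 4.0000001 cannot push a score up a notch.
def cvss3_roundup(value)
  i = (value * 100_000).round
  (i % 10_000).zero? ? i / 100_000.0 : (i / 10_000 + 1) / 10.0
end

# Base score per the v3.1 equations; raises ArgumentError on an invalid vector.
def cvss3_base_score(vector)
  m, err = parse_cvss3(vector)
  raise ArgumentError, err if err
  changed = m['S'] == 'C'
  w = ->(name) { CVSS3_METRICS[name][m[name]] }
  iss = 1 - (1 - w['C']) * (1 - w['I']) * (1 - w['A'])
  impact = changed ? 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02)**15 : 6.42 * iss
  pr = changed ? (CVSS3_PR_SCOPE_CHANGED[m['PR']] || w['PR']) : w['PR']
  exploitability = 8.22 * w['AV'] * w['AC'] * pr * w['UI']
  return 0.0 if impact <= 0
  total = changed ? 1.08 * (impact + exploitability) : impact + exploitability
  cvss3_roundup([total, 10].min)
end
```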
MR acceptance checklist
This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.
- I have evaluated the MR acceptance checklist for this MR.
Edited by Brian Williams