From 921898c425e8b52275718a4b01dfab2ea8353ea3 Mon Sep 17 00:00:00 2001
From: Tushar Goel <tushar.goel.dav@gmail.com>
Date: Fri, 17 Jan 2025 17:32:38 +0530
Subject: [PATCH] Address review comments

Signed-off-by: Tushar Goel <tushar.goel.dav@gmail.com>
---
 .../templates/vulnerability_details.html      | 103 ++++++++++++++++++
 .../vulnerability_package_details.html        |  22 +---
 vulnerabilities/views.py                      |  23 +++-
 3 files changed, 129 insertions(+), 19 deletions(-)

diff --git a/vulnerabilities/templates/vulnerability_details.html b/vulnerabilities/templates/vulnerability_details.html
index 4005c663c..e1ca6e4fd 100644
--- a/vulnerabilities/templates/vulnerability_details.html
+++ b/vulnerabilities/templates/vulnerability_details.html
@@ -47,6 +47,13 @@
                         </span>
                     </a>
                 </li>
+                <li data-tab="severities-vectors">
+                    <a>
+                        <span>
+                            Severity details ({{ severity_vectors|length }})
+                        </span>
+                    </a>
+                </li>
 
                 {% if vulnerability.exploits %}
                     <li data-tab="exploits">
@@ -398,6 +405,102 @@
                     </tr>
                 {% endfor %}
             </div>
+        
+            <div class="tab-div content" data-content="severities-vectors">
+                {% for severity_vector in severity_vectors %}
+                    {% if severity_vector.version == '2.0'  %}
+                        Vector: {{ severity_vector.vectorString }}
+                        <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
+                          <tr>
+                            <th>Exploitability (E)</th>
+                            <th>Access Vector (AV)</th>
+                            <th>Access Complexity (AC)</th>
+                            <th>Authentication (Au)</th>
+                            <th>Confidentiality Impact (C)</th>
+                            <th>Integrity Impact (I)</th>
+                            <th>Availability Impact (A)</th>
+                          </tr>
+                          <tr>
+                            <td>{{ severity_vector.exploitability|cvss_printer:"high,functional,unproven,proof_of_concept,not_defined" }}</td>
+                            <td>{{ severity_vector.accessVector|cvss_printer:"local,adjacent_network,network" }}</td>
+                            <td>{{ severity_vector.accessComplexity|cvss_printer:"high,medium,low" }}</td>
+                            <td>{{ severity_vector.authentication|cvss_printer:"multiple,single,none" }}</td>
+                            <td>{{ severity_vector.confidentialityImpact|cvss_printer:"none,partial,complete" }}</td>
+                            <td>{{ severity_vector.integrityImpact|cvss_printer:"none,partial,complete" }}</td>
+                            <td>{{ severity_vector.availabilityImpact|cvss_printer:"none,partial,complete" }}</td>
+                          </tr>
+                        </table>
+                    {% elif severity_vector.version == '3.1' or severity_vector.version == '3.0'%}
+                        Vector: {{ severity_vector.vectorString }}
+                        <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
+                              <tr>
+                                <th>Attack Vector (AV)</th>
+                                <th>Attack Complexity (AC)</th>
+                                <th>Privileges Required (PR)</th>
+                                <th>User Interaction (UI)</th>
+                                <th>Scope (S)</th>
+                                <th>Confidentiality Impact (C)</th>
+                                <th>Integrity Impact (I)</th>
+                                <th>Availability Impact (A)</th>
+                              </tr>
+                              <tr>
+                                <td>{{ severity_vector.attackVector|cvss_printer:"network,adjacent_network,local,physical"}}</td>
+                                <td>{{ severity_vector.attackComplexity|cvss_printer:"low,high" }}</td>
+                                <td>{{ severity_vector.privilegesRequired|cvss_printer:"none,low,high" }}</td>
+                                <td>{{ severity_vector.userInteraction|cvss_printer:"none,required"}}</td>
+                                <td>{{ severity_vector.scope|cvss_printer:"unchanged,changed" }}</td>
+                                <td>{{ severity_vector.confidentialityImpact|cvss_printer:"high,low,none" }}</td>
+                                <td>{{ severity_vector.integrityImpact|cvss_printer:"high,low,none" }}</td>
+                                <td>{{ severity_vector.availabilityImpact|cvss_printer:"high,low,none" }}</td>
+                              </tr>
+                            </table>
+                    {% elif severity_vector.version == '4' %}
+                        Vector: {{ severity_vector.vectorString }}
+                        <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth gray-header-border">
+                              <tr>
+                                <th>Attack Vector (AV)</th>
+                                <th>Attack Complexity (AC)</th>
+                                <th>Attack Requirements (AT)</th>
+                                <th>Privileges Required (PR)</th>
+                                <th>User Interaction (UI)</th>
+
+                                <th>Vulnerable System Impact Confidentiality (VC)</th>
+                                <th>Vulnerable System Impact Integrity (VI)</th>
+                                <th>Vulnerable System Impact Availability (VA)</th>
+
+                                <th>Subsequent System Impact Confidentiality (SC)</th>
+                                <th>Subsequent System Impact Integrity (SI)</th>
+                                <th>Subsequent System Impact Availability (SA)</th>
+                              </tr>
+                              <tr>
+                                <td>{{ severity_vector.attackVector|cvss_printer:"network,adjacent,local,physical"}}</td>
+                                <td>{{ severity_vector.attackComplexity|cvss_printer:"low,high" }}</td>
+                                <td>{{ severity_vector.attackRequirement|cvss_printer:"none,present" }}</td>
+                                <td>{{ severity_vector.privilegesRequired|cvss_printer:"none,low,high" }}</td>
+                                <td>{{ severity_vector.userInteraction|cvss_printer:"none,passive,active"}}</td>
+
+                                <td>{{ severity_vector.vulnerableSystemImpactConfidentiality|cvss_printer:"high,low,none" }}</td>
+                                <td>{{ severity_vector.vulnerableSystemImpactIntegrity|cvss_printer:"high,low,none" }}</td>
+                                <td>{{ severity_vector.vulnerableSystemImpactAvailability|cvss_printer:"high,low,none" }}</td>
+
+                                <td>{{ severity_vector.subsequentSystemImpactConfidentiality|cvss_printer:"high,low,none" }}</td>
+                                <td>{{ severity_vector.subsequentSystemImpactIntegrity|cvss_printer:"high,low,none" }}</td>
+                                <td>{{ severity_vector.subsequentSystemImpactAvailability|cvss_printer:"high,low,none" }}</td>
+                              </tr>
+                            </table>
+                    {% elif severity_vector.version == 'ssvc' %}
+                        <hr/>
+                        Vector: {{ severity_vector.vectorString }}
+                        <hr/>
+                    {% endif %}
+                    {% empty %}
+                        <tr>
+                            <td>
+                                There are no known vectors.
+                            </td>
+                        </tr>
+                    {% endfor %}
+            </div>
 
         
         <div class="tab-div content" data-content="epss">
diff --git a/vulnerabilities/templates/vulnerability_package_details.html b/vulnerabilities/templates/vulnerability_package_details.html
index 1eb3cc4ce..21fb52192 100644
--- a/vulnerabilities/templates/vulnerability_package_details.html
+++ b/vulnerabilities/templates/vulnerability_package_details.html
@@ -6,7 +6,7 @@
 {% load url_filters %}
 
 {% block title %}
-VulnerableCode Vulnerability Details - {{ vulnerability.vulnerability_id }}
+VulnerableCode Vulnerability Package Details - {{ vulnerability.vulnerability_id }}
 {% endblock %}
 
 {% block content %}
@@ -16,27 +16,14 @@
     <div class="details-container">
         <article class="panel is-info panel-header-only">
             <div class="panel-heading py-2 is-size-6">
-                Vulnerability details:
+                Vulnerable and Fixing Package details for Vulnerability:
                 <span class="tag is-white custom">
                     {{ vulnerability.vulnerability_id }}
                 </span>
             </div>
         </article>
-
-        <div class="tabs is-boxed" id="tabs">
-            <ul>
-                <li data-tab="affected-fixed-by">
-                    <a>
-                        <span>
-                            Affected/Fixed by packages ({{ affected_packages|length }}/{{ fixed_by_packages|length }})
-                        </span>
-                    </a>
-                </li>
-            </ul>
-        </div>
-        <div id="tab-content">
-            <div class="tab-div is-active" data-content="affected-fixed-by">
-                <table class="table is-bordered is-striped is-narrow is-hoverable is-fullwidth">
+            <div id="tab-content">
+                <table class="table vcio-table width-100-pct mt-2">
                     <thead>
                         <tr>
                             <th style="width: 50%;">Affected</th>
@@ -76,7 +63,6 @@
                     </tbody>
                 </table>
             </div>
-        </div>
     </div>
 </section>
 {% endif %}
diff --git a/vulnerabilities/views.py b/vulnerabilities/views.py
index 8d29d140f..5cea2e689 100644
--- a/vulnerabilities/views.py
+++ b/vulnerabilities/views.py
@@ -182,12 +182,33 @@ def get_context_data(self, **kwargs):
             if weakness_object.weakness
         ]
 
+        severity_vectors = []
+        severity_values = set()
+        for s in self.object.severities.all():
+            if s.scoring_system == EPSS.identifier:
+                continue
+
+            if s.scoring_elements and s.scoring_system in SCORING_SYSTEMS:
+                try:
+                    vector_values = SCORING_SYSTEMS[s.scoring_system].get(s.scoring_elements)
+                    severity_vectors.append(vector_values)
+                except (
+                    CVSS2MalformedError,
+                    CVSS3MalformedError,
+                    CVSS4MalformedError,
+                    NotImplementedError,
+                ):
+                    logging.error(f"CVSSMalformedError for {s.scoring_elements}")
+
+            if s.value:
+                severity_values.add(s.value)
+
         context.update(
             {
                 "vulnerability": vulnerability,
                 "vulnerability_search_form": VulnerabilitySearchForm(self.request.GET),
                 "severities": list(vulnerability.severities.all()),
-                "severity_score_range": "",
+                "severity_vectors": severity_vectors,
                 "references": list(vulnerability.references.all()),
                 "aliases": list(vulnerability.aliases.all()),
                 "weaknesses": weaknesses_present_in_db,