Bug 1691033 - [RFE] Vulnerability App: include CVE details like RHSA, Package, score calculation without requiring to leave the portal
Keywords:
Status: NEW
Alias: None
Product: Red Hat Insights
Classification: Red Hat
Component: Pilot
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Mohit Goyal
QA Contact: Rob Williams
Kevin Blake
URL:
Whiteboard:
Depends On:
Blocks: 1122832
Reported: 2019-03-20 16:54 UTC by Peter Vreman
Modified: 2019-03-29 16:06 UTC

Description Peter Vreman 2019-03-20 16:54:43 UTC
Description of problem:
Include in the CVE table the RHSA errata for it. The RHSA numbers are what I am used to, and they are also used in the errata notifications sent by the portal and shown in the Satellite content views under errata.



Comment 1 Dave Johnson 2019-03-20 17:15:09 UTC
Please assess the impact of this issue and update the severity accordingly.  Please refer to https://bugzilla.redhat.com/page.cgi?id=fields.html#bug_severity for a reminder on each severity's definition.

If it's something like a tracker bug where it doesn't matter, please set the severity to Low.

Comment 2 Mohit Goyal 2019-03-21 15:09:05 UTC
Peter, I have a question for you on this one. Once you click on a specific CVE, there is an option where we have a link in the details view of a CVE that is called "Red Hat CVE Database". The "Red Hat CVE Database" is the link to I think what you're calling the RHSA. Are you asking for this link to be placed within the table or are you referring to a completely different thing altogether? If it's easier to discuss, we can do so in our next call.

Comment 3 Peter Vreman 2019-03-21 15:29:02 UTC
My persona is that of a Satellite user and I talk only in Errata and not in CVE numbers.

The link 'Red Hat CVE Database' is too little information for me inside the Portal. I doubted yesterday if I filed a BZ on the CVE details on the screen, but noticed that the CVE description matched the CVE database description already.
I do not want to leave the portal and then start reading/parsing a new document to find the relevant information I need to make a decision.

E.g. having the section below included in the CVE details would fit my needs for information.
--------
Red Hat Security Errata
Platform 	Errata 	Release Date
Red Hat Enterprise Linux 7 (cloud-init) 	RHSA-2019:0597 	2019-03-18
----------

Maybe also the CVSS score that is shown already can have an expandable section to provide the details from the CVE-database.

Having this information accessible directly provides much more information about what and how the CVE affects the mentioned systems.

In the example above, directly showing that the cloud-init package is affected would save me further parsing of information and directly help in estimating what to do with the CVE.

Comment 4 Mohit Goyal 2019-03-21 15:45:41 UTC
Thanks Peter. This is helpful. I have a few more questions on this one that I'll save until our next call. 

Having said this, one point of context I wanted to provide is that the way I'm approaching the Vulnerability app is such that non-Satellite users can use it without having to know Red Hat specific or Satellite specific terminology. At some point in the future, we will expand the capabilities of CSfR such that role-based access control can be given to the security teams in an organization and they will use industry-known terms. That doesn't prevent us from adding valuable nuggets such as including a link to the RHSA, as you have pointed out. But I thought knowing this will help as you continue to use the application. Happy to answer any questions about this when we speak next week.

Comment 9 Peter Vreman 2019-03-22 16:29:28 UTC
Mohit

Thanks for the answer and explanation of the target audience.

My interpretation of the current tool is that it is focussed on the sysadm due to the tight and prominent integration of Ansible.
If different audiences are targeted then it might be better to have for each a different presentation/view to suit their needs. If I was a Security person then I do not want to be bothered/distracted with anything that is Ansible related. Then I want to focus on reports and status. But I think multiple views is a different RFE.

Back to the topic.
When I was writing the comment in the BZ I was also going more in the direction that the list of RHSA errata shall be only in an expandable part (preferred to have the expansion state persistent across logins and errata) and not in the table itself, as there might be multiple RHSAs and fitting multiple items in a single cell is also not quickly readable.


Peter

