fix(vulnerability): adapt API to v13s risk-tier model#452
Draft
ybelMekk wants to merge 15 commits into
…checker - Add priorityActNow, priorityHigh, priorityElevated, priorityMonitor fields to ImageVulnerabilitySummary model - Expose priority fields in vulnerability.graphqls and GraphQL resolvers - Add VULNERABILITY_PRIORITY_ACT_NOW and VULNERABILITY_PRIORITY_HIGH sort fields - Add ExternalIngressActNowVulnerabilityIssue type and issue checker - Map priority signals (EPSS, KEV, ransomware) via VulnerabilityPrioritySignals - Bump golang.org/x/net to v0.55.0 and golang.org/x/crypto to v0.52.0 to fix known vulnerabilities - Update v13s/pkg/api to v0.0.0-20260525171357-13563f32226d (priority_elevated, priority_monitor support)
…; fix ExternalIngressActNow resolver stubs; add priority sort fields
…rebase onto main)
…ounts for terminal states
f9eb406 to
3a773f3
Contributor
Pull request overview
Updates the vulnerability domain in nais/api to match the latest v13s “risk-tier” model, while keeping GraphQL/API naming stable and exposing additional CVE signal data needed by the frontend.
Changes:
- Adds EPSS/KEV/ransomware signals (and fix version) to `ImageVulnerability`, and introduces derived `CVEPriority` on `CVE`.
- Extends sorting/filtering to support priority-based ordering for image vulnerabilities, CVEs, and workload vulnerability summaries.
- Updates issue generation to use tier counts (ACT_NOW/HIGH_RISK) and introduces a new issue type for external-ingress workloads with ACT_NOW vulnerabilities.
Reviewed changes
Copilot reviewed 15 out of 19 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| internal/vulnerability/transform.go | Maps new CVE signal fields and tier summary fields into API models. |
| internal/vulnerability/transform_test.go | Adds unit tests for CVE priority derivation. |
| internal/vulnerability/sortfilter.go | Registers new sort fields for priority/tier counts. |
| internal/vulnerability/queries.go | Adds priority ordering for CVEs and hardens totalCount → int32 conversion. |
| internal/vulnerability/models.go | Extends models with CVE priority enum + new fields (EPSS/KEV/etc). |
| internal/vulnerability/fake/fakedata.go | Updates fake vulnerability summaries/findings to include tier and signal fields. |
| internal/issue/queries.go | Adds conversion support for the new issue type details payload. |
| internal/issue/model.go | Defines the new issue type and its details struct. |
| internal/issue/checker/workload_v13s.go | Updates issue logic to use tier counts; adds external-ingress ACT_NOW issue emission. |
| internal/graph/schema/vulnerability.graphqls | Extends public GraphQL schema with new fields/enums/sort options. |
| internal/graph/schema/issues.graphqls | Adds the new issue type + GraphQL type. |
| internal/graph/issues.resolvers.go | Wires resolvers for the new issue GraphQL type. |
| internal/graph/gengql/vulnerability.generated.go | Regenerates gqlgen output for vulnerability schema changes. |
| internal/graph/gengql/schema.generated.go | Regenerates gqlgen output for schema/type additions. |
| internal/graph/gengql/root_.generated.go | Regenerates gqlgen resolver root + complexity updates. |
| internal/graph/gengql/issues.generated.go | Regenerates gqlgen output for the new issue type. |
| integration_tests/issues_for_team.lua | Updates expected message/severity for vulnerable image issues. |
| go.mod | Bumps v13s API dependency to include risk-tier summary model updates. |
| go.sum | Updates dependency checksums accordingly. |
Files not reviewed (3)
- internal/graph/gengql/issues.generated.go: Language not supported
- internal/graph/gengql/schema.generated.go: Language not supported
- internal/graph/gengql/vulnerability.generated.go: Language not supported
Scope
api to the latest v13s risk-tier model `ImageVulnerability` for frontend use.
What changed
- v13s dependency (`github.com/nais/v13s/pkg/api`) `feat/risk-tier-summary-model` updates (current branch tip includes `5ff2f40`).
- `RiskTier` proto enum uses explicit zero sentinel: `RISK_TIER_UNSPECIFIED=0`, `ACT_NOW=1`, `HIGH_RISK=2`, `ELEVATED_RISK=3`, `MONITOR=4`
- `cve.priority` is restored and used for per-CVE sorting (`priority_asc`/`priority_desc`).
- `top_risk_tier` remains in the summary model and is used for summary-level filtering/sorting.
API behavior updates
- `ACT_NOW`, `HIGH`, `ELEVATED`, `MONITOR`
- `ImageVulnerability` now exposes inline CVE signal fields: `hasKevEntry`, `knownRansomwareUse`, `epssScore`, `epssPercentile`
- `fixVersion`
- `ImageVulnerabilityOrderField.PRIORITY` -> `OrderByPriority`
- `CVEOrderField.PRIORITY` -> `OrderByPriority`
- `RISK_TIER_UNSPECIFIED` is handled explicitly (no silent fallback to `MONITOR`).
Validation
- `mise run generate:graphql`
- `go build ./...`
- `go test ./internal/vulnerability/... -count=1`
Notes
- `mise run check` findings in unrelated areas (gosec/deadcode) are unchanged.
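Worked example of the explicit zero-sentinel handling the description calls out. This is added illustration, not code from nais/api or v13s: it places a mapping that silently falls through to `MONITOR` beside one that surfaces `RISK_TIER_UNSPECIFIED` as an error and propagates that error into the per-image tier counts, so a finding whose tier was never set cannot quietly land in the least urgent bucket. Only the enum values and the tier names come from the PR; the Go type, constant, function and struct names are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// RiskTier mirrors the v13s proto enum values quoted in the PR description
// (RISK_TIER_UNSPECIFIED=0 ... MONITOR=4). The type and constant names are
// assumptions for this example, not the generated package's identifiers.
type RiskTier int32

const (
	RiskTierUnspecified  RiskTier = 0
	RiskTierActNow       RiskTier = 1
	RiskTierHighRisk     RiskTier = 2
	RiskTierElevatedRisk RiskTier = 3
	RiskTierMonitor      RiskTier = 4
)

// Priority is the API-facing tier (ACT_NOW/HIGH/ELEVATED/MONITOR as listed
// in the PR description); the Go type name is an assumption.
type Priority string

const (
	PriorityActNow   Priority = "ACT_NOW"
	PriorityHigh     Priority = "HIGH"
	PriorityElevated Priority = "ELEVATED"
	PriorityMonitor  Priority = "MONITOR"
)

// ErrUnspecifiedRiskTier is returned instead of guessing a tier.
var ErrUnspecifiedRiskTier = errors.New("risk tier unspecified")

// LenientPriority is the pattern the PR avoids: any value the switch does not
// name, including the zero sentinel, silently becomes MONITOR.
func LenientPriority(t RiskTier) Priority {
	switch t {
	case RiskTierActNow:
		return PriorityActNow
	case RiskTierHighRisk:
		return PriorityHigh
	case RiskTierElevatedRisk:
		return PriorityElevated
	default:
		return PriorityMonitor
	}
}

// StrictPriority maps each known tier explicitly and turns the zero sentinel
// or any unknown value into an error the caller has to handle.
func StrictPriority(t RiskTier) (Priority, error) {
	switch t {
	case RiskTierActNow:
		return PriorityActNow, nil
	case RiskTierHighRisk:
		return PriorityHigh, nil
	case RiskTierElevatedRisk:
		return PriorityElevated, nil
	case RiskTierMonitor:
		return PriorityMonitor, nil
	case RiskTierUnspecified:
		return "", ErrUnspecifiedRiskTier
	default:
		return "", fmt.Errorf("unknown risk tier value %d", int32(t))
	}
}

// TierCounts is the per-image summary shape (priorityActNow and friends) the
// PR adds; the field names here are the example's own.
type TierCounts struct {
	ActNow, High, Elevated, Monitor int
}

// SummarizeTiers counts findings per tier and refuses to produce a summary
// when any finding's tier is unspecified, rather than undercounting risk.
func SummarizeTiers(tiers []RiskTier) (TierCounts, error) {
	var c TierCounts
	for i, t := range tiers {
		p, err := StrictPriority(t)
		if err != nil {
			return TierCounts{}, fmt.Errorf("finding %d: %w", i, err)
		}
		switch p {
		case PriorityActNow:
			c.ActNow++
		case PriorityHigh:
			c.High++
		case PriorityElevated:
			c.Elevated++
		case PriorityMonitor:
			c.Monitor++
		}
	}
	return c, nil
}

func main() {
	// Constructed sample: the third finding never had its tier set.
	sample := []RiskTier{RiskTierActNow, RiskTierHighRisk, RiskTierUnspecified}
	fmt.Println("lenient:", LenientPriority(sample[2])) // MONITOR, silently
	if _, err := SummarizeTiers(sample); err != nil {
		fmt.Println("strict:", err)
	}
}
```

The design choice is that the summary fails closed: an image with an unmapped tier produces an error the resolver can log and surface, instead of a summary whose `MONITOR` count quietly absorbs findings that may in fact be `ACT_NOW`.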