
106 vulnerabilities notification #220

Merged: 12 commits from 106-vulnerabilities-notification into main, Jan 8, 2025

Conversation

@tdruez (Contributor) commented Dec 30, 2024

@tdruez (Contributor, Author) commented Jan 2, 2025

@DennisClark Progress on the notification implementation:

The current implementation includes 2 notification systems:

1. Internal notification

To receive internal notifications about vulnerability data, a new User "Vulnerability impact notification" field was added.

[Screenshot, 2025-01-02 17:54: the new "Vulnerability impact notification" field on the User form]

Users with this flag activated will receive notifications each time new vulnerabilities are found during the daily data update process.

[Screenshot, 2025-01-02 19:25: internal notification listing newly found vulnerabilities]

Those notifications include links to the Vulnerabilities and Package list view filtered by impacted items.

2. Webhook notification

A new vulnerability.data_update event was added in the Webhook system. This event is also triggered each time the vulnerability data update process is completed.
A DejaCode admin can define Webhooks, such as a Slack notification, to be triggered on this event.

For example:
[Screenshot, 2025-01-02 18:03: Webhook configured for the vulnerability.data_update event]
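As an added illustration (not DejaCode's own code and not part of this PR), the following sketch models the two notification paths described in the comment above: an internal notification sent only to users who opted in via the new User flag, with links to list views filtered to the impacted items, and a webhook delivery fired only for hooks registered on the `vulnerability.data_update` event. The event name comes from the comment; the flag field name, the URL query parameters, the webhook payload shape, the `X-Signature-256` header and the HMAC signing of the body are this example's assumptions.

```python
"""Hypothetical sketch of the two notification paths described in the PR comment.

Added illustration, not DejaCode's code: the User flag name, the URL query
parameters, the payload shape and the HMAC signature header are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from urllib.parse import urlencode

EVENT_DATA_UPDATE = "vulnerability.data_update"  # event name taken from the PR comment


@dataclass
class User:
    username: str
    vulnerability_impact_notification: bool = False  # assumed field name for the new flag


@dataclass
class Vulnerability:
    vulnerability_id: str                        # e.g. a VCID
    affected_packages: list = field(default_factory=list)


@dataclass
class Webhook:
    target_url: str
    event: str                                   # event the hook subscribes to
    secret: bytes                                # shared with the receiver (assumption)


def build_internal_notifications(users, new_vulns, base_url="https://dejacode.example"):
    """One notification per opted-in user, linking to list views filtered to the impacted items."""
    if not new_vulns:
        return []  # nothing new found during the daily update: stay quiet
    vuln_ids = sorted(v.vulnerability_id for v in new_vulns)
    package_ids = sorted({p for v in new_vulns for p in v.affected_packages})
    # Query parameter names are assumptions, not DejaCode's URL scheme.
    vuln_link = f"{base_url}/vulnerabilities/?{urlencode({'vulnerability_id': ','.join(vuln_ids)})}"
    package_link = f"{base_url}/packages/?{urlencode({'uuid': ','.join(package_ids)})}"
    message = (
        f"{len(vuln_ids)} new vulnerabilities affecting {len(package_ids)} packages.\n"
        f"Vulnerabilities: {vuln_link}\nPackages: {package_link}"
    )
    return [
        {"recipient": u.username, "message": message}
        for u in users
        if u.vulnerability_impact_notification  # only users who opted in are notified
    ]


def dispatch_webhooks(webhooks, event, payload):
    """Return (url, headers, body) deliveries for every hook subscribed to `event`."""
    body = json.dumps({"event": event, "data": payload}, sort_keys=True).encode()
    deliveries = []
    for hook in webhooks:
        if hook.event != event:
            continue  # a hook registered for another event must not fire
        signature = hmac.new(hook.secret, body, hashlib.sha256).hexdigest()
        headers = {
            "Content-Type": "application/json",
            "X-Signature-256": f"sha256={signature}",  # header name is this example's choice
        }
        deliveries.append((hook.target_url, headers, body))
    return deliveries


def verify_webhook(secret, headers, body):
    """Receiver side: constant-time signature check before trusting the body."""
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, headers.get("X-Signature-256", ""))


if __name__ == "__main__":
    # Constructed sample data, not taken from any real DejaCode instance.
    users = [User("alice", True), User("bob", False)]
    vulns = [Vulnerability("VCID-aaaa-bbbb-cccc", ["pkg-1", "pkg-2"])]
    hooks = [
        Webhook("https://hooks.slack.example/T000/B000", EVENT_DATA_UPDATE, b"shared-secret"),
        Webhook("https://other.example/hook", "package.created", b"other"),
    ]
    for note in build_internal_notifications(users, vulns):
        print(note["recipient"], "<-", note["message"].splitlines()[0])
    for url, headers, body in dispatch_webhooks(hooks, EVENT_DATA_UPDATE, {"new_vulnerabilities": 1}):
        print(url, verify_webhook(b"shared-secret", headers, body))
```

The two points a practitioner would check here are that users without the flag receive nothing and that only hooks registered for `vulnerability.data_update` fire; the signature header is an extra the page does not describe, included because a Slack-style receiver has no other way to tell a genuine delivery from a forged POST.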

@DennisClark (Member) commented

@tdruez the new notification looks good for both vulnerabilities and packages, but as a user I get slightly confused when I see the filtered lists but there is no way (other than manually editing the URL) for me to get that list view again other than through the original notification. The sort feature on the vulnerabilities list is helpful, but still not quite the same. Perhaps we need some way to filter on the date field, sort of like the today/last-7-days/this-month/this-year filter that we have in the admin browse forms. This concern is not a show-stopper, so I think it's ok if we make it a separate issue and deal with it later.

Not really in the scope of this issue I suppose, but I noticed that when I click on a Vulnerability VCID it takes at least 20 seconds to open that vulnerability in public2. I opened public and pasted a VCID there and it also seems really sluggish. I suppose it might have something to do with the high number of affected packages. Do you know if there are performance improvements that still need to be deployed on our public and public2 servers? I am concerned that the really slow response could be rather annoying to a DejaCode user, even though it is a VCIO problem. (Maybe a message such as "Getting affected packages list ..." would take care of it.) Please suggest what we ought to do, if anything, about this, thanks.

@tdruez (Contributor, Author) commented Jan 3, 2025

> Not really in the scope of this issue I suppose, but I noticed that when I click on a Vulnerability VCID it takes at least 20 seconds to open that vulnerability in public2

Entered as aboutcode-org/vulnerablecode#1714

> I am concerned that the really slow response could be rather annoying to a DejaCode user, even though it is a VCIO problem.

We could add a new Vulnerability details view in DejaCode, that would present everything we store in DejaCode about a vulnerability. Please enter a new issue if we should go ahead with the approach.

> Perhaps we need some way to filter on the date field

I've added the date filter in the Vulnerability list first column.

@DennisClark (Member) commented

@tdruez thanks for creating the VCIO issue. I think the best approach, for now, is to improve performance there rather than add a somewhat redundant details view in DejaCode.

@pombredanne (Member) commented

@tdruez the notification looks great!

@tdruez tdruez merged commit 61f31a8 into main Jan 8, 2025
3 checks passed
@tdruez tdruez deleted the 106-vulnerabilities-notification branch January 8, 2025 10:04