This project is a Quarkus + React web application implemented to interact with the Agent Morpheus service, sending requests to evaluate vulnerabilities on specific SBOMs.
Check these other documents for:
Open http://localhost:8080/app/index.html
In the Request Analysis tab you will access a form where you can load a CycloneDX SBOM and type a list of CVEs to inspect. The Request ID is used to trace the request; it is generated from the SBOM data but can be edited before submitting the request. If none is provided, a UUID is generated.
The Metadata can include any set of key/value pairs. You can add a batch_id if this request is related to others, so that you can group them when browsing the reports. Note that the user will be automatically added as a metadata parameter.
After submitting the request you can go to the View Reports tab where you can manage all the received reports.
There is a configurable pool of concurrent requests. Any request submitted while the pool is full is queued. If a callback response is not received within a certain time, the report expires and is marked as failed.
This table shows all the reports and allows sorting by the ID and Completed at columns. A Status dropdown can be used to filter by Status. You can use any metadata key as a query parameter for advanced filtering, e.g. ?batch_id=001
- The ID link will take you to the report's detail.
- Click the CVE to filter reports with the same CVE.
- Use the Actions to Retry or Delete the selected report.
The checkboxes can be used to delete multiple reports. You can select all the reports by checking the top checkbox. Note that this selection covers all the reports matching the current filter; if no filter is set, all the reports will be deleted.
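The following is an added example, not code from the Agent Morpheus UI, that models the View Reports filtering described above: a Status filter, a CVE filter, and arbitrary metadata keys passed as query parameters (e.g. ?batch_id=001), together with the rule that the top checkbox selects every report matching the current filter and, with no filter set, every report. The report structure, function names and sample data are assumptions made for this illustration.

```python
"""Model of report filtering and select-all scope (added example, not project code)."""
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample reports; CVE ids and metadata values are placeholders.
REPORTS: List[dict] = [
    {"id": "r1", "status": "Completed", "cves": ["CVE-0000-0001"],
     "metadata": {"batch_id": "001", "user": "alice"}},
    {"id": "r2", "status": "Failed", "cves": ["CVE-0000-0001", "CVE-0000-0002"],
     "metadata": {"batch_id": "001", "user": "alice"}},
    {"id": "r3", "status": "Completed", "cves": ["CVE-0000-0002"],
     "metadata": {"batch_id": "002", "user": "bob"}},
]


def parse_filter(query: str) -> Dict[str, str]:
    """Turn '?status=Failed&batch_id=001' into {'status': 'Failed', 'batch_id': '001'}.

    Only the first value of a repeated key is used (assumed behaviour).
    """
    return {key: values[0] for key, values in parse_qs(query.lstrip("?")).items()}


def matches(report: dict, filt: Dict[str, str]) -> bool:
    """A report matches when every filter key agrees with it.

    'status' and 'cve' are handled as built-in filters; any other key is
    looked up in the report's metadata, which is how ?batch_id=001 works.
    """
    for key, value in filt.items():
        if key == "status":
            if report["status"] != value:
                return False
        elif key == "cve":
            if value not in report["cves"]:
                return False
        elif report["metadata"].get(key) != value:
            return False
    return True


def filter_reports(reports: List[dict], query: str) -> List[dict]:
    """Apply the query-string filter to the report list (empty query = no filter)."""
    filt = parse_filter(query)
    return [r for r in reports if matches(r, filt)]


def select_all_for_delete(reports: List[dict], query: str) -> List[str]:
    """IDs selected by the top checkbox: every report matching the current
    filter. With an empty filter this is every report in the table, which is
    the case to double-check before confirming a bulk delete."""
    return [r["id"] for r in filter_reports(reports, query)]


if __name__ == "__main__":
    print(select_all_for_delete(REPORTS, "?batch_id=001"))
    print(select_all_for_delete(REPORTS, ""))
```

The last function makes the deletion scope explicit: the same "select all" click yields two ids with a batch filter applied and all three with none.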
The available States displayed in the table are:
- Completed: The report has been sent and completed in Morpheus.
- Sent: The report has been sent but not yet analyzed (or the result has not yet been received).
- Queued: The report is in the waiting queue and will be sent as soon as there is space in the pool.
- Failed: The report has either timed out or failed.
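As an added example (not code from the Agent Morpheus UI), the model below simulates the request pool, queue, callback and expiry behaviour described above together with the four states of the table. The pool size, the timeout, the simulated clock and the class and method names are all assumptions made for this illustration.

```python
"""Simulation of the concurrent request pool and report states (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Status(str, Enum):
    QUEUED = "Queued"        # waiting for a free slot in the pool
    SENT = "Sent"            # sent to Morpheus, callback not yet received
    COMPLETED = "Completed"  # callback received, analysis finished
    FAILED = "Failed"        # timed out or failed


@dataclass
class Report:
    request_id: str
    status: Status = Status.QUEUED
    sent_at: Optional[float] = None  # simulated clock value when the request was sent


class RequestPool:
    """Admits at most max_concurrent in-flight (Sent) requests; others wait in FIFO order."""

    def __init__(self, max_concurrent: int, timeout: float) -> None:
        self.max_concurrent = max_concurrent
        self.timeout = timeout
        self.reports: Dict[str, Report] = {}
        self.queue: List[str] = []

    def in_flight(self) -> List[str]:
        return [r.request_id for r in self.reports.values() if r.status is Status.SENT]

    def _drain(self, now: float) -> None:
        # Move queued requests into free slots, oldest first.
        while self.queue and len(self.in_flight()) < self.max_concurrent:
            rid = self.queue.pop(0)
            self.reports[rid].status = Status.SENT
            self.reports[rid].sent_at = now

    def submit(self, request_id: str, now: float) -> Status:
        """A new request is queued and immediately sent if the pool has room."""
        report = Report(request_id)
        self.reports[request_id] = report
        self.queue.append(request_id)
        self._drain(now)
        return report.status

    def callback(self, request_id: str, now: float) -> None:
        """Morpheus answered: the report completes and its slot is handed to the queue."""
        report = self.reports[request_id]
        if report.status is Status.SENT:
            report.status = Status.COMPLETED
        self._drain(now)

    def tick(self, now: float) -> List[str]:
        """Expire Sent requests whose callback did not arrive within the timeout."""
        expired: List[str] = []
        for r in self.reports.values():
            if r.status is Status.SENT and r.sent_at is not None and now - r.sent_at >= self.timeout:
                r.status = Status.FAILED
                expired.append(r.request_id)
        self._drain(now)  # freed slots go to queued requests
        return expired

    def retry(self, request_id: str, now: float) -> Status:
        """The Retry action re-queues a Failed report."""
        report = self.reports[request_id]
        if report.status is Status.FAILED:
            report.status = Status.QUEUED
            report.sent_at = None
            self.queue.append(request_id)
            self._drain(now)
        return report.status


if __name__ == "__main__":
    pool = RequestPool(max_concurrent=2, timeout=30)
    for rid in ("a", "b", "c"):
        print(rid, pool.submit(rid, now=0).value)
    pool.callback("a", now=5)
    print("expired at t=31:", pool.tick(now=31))
```

The simulated clock makes the timeout rule checkable: a request that was Sent and never answered becomes Failed once the timeout elapses, and the slot it held is given to the oldest Queued request.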
You can click on the refresh icon to reload the table.
When you click View on a report in the table you will see all the details of the given report.
The first part includes some details about the report like the image and tag or all the available timestamps and metadata.
The Image, Tag, metadata elements and the CVE are clickable and will take you to the View Reports table filtered to all the reports sharing this element, e.g. all reports related to the ose-console image.
The second part of the report shows the result of the analysis of each of the selected CVEs with the Justification Label, the Reason, Summary and finally, the Checklist.
Each element in the checklist includes a Q/A with the generated checklist item and the justification.
At the bottom of the report you will find buttons to:
- Download the raw JSON report.
- Delete the report.
- Go back to the previous screen.
This table is meant to manage and show the additional Vulnerability data that Morpheus can use if the UI is configured as an additional Intel Source.
If you add or edit a vulnerability, a text area will appear where you can enter any free text about the vulnerability that you want the analysis to use.
Finally, the Reports button shows all the reports related to this vulnerability, and the Delete button removes it from the table.