vulnsrc: Add CVSS scores to output in addition to vectors #48

Merged
merged 9 commits into from
Jun 16, 2020
6 changes: 4 additions & 2 deletions pkg/types/types.go
@@ -12,8 +12,10 @@ type Severity int
type VendorSeverity map[string]Severity

type CVSSVector struct {
V2 string `json:"v2,omitempty"`
V3 string `json:"v3,omitempty"`
V2 string `json:"v2,omitempty"`
simar7 marked this conversation as resolved.
V2Score float64 `json:"v2_score,omitempty"`
V3 string `json:"v3,omitempty"`
V3Score float64 `json:"v3_score,omitempty"`
simar7 marked this conversation as resolved.
}
type VendorVectors map[string]CVSSVector
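Review bot: `omitempty` on the new `V2Score` and `V3Score` float64 fields drops a score of exactly 0 from the JSON, so a consumer cannot tell "no score published" from "scored 0.0", which CVSS v3 allows as the None rating. If downstream severity gating or reporting needs that distinction, declaring the score fields as `*float64` would preserve it; otherwise a comment on the struct stating that 0 means "not provided" makes the contract explicit. The exported `CVSSVector` type also has no doc comment; `// CVSSVector holds one vendor's CVSS v2/v3 vector strings and their base scores.` would cover it.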

6 changes: 3 additions & 3 deletions pkg/vulnsrc/nvd/types.go
@@ -30,16 +30,16 @@ type BaseMetricV2 struct {
}

type CvssV2 struct {
BaseScore float64
VectorString string `json:"vectorString"`
BaseScore float64 `json:"baseScore"`
VectorString string `json:"vectorString"`
}

type BaseMetricV3 struct {
CvssV3 CvssV3
}

type CvssV3 struct {
BaseScore float64
BaseScore float64 `json:"baseScore"`
BaseSeverity string
VectorString string `json:"vectorString"`
}
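Review bot: `BaseSeverity` in `CvssV3` (and the `CvssV3` field of `BaseMetricV3`) stays untagged while `BaseScore` and `VectorString` beside it now carry explicit JSON tags. Decoding is unaffected because encoding/json matches keys case-insensitively, but re-marshalling these structs would emit `BaseSeverity` next to `baseScore`. Adding a `baseSeverity` tag, assuming that is the key used in the feed, would keep the struct consistent and make the expected key visible to readers.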
10 changes: 6 additions & 4 deletions pkg/vulnsrc/vulnerability/vulnerability.go
@@ -11,7 +11,7 @@ import (
)

var (
sources = []string{Nvd, RedHat, Debian, DebianOVAL, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
sources = []string{Nvd, RedHat, Debian, DebianOVAL, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
RubySec, RustSec, PhpSecurityAdvisories, NodejsSecurityWg, PythonSafetyDB,
GHSAComposer, GHSAMaven, GHSANpm, GHSANuget, GHSAPip, GHSARubygems}
)
@@ -36,12 +36,14 @@ func GetDetail(vulnID string) (types.Severity, types.VendorSeverity, types.Vendo
func getVendorVectors(details map[string]types.VulnerabilityDetail) types.VendorVectors {
vv := make(types.VendorVectors)
for vendor, detail := range details {
if detail.CvssVector == "" && detail.CvssVectorV3 == "" {
if (detail.CvssVector == "" || detail.CvssScore == 0) && (detail.CvssVectorV3 == "" || detail.CvssScoreV3 == 0) {
continue
}
vv[vendor] = types.CVSSVector{
V2: detail.CvssVector,
V3: detail.CvssVectorV3,
V2: detail.CvssVector,
V2Score: detail.CvssScore,
V3: detail.CvssVectorV3,
V3Score: detail.CvssScoreV3,
}
}
return vv
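Review bot: The new guard in `getVendorVectors` skips a vendor only when both CVSS versions are incomplete, but the struct literal after it copies all four fields unconditionally, so a vendor with a complete v3 pair and a v2 vector without a score (or a score without a vector) is emitted with a half-populated v2 entry. The guard also drops a vendor's vector strings entirely when no score accompanies them, which the previous check kept; if that is intended it deserves a comment, since consumers that derive severity from the vector lose that data. Comparing against 0 additionally treats a genuine 0.0 score as missing. Filling each version independently, as sketched below, keeps every emitted vector paired with its score; the function's closing brace lies outside the hunk.

```go
for vendor, detail := range details {
	var cv types.CVSSVector
	if detail.CvssVector != "" && detail.CvssScore != 0 {
		cv.V2, cv.V2Score = detail.CvssVector, detail.CvssScore
	}
	if detail.CvssVectorV3 != "" && detail.CvssScoreV3 != 0 {
		cv.V3, cv.V3Score = detail.CvssVectorV3, detail.CvssScoreV3
	}
	if cv == (types.CVSSVector{}) {
		continue // neither version has both a vector and a score
	}
	vv[vendor] = cv
}
```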
41 changes: 37 additions & 4 deletions pkg/vulnsrc/vulnerability/vulnerability_test.go
@@ -37,7 +37,6 @@ func TestGetDetail(t *testing.T) {
},
Ubuntu: {
ID: "CVE-2020-1234",
CvssScore: 1.2,
CvssScoreV3: 3.4,
CvssVectorV3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
Severity: types.SeverityLow,
@@ -63,11 +62,14 @@ func TestGetDetail(t *testing.T) {
expectedVendorSeverity: types.VendorSeverity{"redhat": 4, "ubuntu": 1, "rust-advisory-db": 4},
expectedVendorVectors: types.VendorVectors{
RedHat: types.CVSSVector{
V2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
V2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
V2Score: 4.2,
V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
V3Score: 5.6,
},
Ubuntu: types.CVSSVector{
V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
V3Score: 3.4,
},
},
expectedTitle: "test vulnerability",
@@ -107,6 +109,37 @@ func TestGetDetail(t *testing.T) {
expectedTitle: "test vulnerability",
expectedDescription: "a test vulnerability where vendor rates it lower than NVD",
},
{
name: "happy path, classifications for redhat (only CVSSv3), ubuntu and nodejs with variety vectors but no scores",
getVulnerabilityDetailFunc: func(cveID string) (m map[string]types.VulnerabilityDetail, err error) {
return map[string]types.VulnerabilityDetail{
RedHat: {
ID: "CVE-2020-1234",
CvssVector: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
CvssVectorV3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
Title: "test vulnerability",
Description: "a test vulnerability where vendor rates it lower than NVD",
},
Ubuntu: {
ID: "CVE-2020-1234",
Severity: types.SeverityLow,
SeverityV3: types.SeverityMedium,
Title: "test vulnerability",
Description: "a test vulnerability where vendor rates it lower than NVD",
},
NodejsSecurityWg: {
ID: "CVE-2020-1234",
Title: "test vulnerability",
Description: "a test vulnerability where vendor rates it lower than NVD",
},
}, nil
},
expectedSeverity: types.SeverityLow,
expectedVendorSeverity: types.VendorSeverity{"ubuntu": 1},
expectedVendorVectors: types.VendorVectors{},
expectedTitle: "test vulnerability",
expectedDescription: "a test vulnerability where vendor rates it lower than NVD",
},
{
name: "sad path, getVulnerabilityDetailFunc returns an error",
getVulnerabilityDetailFunc: func(cveID string) (m map[string]types.VulnerabilityDetail, err error) {
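Review bot: The added table case only covers vendors whose vectors have no scores at all; nothing exercises a vendor where one CVSS version is complete and the other has a vector but no score (or a score but no vector), which is the input where `getVendorVectors` can emit a mismatched pair. The first hunk appears to drop `CvssScore: 1.2` from the Ubuntu fixture rather than assert what happens to a score that has no vector, so that behaviour is untested as well. The case name says `redhat (only CVSSv3)` although the RedHat fixture sets both `CvssVector` and `CvssVectorV3`; a name such as `vectors present but no scores, vendor vectors omitted` would match what is asserted. The sad-path entry that starts at the end of this hunk continues outside it.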