From 6b5fcc3e661b0238ef2027bd53fc1f17e2a16289 Mon Sep 17 00:00:00 2001 From: wang yan Date: Mon, 15 Apr 2024 13:12:45 +0800 Subject: [PATCH] fix issue 20269 By default, use the nvd score as the primary score, and if it is unavailable, fallback to the redhat score. fix #20269 Signed-off-by: wang yan
---
 .../scan/postprocessors/report_converters.go | 27 ++++++++++---------
 .../postprocessors/report_converters_test.go | 2 ++
 2 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/src/pkg/scan/postprocessors/report_converters.go b/src/pkg/scan/postprocessors/report_converters.go
index 538b75ce7ae..0a91f41ad38 100644
--- a/src/pkg/scan/postprocessors/report_converters.go
+++ b/src/pkg/scan/postprocessors/report_converters.go
@@ -354,25 +354,28 @@ func (c *nativeToRelationalSchemaConverter) updateReport(ctx context.Context, vu
 return report.Mgr.Update(ctx, r, "CriticalCnt", "HighCnt", "MediumCnt", "LowCnt", "NoneCnt", "UnknownCnt", "FixableCnt")
 }
 
-// CVSS ...
-type CVSS struct {
- NVD Nvd `json:"nvd"`
+// CVS ...
+type CVS struct {
+ CVSS map[string]map[string]interface{} `json:"CVSS"`
 }
 
-// Nvd ...
-type Nvd struct {
- V3Score float64 `json:"V3Score"`
-}
-
-func parseScoreFromVendorAttribute(ctx context.Context, vendorAttribute string) (NvdV3Score float64) {
- var data map[string]CVSS
+func parseScoreFromVendorAttribute(ctx context.Context, vendorAttribute string) float64 {
+ var data CVS
 err := json.Unmarshal([]byte(vendorAttribute), &data)
 if err != nil {
 log.G(ctx).Errorf("failed to parse vendor_attribute, error %v", err)
 return 0
 }
- if cvss, ok := data["CVSS"]; ok {
- return cvss.NVD.V3Score
+
+ // set the nvd as the first priority, if it's unavailable, return the first V3Score available.
+ if val, ok := data.CVSS["nvd"]["V3Score"]; ok {
+ return val.(float64)
+ }
+
+ for vendor := range data.CVSS {
+ if val, ok := data.CVSS[vendor]["V3Score"]; ok {
+ return val.(float64)
+ }
 }
 return 0
 }
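Review bot: Both `return val.(float64)` lines in parseScoreFromVendorAttribute are single-value type assertions, so a vendor_attribute whose V3Score is not a JSON number (a string such as "7.8", null, or an object) panics in the report converter instead of being handled like the Unmarshal error a few lines above; the value is scanner-supplied data, so a malformed attribute should degrade to the existing `return 0` path, not crash the post-processing. The fallback loop also ranges over `data.CVSS` in Go's randomized map order, so when two non-nvd vendors both carry a V3Score the returned score differs between runs, even though the commit description says the fallback is the redhat score. Both are addressed by the comma-ok form of the assertion and by iterating vendor names in sorted order, as sketched below (`sort` needs to be imported; the existing test rows keep their expected values).
```go
func parseScoreFromVendorAttribute(ctx context.Context, vendorAttribute string) float64 {
	// … unchanged: json.Unmarshal and its error handling …

	// nvd is preferred; otherwise take the lowest-named vendor with a numeric
	// V3Score so the fallback does not depend on map iteration order.
	if v, ok := data.CVSS["nvd"]["V3Score"].(float64); ok {
		return v
	}

	vendors := make([]string, 0, len(data.CVSS))
	for vendor := range data.CVSS {
		vendors = append(vendors, vendor)
	}
	sort.Strings(vendors)
	for _, vendor := range vendors {
		// comma-ok: a non-numeric V3Score is skipped rather than panicking
		if v, ok := data.CVSS[vendor]["V3Score"].(float64); ok {
			return v
		}
	}
	return 0
}
```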
diff --git a/src/pkg/scan/postprocessors/report_converters_test.go b/src/pkg/scan/postprocessors/report_converters_test.go
index 057113a4793..32b7660fa1e 100644
--- a/src/pkg/scan/postprocessors/report_converters_test.go
+++ b/src/pkg/scan/postprocessors/report_converters_test.go
@@ -578,6 +578,8 @@ func Test_parseScoreFromVendorAttribute(t *testing.T) {
 {"both", args{`{"CVSS":{"nvd":{"V3Score":5.5,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},"redhat":{"V3Score":6.2,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}}`}, 5.5},
 {"both2", args{`{"CVSS":{"nvd":{"V2Score":7.2,"V2Vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C","V3Score":7.8,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},"redhat":{"V3Score":7.8,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 7.8},
 {"none", args{`{"CVSS":{"nvd":{"V2Score":7.2,"V2Vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C","V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},"redhat":{"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 0},
+ {"redhatonly", args{`{"CVSS":{"redhat":{"V3Score":8.8, "V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 8.8},
+ {"nvdnov3butredhat", args{`{"CVSS":{"nvd":{"V2Score":7.2,"V2Vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C"},"redhat":{"V3Score":7.8,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 7.8},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
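Review bot: The two added rows cover the redhat fallback but no row feeds a V3Score that is not a JSON number, which is exactly the input the new `val.(float64)` assertions in parseScoreFromVendorAttribute cannot tolerate; with the sibling hunk as written such a row would panic rather than fail an assertion. Add a constructed case like a "stringscore" row whose args payload is `{"CVSS":{"redhat":{"V3Score":"8.8"}}}` with expected 0, so the table pins the "malformed score degrades to 0" contract. A row with two non-nvd vendors carrying different V3Scores would also be worth adding once the fallback order is made deterministic; under the current range-over-map fallback it would be flaky. Test_parseScoreFromVendorAttribute begins before this hunk and continues past it.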