Add option to include severity in table output

[giovanni-bozzano]

Add an optional --include-severity flag to include a severity column when using table or markdown output, when severity is present in the OSV schema.

[G-Rath]

Can you please add tests

[giovanni-bozzano]

Sure, test added.

From an end user perspective, it would be useful to also have the numeric score computed in the same column, for a quicker overview. Let me know if this sounds good.

[another-rex]

Thanks for working on this @giovanni-bozzano!

Unfortunately we want to be very careful with what we add to the table output as we want to keep the horizontal width down, and also keep the number of CLI flags limited.

Converting CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L into a single numeric score will help, but it also loses a decent amount of information.

A more long term solution is to create a markdown/text based output format, which is more suitable for adding additional information like severity info, fixed versions...etc, We are currently developing this as part of #57, currently estimated to be completed this quarter.

For now a workaround would be to parse the json output to get the severity value.

[another-rex]

Discussed this a bit more with the team, something similar to this could work showing only the computed scores in the table, and only showing the full string (or a subset of it) in the text output I was describing above so if the user wants more info they can get it.

We can use https://github.com/goark/go-cvss to compute the score relatively easily, if you can replace the current full severity string with just the score it would be great!

[giovanni-bozzano]

I changed the table output to be numeric as you suggested. This will show the computed base score in case of CVSS v2 or v3, and it will keep the OSV schema score string in case of quantitative type.

It would probably be good to point out that this is the base score. Maybe this information can be included in the docs to keep the table narrow.

[another-rex]

Thanks for the change! Agreed with adding to the documentation to clarify that this is the base severity score.

I think now that it's reasonably short, we can remove the include-severity flag and just always show the severity column. (Does mean a couple of the tests in main_test.go will need to be updated)

[oliverchang]

Thanks for the change! Agreed with adding to the documentation to clarify that this is the base severity score.

I think now that it's reasonably short, we can remove the include-severity flag and just always show the severity column. (Does mean a couple of the tests in main_test.go will need to be updated)

CC @hayleycd to see where we can fit this in our current docs.

[giovanni-bozzano]

I removed the flag and renamed the column to "CVSS". Tests have been changed accordingly.

[another-rex]

Thanks! Just check if the final comments are correct then we should be good to merge!

[hayleycd]

So what determines if the severity score is CVSS v2 or CVSS v3? (Clarifying so I can update the docs)

[another-rex]

Inside each OSV entry the severity looks like this:

  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
    }
  ],

The type field shows what version is used, currently the schema defines only two options, v3 and v2: https://ossf.github.io/osv-schema/#severity-field

As for why you would choose one over the other I think it's just newer advisories use cvss v3, and older ones use v2.

[hayleycd]

@another-rex
So there is nothing specific to this code, it will just pull the cvss (whether version 2 or 3) from the OSV entry?

[another-rex]

Yep