feat: retain source and type on NVD CVSS scores in grypedb (#109)

Signed-off-by: Weston Steimel <[email protected]>

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.4.0
 	github.com/anchore/go-logger v0.0.0-20230120230012-47be9bb822a2
-	github.com/anchore/grype v0.62.1
+	github.com/anchore/grype v0.62.2
 	github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963
 	github.com/anchore/syft v0.82.0
 	github.com/dustin/go-humanize v1.0.1
@@ -74,7 +74,7 @@ require (
 	github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
 	github.com/docker/cli v23.0.5+incompatible // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
-	github.com/docker/docker v24.0.1+incompatible // indirect
+	github.com/docker/docker v24.0.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect

go.sum

@@ -239,8 +239,8 @@ github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.62.1 h1:TQfUys9XrtArKA92eoOLMMIAMdd0DBfnyz3gOTfCqIc=
-github.com/anchore/grype v0.62.1/go.mod h1:4v6jNv9JlQt7vUYBPCq0VObq6L/iE9WcqAmhc5IaQAg=
+github.com/anchore/grype v0.62.2 h1:TBkkL1r5gXHSGdE+f1BLLW93ua0VjMdnEPeNwhL4CYo=
+github.com/anchore/grype v0.62.2/go.mod h1:Klu3hAZQZ9rbCv2EwW1ZrfetXof0cxlYrUU5RMzXK+w=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 h1:AV7qjwMcM4r8wFhJq3jLRztew3ywIyPTRapl2T1s9o8=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
 github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963 h1:vrf2PYH77vqVJoNR15ZuFJ63qwBMqrmGIt/7VsBhLF8=
@@ -324,8 +324,8 @@ github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuD
 github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.1+incompatible h1:NxN81beIxDlUaVt46iUQrYHD9/W3u9EGl52r86O/IGw=
-github.com/docker/docker v24.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
+github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=

pkg/process/v5/transformers/nvd/transform.go

@@ -91,6 +91,8 @@ func getCvss(cvss ...nvd.CvssSummary) []grypeDB.Cvss {
 	var results []grypeDB.Cvss
 	for _, c := range cvss {
 		results = append(results, grypeDB.Cvss{
+			Source:  c.Source,
+			Type:    string(c.Type),
 			Version: c.Version,
 			Vector:  c.Vector,
 			Metrics: grypeDB.CvssMetrics{

pkg/process/v5/transformers/nvd/transform_test.go

@@ -73,6 +73,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "AV:N/AC:L/Au:N/C:P/I:P/A:P",
 						Version: "2.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 					{
 						Metrics: grypeDB.NewCvssMetrics(
@@ -82,6 +84,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
 						Version: "3.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 				},
 			},
@@ -121,6 +125,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "AV:N/AC:M/Au:N/C:P/I:P/A:P",
 						Version: "2.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 					{
 						Metrics: grypeDB.NewCvssMetrics(
@@ -130,6 +136,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
 						Version: "3.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 				},
 			},
@@ -168,6 +176,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "AV:N/AC:L/Au:N/C:P/I:N/A:N",
 						Version: "2.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 					{
 						Metrics: grypeDB.NewCvssMetrics(
@@ -177,6 +187,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
 						Version: "3.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 				},
 			},
@@ -207,6 +219,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "AV:N/AC:L/Au:N/C:N/I:N/A:P",
 						Version: "2.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 					{
 						Metrics: grypeDB.NewCvssMetrics(
@@ -216,6 +230,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
 						Version: "3.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 				},
 			},
@@ -291,6 +307,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "AV:L/AC:M/Au:N/C:P/I:P/A:P",
 						Version: "2.0",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 					{
 						Metrics: grypeDB.NewCvssMetrics(
@@ -300,6 +318,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 						),
 						Vector:  "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
 						Version: "3.1",
+						Source:  "[email protected]",
+						Type:    "Primary",
 					},
 				},
 			},

pkg/provider/unmarshal/nvd/cve.go

@@ -50,13 +50,13 @@ type CveItem struct {
 	// EvaluatorComment      *string         `json:"evaluatorComment,omitempty"`
 	// EvaluatorImpact       *string         `json:"evaluatorImpact,omitempty"`
 	// EvaluatorSolution     *string         `json:"evaluatorSolution,omitempty"`
-	// LastModified          string          `json:"lastModified"`
-	Metrics *Metrics `json:"metrics,omitempty"`
-	// Published             string          `json:"published"`
-	References []Reference `json:"references"`
+	LastModified string      `json:"lastModified"`
+	Metrics      *Metrics    `json:"metrics,omitempty"`
+	Published    string      `json:"published"`
+	References   []Reference `json:"references"`
 	// SourceIdentifier      *string         `json:"sourceIdentifier,omitempty"`
 	// VendorComments        []VendorComment `json:"vendorComments,omitempty"`
-	// VulnStatus            *string         `json:"vulnStatus,omitempty"`
+	VulnStatus *string `json:"vulnStatus,omitempty"`
 	// Weaknesses            []Weakness      `json:"weaknesses,omitempty"`
 }
 
@@ -103,25 +103,25 @@ type CvssV2 struct {
 	// ObtainAllPrivilege      *bool         `json:"obtainAllPrivilege,omitempty"`
 	// ObtainOtherPrivilege    *bool         `json:"obtainOtherPrivilege,omitempty"`
 	// ObtainUserPrivilege     *bool         `json:"obtainUserPrivilege,omitempty"`
-	// Source                  string        `json:"source"`
-	Type CvssType `json:"type"`
+	Source string   `json:"source"`
+	Type   CvssType `json:"type"`
 	// UserInteractionRequired *bool         `json:"userInteractionRequired,omitempty"`
 }
 
 type CvssV30 struct {
 	CvssData            cvss30.Cvss30 `json:"cvssData"`
 	ExploitabilityScore *float64      `json:"exploitabilityScore,omitempty"`
 	ImpactScore         *float64      `json:"impactScore,omitempty"`
-	// Source              string        `json:"source"`
-	Type CvssType `json:"type"`
+	Source              string        `json:"source"`
+	Type                CvssType      `json:"type"`
 }
 
 type CvssV31 struct {
 	CvssData            cvss31.Cvss31 `json:"cvssData"`
 	ExploitabilityScore *float64      `json:"exploitabilityScore,omitempty"`
 	ImpactScore         *float64      `json:"impactScore,omitempty"`
-	// Source              string        `json:"source"`
-	Type CvssType `json:"type"`
+	Source              string        `json:"source"`
+	Type                CvssType      `json:"type"`
 }
 
 // "type identifies whether the organization is a primary or secondary source. Primary sources
@@ -163,6 +163,7 @@ func (o CveItem) Description() string {
 }
 
 type CvssSummary struct {
+	Source              string
 	Type                CvssType
 	Version             string
 	Vector              string
@@ -242,6 +243,7 @@ func (o CveItem) CVSS() []CvssSummary {
 	for _, c := range o.Metrics.CvssMetricV2 {
 		results = append(results,
 			CvssSummary{
+				Source:              c.Source,
 				Type:                c.Type,
 				Version:             c.CvssData.Version,
 				Vector:              c.CvssData.VectorString,
@@ -256,6 +258,7 @@ func (o CveItem) CVSS() []CvssSummary {
 		sev := string(c.CvssData.BaseSeverity)
 		results = append(results,
 			CvssSummary{
+				Source:              c.Source,
 				Type:                c.Type,
 				Version:             c.CvssData.Version,
 				Vector:              c.CvssData.VectorString,
@@ -270,6 +273,7 @@ func (o CveItem) CVSS() []CvssSummary {
 		sev := string(c.CvssData.BaseSeverity)
 		results = append(results,
 			CvssSummary{
+				Source:              c.Source,
 				Type:                c.Type,
 				Version:             c.CvssData.Version,
 				Vector:              c.CvssData.VectorString,