From d6b059f43e98743fbd4a3c4fb895f4743c5643de Mon Sep 17 00:00:00 2001
From: Weston Steimel
Date: Fri, 26 May 2023 19:21:48 +0100
Subject: [PATCH] feat: retain source and type on NVD CVSS scores in grypedb (#109)
Signed-off-by: Weston Steimel
---
 go.mod | 4 +--
 go.sum | 8 +++---
 pkg/process/v5/transformers/nvd/transform.go | 2 ++
 .../v5/transformers/nvd/transform_test.go | 20 ++++++++++++++
 pkg/provider/unmarshal/nvd/cve.go | 26 +++++++++++--------
 5 files changed, 43 insertions(+), 17 deletions(-)
diff --git a/go.mod b/go.mod
index d200282b..ac14ba9d 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 github.com/adrg/xdg v0.4.0
 github.com/anchore/go-logger v0.0.0-20230120230012-47be9bb822a2
- github.com/anchore/grype v0.62.1
+ github.com/anchore/grype v0.62.2
 github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963
 github.com/anchore/syft v0.82.0
 github.com/dustin/go-humanize v1.0.1
@@ -74,7 +74,7 @@ require (
 github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
 github.com/docker/cli v23.0.5+incompatible // indirect
 github.com/docker/distribution v2.8.2+incompatible // indirect
- github.com/docker/docker v24.0.1+incompatible // indirect
+ github.com/docker/docker v24.0.2+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.7.0 // indirect
 github.com/docker/go-connections v0.4.0 // indirect
 github.com/docker/go-units v0.5.0 // indirect
diff --git a/go.sum b/go.sum
index b851ad90..a79f656e 100644
--- a/go.sum
+++ b/go.sum
@@ -239,8 +239,8 @@ github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092/go.mod
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0vW0nnNKJfJieyH/TZ9UYAnTZs5/gHTdAe8=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.62.1 h1:TQfUys9XrtArKA92eoOLMMIAMdd0DBfnyz3gOTfCqIc=
-github.com/anchore/grype v0.62.1/go.mod h1:4v6jNv9JlQt7vUYBPCq0VObq6L/iE9WcqAmhc5IaQAg=
+github.com/anchore/grype v0.62.2 h1:TBkkL1r5gXHSGdE+f1BLLW93ua0VjMdnEPeNwhL4CYo=
+github.com/anchore/grype v0.62.2/go.mod h1:Klu3hAZQZ9rbCv2EwW1ZrfetXof0cxlYrUU5RMzXK+w=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501 h1:AV7qjwMcM4r8wFhJq3jLRztew3ywIyPTRapl2T1s9o8=
 github.com/anchore/packageurl-go v0.1.1-0.20230104203445-02e0a6721501/go.mod h1:Blo6OgJNiYF41ufcgHKkbCKF2MDOMlrqhXv/ij6ocR4=
 github.com/anchore/sqlite v1.4.6-0.20220607210448-bcc6ee5c4963 h1:vrf2PYH77vqVJoNR15ZuFJ63qwBMqrmGIt/7VsBhLF8=
@@ -324,8 +324,8 @@ github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuD
 github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
 github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
-github.com/docker/docker v24.0.1+incompatible h1:NxN81beIxDlUaVt46iUQrYHD9/W3u9EGl52r86O/IGw=
-github.com/docker/docker v24.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v24.0.2+incompatible h1:eATx+oLz9WdNVkQrr0qjQ8HvRJ4bOOxfzEo8R+dA3cg=
+github.com/docker/docker v24.0.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
 github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0=
 github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ=
diff --git a/pkg/process/v5/transformers/nvd/transform.go b/pkg/process/v5/transformers/nvd/transform.go
index 16230749..c77ffd35 100644
--- a/pkg/process/v5/transformers/nvd/transform.go
+++ b/pkg/process/v5/transformers/nvd/transform.go
@@ -91,6 +91,8 @@ func getCvss(cvss ...nvd.CvssSummary) []grypeDB.Cvss {
 var results []grypeDB.Cvss
 for _, c := range cvss {
 results = append(results, grypeDB.Cvss{
+ Source: c.Source,
+ Type: string(c.Type),
 Version: c.Version,
 Vector: c.Vector,
 Metrics: grypeDB.CvssMetrics{
diff --git a/pkg/process/v5/transformers/nvd/transform_test.go b/pkg/process/v5/transformers/nvd/transform_test.go
index 1851b41d..3a6e85cc 100644
--- a/pkg/process/v5/transformers/nvd/transform_test.go
+++ b/pkg/process/v5/transformers/nvd/transform_test.go
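Review bot: `Source: c.Source` and `Type: string(c.Type)` write the NVD values into the grypeDB record without any normalization, so a metric whose NVD record omits `source` (in cve.go the field is a plain non-pointer string tagged `json:"source"`) is persisted with an empty Source, and a `type` other than the primary/secondary pair is stored verbatim. That is fine for a pass-through, but nothing tells a reader of the DB which convention applies; a comment on the two added lines would settle it: `// Source and Type are copied from the NVD metric as-is (scoring-organization identifier and primary/secondary flag); a metric with no source is stored with Source == "".` getCvss starts before this hunk and its body continues after it.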
@@ -73,6 +73,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "AV:N/AC:L/Au:N/C:P/I:P/A:P",
 Version: "2.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 {
 Metrics: grypeDB.NewCvssMetrics(
@@ -82,6 +84,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
 Version: "3.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 },
 },
@@ -121,6 +125,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "AV:N/AC:M/Au:N/C:P/I:P/A:P",
 Version: "2.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 {
 Metrics: grypeDB.NewCvssMetrics(
@@ -130,6 +136,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
 Version: "3.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 },
 },
@@ -168,6 +176,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "AV:N/AC:L/Au:N/C:P/I:N/A:N",
 Version: "2.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 {
 Metrics: grypeDB.NewCvssMetrics(
@@ -177,6 +187,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
 Version: "3.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 },
 },
@@ -207,6 +219,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "AV:N/AC:L/Au:N/C:N/I:N/A:P",
 Version: "2.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 {
 Metrics: grypeDB.NewCvssMetrics(
@@ -216,6 +230,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
 Version: "3.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 },
 },
@@ -291,6 +307,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "AV:L/AC:M/Au:N/C:P/I:P/A:P",
 Version: "2.0",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 {
 Metrics: grypeDB.NewCvssMetrics(
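Review bot: Every fixture updated in this hunk and in the remaining hunks of this file (@@ -82 through @@ -300) expects `Source: "nvd@nist.gov"` and `Type: "Primary"`, so the table only pins the pass-through for NVD's own primary scores and cannot tell correct plumbing apart from code that hard-codes those two values. A secondary-source metric, the other case the CvssType comment in cve.go describes, is never checked; if the fixture data already contains one, add its expected Source and Type to the table, otherwise a small fixture carrying one would be worth adding. TestParseAllNVDVulnerabilityEntries starts before this hunk and continues past it.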
@@ -300,6 +318,8 @@ func TestParseAllNVDVulnerabilityEntries(t *testing.T) {
 ),
 Vector: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
 Version: "3.1",
+ Source: "nvd@nist.gov",
+ Type: "Primary",
 },
 },
 },
diff --git a/pkg/provider/unmarshal/nvd/cve.go b/pkg/provider/unmarshal/nvd/cve.go
index 28e11b59..8c478487 100644
--- a/pkg/provider/unmarshal/nvd/cve.go
+++ b/pkg/provider/unmarshal/nvd/cve.go
@@ -50,13 +50,13 @@ type CveItem struct {
 // EvaluatorComment *string `json:"evaluatorComment,omitempty"`
 // EvaluatorImpact *string `json:"evaluatorImpact,omitempty"`
 // EvaluatorSolution *string `json:"evaluatorSolution,omitempty"`
- // LastModified string `json:"lastModified"`
- Metrics *Metrics `json:"metrics,omitempty"`
- // Published string `json:"published"`
- References []Reference `json:"references"`
+ LastModified string `json:"lastModified"`
+ Metrics *Metrics `json:"metrics,omitempty"`
+ Published string `json:"published"`
+ References []Reference `json:"references"`
 // SourceIdentifier *string `json:"sourceIdentifier,omitempty"`
 // VendorComments []VendorComment `json:"vendorComments,omitempty"`
- // VulnStatus *string `json:"vulnStatus,omitempty"`
+ VulnStatus *string `json:"vulnStatus,omitempty"`
 // Weaknesses []Weakness `json:"weaknesses,omitempty"`
 }
@@ -103,8 +103,8 @@ type CvssV2 struct {
 // ObtainAllPrivilege *bool `json:"obtainAllPrivilege,omitempty"`
 // ObtainOtherPrivilege *bool `json:"obtainOtherPrivilege,omitempty"`
 // ObtainUserPrivilege *bool `json:"obtainUserPrivilege,omitempty"`
- // Source string `json:"source"`
- Type CvssType `json:"type"`
+ Source string `json:"source"`
+ Type CvssType `json:"type"`
 // UserInteractionRequired *bool `json:"userInteractionRequired,omitempty"`
 }
@@ -112,16 +112,16 @@ type CvssV30 struct {
 CvssData cvss30.Cvss30 `json:"cvssData"`
 ExploitabilityScore *float64 `json:"exploitabilityScore,omitempty"`
 ImpactScore *float64 `json:"impactScore,omitempty"`
- // Source string `json:"source"`
- Type CvssType `json:"type"`
+ Source string `json:"source"`
+ Type CvssType `json:"type"`
 }
 type CvssV31 struct {
 CvssData cvss31.Cvss31 `json:"cvssData"`
 ExploitabilityScore *float64 `json:"exploitabilityScore,omitempty"`
 ImpactScore *float64 `json:"impactScore,omitempty"`
- // Source string `json:"source"`
- Type CvssType `json:"type"`
+ Source string `json:"source"`
+ Type CvssType `json:"type"`
 }
 // "type identifies whether the organization is a primary or secondary source. Primary sources
@@ -163,6 +163,7 @@ func (o CveItem) Description() string {
 }
 type CvssSummary struct {
+ Source string
 Type CvssType
 Version string
 Vector string
@@ -242,6 +243,7 @@ func (o CveItem) CVSS() []CvssSummary {
 for _, c := range o.Metrics.CvssMetricV2 {
 results = append(results, CvssSummary{
+ Source: c.Source,
 Type: c.Type,
 Version: c.CvssData.Version,
 Vector: c.CvssData.VectorString,
@@ -256,6 +258,7 @@ func (o CveItem) CVSS() []CvssSummary {
 sev := string(c.CvssData.BaseSeverity)
 results = append(results, CvssSummary{
+ Source: c.Source,
 Type: c.Type,
 Version: c.CvssData.Version,
 Vector: c.CvssData.VectorString,
@@ -270,6 +273,7 @@ func (o CveItem) CVSS() []CvssSummary {
 sev := string(c.CvssData.BaseSeverity)
 results = append(results, CvssSummary{
+ Source: c.Source,
 Type: c.Type,
 Version: c.CvssData.Version,
 Vector: c.CvssData.VectorString,
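Review bot: The new `Source` field on CvssSummary (hunk @@ -163) carries no doc comment, although this struct is the hand-off to the grypeDB transformer and the file already keeps the NVD schema quotation for the neighboring `type` field; suggest `// Source is the NVD "source" value of the metric: the identifier of the organization that produced the score (e.g. "nvd@nist.gov" for NVD's own scores), copied through unchanged.` The same comment fits the newly uncommented `Source string` fields of CvssV2, CvssV30 and CvssV31 (hunks @@ -103 and @@ -112). The three CVSS() hunks (@@ -242, @@ -256, @@ -270) copy the field identically and need no separate note; CVSS() begins and ends outside them, and the CvssSummary declaration runs past the end of its hunk.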