Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Support Additional Metadata + CVSS Score Logic Update #2199

Open
wants to merge 9 commits into
base: main
Choose a base branch
from

Conversation

Hacks4Snacks
Copy link
Contributor

Description

This PR introduces two changes:

  • Support for SeveritySource and DataSource as optional fields in the report data.
  • Updated logic for determining the "score" value.

The previous GetScoreFromCVSS logic consisted of:
• check if “nvd” exists in the CVSS map and returns its score if found.
• If “nvd” is not found, it returns the first vendor score found in the map.
Returning the first vendor score in the map could lead to discrepancies between the severity and the CVSS score value.

The updated GetScoreFromCVSS logic includes:
• Takes severitySource and preferredSources as additional parameters.
• Returns the CVSS score from severitySource (vendor) if it exists.
• If severitySource (vendor) does not exist in the map, it looks for scores in the order of preferredSources. The order of preferredSources is derived from https://github.com/aquasecurity/trivy-db/blob/d23a6ca8ba04f8acaeac9b1d2e1c52c5242b2814/pkg/vulnsrc/vulnerability/vulnerability.go#L17

Before:
{
"fixedVersion": "1.33.0",
"installedVersion": "v1.31.0",
"lastModifiedDate": "2024-06-10T18:15:26Z",
"links": [],
"primaryLink": "https://avd.aquasec.com/nvd/cve-2024-24786",
"publishedDate": "2024-03-05T23:15:07Z",
"resource": "google.golang.org/protobuf",
"score": 5.9,
"severity": "MEDIUM",
"target": "",
"title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
"vulnerabilityID": "CVE-2024-24786"
},

After:
{
"dataSource": {
"id": "ghsa",
"name": "GitHub Security Advisory Go",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
},
"fixedVersion": "1.33.0",
"installedVersion": "v1.31.0",
"lastModifiedDate": "2024-06-10T18:15:26Z",
"links": [],
"primaryLink": "https://avd.aquasec.com/nvd/cve-2024-24786",
"publishedDate": "2024-03-05T23:15:07Z",
"resource": "google.golang.org/protobuf",
"score": 5.9,
"severity": "MEDIUM",
"severitySource": "ghsa",
"target": "",
"title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
"vulnerabilityID": "CVE-2024-24786"
},

Related issues

  • N/A

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@CLAassistant
Copy link

CLAassistant commented Jul 23, 2024

CLA assistant check
All committers have signed the CLA.

@Hacks4Snacks Hacks4Snacks changed the title Support Additional Metadata + CVSS Score Logic Update feat: Support Additional Metadata + CVSS Score Logic Update Jul 23, 2024
@Hacks4Snacks Hacks4Snacks force-pushed the hacks4snacks/additionalmeta branch 4 times, most recently from f17db2d to 4bfb7e4 Compare July 23, 2024 18:41
@Hacks4Snacks Hacks4Snacks force-pushed the hacks4snacks/additionalmeta branch from 4bfb7e4 to f7eefb0 Compare July 23, 2024 18:41
@kersten
Copy link
Contributor

kersten commented Jul 25, 2024

@Hacks4Snacks Seems to look like it will this solve my irritation about score and severity which I questioned here 👍🏻 https://aquasecurity.slack.com/archives/C02KVB6AED9/p1717779723156139

@Hacks4Snacks Hacks4Snacks force-pushed the hacks4snacks/additionalmeta branch from 63e241c to aea8e4f Compare July 25, 2024 14:22
@Hacks4Snacks
Copy link
Contributor Author

@Hacks4Snacks Seems to look like it will this solve my irritation about score and severity which I questioned here 👍🏻 https://aquasecurity.slack.com/archives/C02KVB6AED9/p1717779723156139

Awesome! Just took a look at the linked thread and that is exactly what I'm targeting with this fix.

Copy link

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Sep 24, 2024
@Hacks4Snacks Hacks4Snacks deleted the hacks4snacks/additionalmeta branch October 8, 2024 23:25
@kersten
Copy link
Contributor

kersten commented Oct 9, 2024

@Hacks4Snacks why did you close this?

@Hacks4Snacks Hacks4Snacks restored the hacks4snacks/additionalmeta branch October 9, 2024 14:10
@Hacks4Snacks
Copy link
Contributor Author

@Hacks4Snacks why did you close this?

Hey @kersten I appreciate the ping, this was inadvertent. I will be raising again.

@Hacks4Snacks Hacks4Snacks reopened this Oct 9, 2024
@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 10, 2024
Copy link

github-actions bot commented Dec 9, 2024

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Dec 9, 2024
@afdesk afdesk removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Dec 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants