-
Notifications
You must be signed in to change notification settings - Fork 217
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Support Additional Metadata + CVSS Score Logic Update #2199
base: main
Are you sure you want to change the base?
feat: Support Additional Metadata + CVSS Score Logic Update #2199
Conversation
f17db2d
to
4bfb7e4
Compare
4bfb7e4
to
f7eefb0
Compare
@Hacks4Snacks Seems to look like it will this solve my irritation about score and severity which I questioned here 👍🏻 https://aquasecurity.slack.com/archives/C02KVB6AED9/p1717779723156139 |
63e241c
to
aea8e4f
Compare
Awesome! Just took a look at the linked thread and that is exactly what I'm targeting with this fix. |
This PR is stale because it has been labeled with inactivity. |
@Hacks4Snacks why did you close this? |
Hey @kersten I appreciate the ping, this was inadvertent. I will be raising again. |
This PR is stale because it has been labeled with inactivity. |
Description
This PR introduces two changes:
The previous GetScoreFromCVSS logic consisted of:
• check if “nvd” exists in the CVSS map and returns its score if found.
• If “nvd” is not found, it returns the first vendor score found in the map.
Returning the first vendor score in the map could lead to discrepancies between the severity and the CVSS score value.
The updated GetScoreFromCVSS logic includes:
• Takes severitySource and preferredSources as additional parameters.
• Returns the CVSS score from severitySource (vendor) if it exists.
• If severitySource (vendor) does not exist in the map, it looks for scores in the order of preferredSources. The order of preferredSources is derived from https://github.com/aquasecurity/trivy-db/blob/d23a6ca8ba04f8acaeac9b1d2e1c52c5242b2814/pkg/vulnsrc/vulnerability/vulnerability.go#L17
Before:
{
"fixedVersion": "1.33.0",
"installedVersion": "v1.31.0",
"lastModifiedDate": "2024-06-10T18:15:26Z",
"links": [],
"primaryLink": "https://avd.aquasec.com/nvd/cve-2024-24786",
"publishedDate": "2024-03-05T23:15:07Z",
"resource": "google.golang.org/protobuf",
"score": 5.9,
"severity": "MEDIUM",
"target": "",
"title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
"vulnerabilityID": "CVE-2024-24786"
},
After:
{
"dataSource": {
"id": "ghsa",
"name": "GitHub Security Advisory Go",
"url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
},
"fixedVersion": "1.33.0",
"installedVersion": "v1.31.0",
"lastModifiedDate": "2024-06-10T18:15:26Z",
"links": [],
"primaryLink": "https://avd.aquasec.com/nvd/cve-2024-24786",
"publishedDate": "2024-03-05T23:15:07Z",
"resource": "google.golang.org/protobuf",
"score": 5.9,
"severity": "MEDIUM",
"severitySource": "ghsa",
"target": "",
"title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
"vulnerabilityID": "CVE-2024-24786"
},
Related issues
Checklist