diff --git a/integration/testdata/almalinux-8.json.golden b/integration/testdata/almalinux-8.json.golden
index 824279932e..c2ae9382f4 100644
--- a/integration/testdata/almalinux-8.json.golden
+++ b/integration/testdata/almalinux-8.json.golden
@@ -76,6 +76,18 @@
 "CweIDs": [
 "CWE-125"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 2,
+ "arch-linux": 3,
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 2,
+ "rocky": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
diff --git a/integration/testdata/alpine-310-registry.json.golden b/integration/testdata/alpine-310-registry.json.golden
index c5336caaa4..df64131304 100644
--- a/integration/testdata/alpine-310-registry.json.golden
+++ b/integration/testdata/alpine-310-registry.json.golden
@@ -84,6 +84,14 @@
 "CweIDs": [
 "CWE-330"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -145,6 +153,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -216,6 +232,14 @@
 "CweIDs": [
 "CWE-330"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -277,6 +301,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/alpine-310.json.golden b/integration/testdata/alpine-310.json.golden
index 6b0f8fb573..8c591c2681 100644
--- a/integration/testdata/alpine-310.json.golden
+++ b/integration/testdata/alpine-310.json.golden
@@ -78,6 +78,14 @@
 "CweIDs": [
 "CWE-330"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -139,6 +147,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -210,6 +226,14 @@
 "CweIDs": [
 "CWE-330"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -271,6 +295,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/alpine-39-high-critical.json.golden b/integration/testdata/alpine-39-high-critical.json.golden
index 3d9a5acc2c..fc61f908f4 100644
--- a/integration/testdata/alpine-39-high-critical.json.golden
+++ b/integration/testdata/alpine-39-high-critical.json.golden
@@ -77,6 +77,9 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "nvd": 4
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -116,6 +119,9 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "nvd": 4
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/alpine-39-ignore-cveids.json.golden b/integration/testdata/alpine-39-ignore-cveids.json.golden
index 1d187b9ed0..e620ebe420 100644
--- a/integration/testdata/alpine-39-ignore-cveids.json.golden
+++ b/integration/testdata/alpine-39-ignore-cveids.json.golden
@@ -78,6 +78,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -149,6 +157,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/alpine-39.json.golden b/integration/testdata/alpine-39.json.golden
index f5dc053356..7781ccc44c 100644
--- a/integration/testdata/alpine-39.json.golden
+++ b/integration/testdata/alpine-39.json.golden
@@ -78,6 +78,14 @@
 "CweIDs": [
 "CWE-330"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -139,6 +147,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -210,6 +226,14 @@
 "CweIDs": [
 "CWE-330"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -271,6 +295,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -341,6 +373,9 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "nvd": 4
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -380,6 +415,9 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "nvd": 4
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/alpine-distroless.json.golden b/integration/testdata/alpine-distroless.json.golden
index 5dc55d9980..6896e3c560 100644
--- a/integration/testdata/alpine-distroless.json.golden
+++ b/integration/testdata/alpine-distroless.json.golden
@@ -67,6 +67,9 @@
 "CweIDs": [
 "CWE-427"
 ],
+ "VendorSeverity": {
+ "ubuntu": 2
+ },
 "References": [
 "http://www.openwall.com/lists/oss-security/2022/04/12/7",
 "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24765",
diff --git a/integration/testdata/amazon-1.json.golden b/integration/testdata/amazon-1.json.golden
index 9324ad548e..dde37a9072 100644
--- a/integration/testdata/amazon-1.json.golden
+++ b/integration/testdata/amazon-1.json.golden
@@ -77,6 +77,15 @@
 "CweIDs": [
 "CWE-415"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 4,
+ "oracle-oval": 2,
+ "photon": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/amazon-2.json.golden b/integration/testdata/amazon-2.json.golden
index 5b19f2d5e0..ba19b615df 100644
--- a/integration/testdata/amazon-2.json.golden
+++ b/integration/testdata/amazon-2.json.golden
@@ -77,6 +77,15 @@
 "CweIDs": [
 "CWE-415"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 4,
+ "oracle-oval": 2,
+ "photon": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -136,6 +145,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "arch-linux": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden b/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden
index aa3b62adbc..fe220cabad 100644
--- a/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden
+++ b/integration/testdata/amazonlinux2-gp2-x86-vm.json.golden
@@ -43,6 +43,12 @@
 "Title": "bind: memory leak in ECDSA DNSSEC verification code",
 "Description": "By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources.",
 "Severity": "MEDIUM",
+ "VendorSeverity": {
+ "arch-linux": 2,
+ "nvd": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N",
diff --git a/integration/testdata/busybox-with-lockfile.json.golden b/integration/testdata/busybox-with-lockfile.json.golden
index f17f8796aa..8c02e02b4d 100644
--- a/integration/testdata/busybox-with-lockfile.json.golden
+++ b/integration/testdata/busybox-with-lockfile.json.golden
@@ -76,6 +76,9 @@
 "CweIDs": [
 "CWE-674"
 ],
+ "VendorSeverity": {
+ "nvd": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -115,6 +118,9 @@
 "CweIDs": [
 "CWE-79"
 ],
+ "VendorSeverity": {
+ "nvd": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/integration/testdata/centos-6.json.golden b/integration/testdata/centos-6.json.golden
index 3fbca6d85a..d8cb95553e 100644
--- a/integration/testdata/centos-6.json.golden
+++ b/integration/testdata/centos-6.json.golden
@@ -93,6 +93,14 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -139,6 +147,14 @@
 "CweIDs": [
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/centos-7-ignore-unfixed.json.golden b/integration/testdata/centos-7-ignore-unfixed.json.golden
index f27d999198..49777f0040 100644
--- a/integration/testdata/centos-7-ignore-unfixed.json.golden
+++ b/integration/testdata/centos-7-ignore-unfixed.json.golden
@@ -87,6 +87,14 @@
 "CweIDs": [
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -169,6 +177,16 @@
 "CweIDs": [
 "CWE-327"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 1,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/centos-7-medium.json.golden b/integration/testdata/centos-7-medium.json.golden
index 955c833a34..eb54be5b13 100644
--- a/integration/testdata/centos-7-medium.json.golden
+++ b/integration/testdata/centos-7-medium.json.golden
@@ -87,6 +87,14 @@
 "CweIDs": [
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/centos-7.json.golden b/integration/testdata/centos-7.json.golden
index e549fdac14..333ce10d4e 100644
--- a/integration/testdata/centos-7.json.golden
+++ b/integration/testdata/centos-7.json.golden
@@ -83,6 +83,14 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -133,6 +141,14 @@
 "CweIDs": [
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -215,6 +231,16 @@
 "CweIDs": [
 "CWE-327"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 1,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/cocoapods.json.golden b/integration/testdata/cocoapods.json.golden
index 35ea7c41a0..71c4651e81 100644
--- a/integration/testdata/cocoapods.json.golden
+++ b/integration/testdata/cocoapods.json.golden
@@ -41,6 +41,9 @@
 "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
 "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
 "Severity": "MEDIUM",
+ "VendorSeverity": {
+ "ghsa": 2
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
diff --git a/integration/testdata/composer.lock.json.golden b/integration/testdata/composer.lock.json.golden
index 6b8dbc6cf6..02718c7cab 100644
--- a/integration/testdata/composer.lock.json.golden
+++ b/integration/testdata/composer.lock.json.golden
@@ -78,6 +78,9 @@
 "CweIDs": [
 "CWE-20"
 ],
+ "VendorSeverity": {
+ "ghsa": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
diff --git a/integration/testdata/conda-spdx.json.golden b/integration/testdata/conda-spdx.json.golden
index 9fc685b4aa..73b3394e66 100644
--- a/integration/testdata/conda-spdx.json.golden
+++ b/integration/testdata/conda-spdx.json.golden
@@ -74,17 +74,6 @@
 }
 ],
 "files": [
- {
- "fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json",
- "SPDXID": "SPDXRef-File-600e5e0110a84891",
- "checksums": [
- {
- "algorithm": "SHA1",
- "checksumValue": "237db0da53131e4548cb1181337fa0f420299e1f"
- }
- ],
- "copyrightText": ""
- },
 {
 "fileName": "miniconda3/envs/testenv/conda-meta/pip-22.2.2-py38h06a4308_0.json",
 "SPDXID": "SPDXRef-File-7eb62e2a3edddc0a",
@@ -95,6 +84,17 @@
 }
 ],
 "copyrightText": ""
+ },
+ {
+ "fileName": "miniconda3/envs/testenv/conda-meta/openssl-1.1.1q-h7f8727e_0.json",
+ "SPDXID": "SPDXRef-File-600e5e0110a84891",
+ "checksums": [
+ {
+ "algorithm": "SHA1",
+ "checksumValue": "237db0da53131e4548cb1181337fa0f420299e1f"
+ }
+ ],
+ "copyrightText": ""
 }
 ],
 "relationships": [
@@ -108,16 +108,6 @@
 "relatedSpdxElement": "SPDXRef-Application-ee5ef1aa4ac89125",
 "relationshipType": "CONTAINS"
 },
- {
- "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
- "relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
- "relationshipType": "CONTAINS"
- },
- {
- "spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
- "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
- "relationshipType": "CONTAINS"
- },
 {
 "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
 "relatedSpdxElement": "SPDXRef-Package-195557cddf18e4a9",
@@ -127,6 +117,16 @@
 "spdxElementId": "SPDXRef-Package-195557cddf18e4a9",
 "relatedSpdxElement": "SPDXRef-File-7eb62e2a3edddc0a",
 "relationshipType": "CONTAINS"
+ },
+ {
+ "spdxElementId": "SPDXRef-Application-ee5ef1aa4ac89125",
+ "relatedSpdxElement": "SPDXRef-Package-c75d9dc75200186f",
+ "relationshipType": "CONTAINS"
+ },
+ {
+ "spdxElementId": "SPDXRef-Package-c75d9dc75200186f",
+ "relatedSpdxElement": "SPDXRef-File-600e5e0110a84891",
+ "relationshipType": "CONTAINS"
 }
 ]
 }
\ No newline at end of file
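Review bot: The conda-spdx hunks move the openssl-1.1.1q file entry and its two CONTAINS relationships behind the pip entries without changing a single value, which looks like the SPDX emitter's file and relationship ordering shifted as a side effect rather than a deliberate fixture update. If that order comes from map iteration or from a sort key unrelated to the element, this golden will churn again and the SBOM will not be byte-reproducible across runs, which matters when consumers compare or sign it. Consider having the emitter sort `files` by `SPDXID` and `relationships` by (`spdxElementId`, `relatedSpdxElement`) and regenerating the golden once, or stating in the commit message why the new order is the intended one. The remaining hunks on this page only add `VendorSeverity` blocks to golden fixtures and need no review.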
diff --git a/integration/testdata/debian-buster-ignore-unfixed.json.golden b/integration/testdata/debian-buster-ignore-unfixed.json.golden
index 57c94d41b6..0ef080d4a7 100644
--- a/integration/testdata/debian-buster-ignore-unfixed.json.golden
+++ b/integration/testdata/debian-buster-ignore-unfixed.json.golden
@@ -80,6 +80,12 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/debian-buster.json.golden b/integration/testdata/debian-buster.json.golden
index 6124ab93de..67a40b7b5a 100644
--- a/integration/testdata/debian-buster.json.golden
+++ b/integration/testdata/debian-buster.json.golden
@@ -76,6 +76,15 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "debian": 1,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -131,6 +140,12 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/debian-stretch.json.golden b/integration/testdata/debian-stretch.json.golden
index 0b31b5eeda..7c8893cbda 100644
--- a/integration/testdata/debian-stretch.json.golden
+++ b/integration/testdata/debian-stretch.json.golden
@@ -77,6 +77,15 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "debian": 1,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -132,6 +141,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -193,6 +211,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -254,6 +281,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -315,6 +351,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/distroless-base.json.golden b/integration/testdata/distroless-base.json.golden
index ff3156dacf..b9ce4e3b40 100644
--- a/integration/testdata/distroless-base.json.golden
+++ b/integration/testdata/distroless-base.json.golden
@@ -75,6 +75,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -150,6 +158,14 @@
 "CWE-327",
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 1,
+ "oracle-oval": 2,
+ "photon": 1,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -227,6 +243,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -302,6 +326,14 @@
 "CWE-327",
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 1,
+ "oracle-oval": 2,
+ "photon": 1,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/distroless-python27.json.golden b/integration/testdata/distroless-python27.json.golden
index 4e6a2464b9..d97edd78bf 100644
--- a/integration/testdata/distroless-python27.json.golden
+++ b/integration/testdata/distroless-python27.json.golden
@@ -92,6 +92,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -167,6 +175,14 @@
 "CWE-327",
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 1,
+ "oracle-oval": 2,
+ "photon": 1,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
@@ -244,6 +260,14 @@
 "CweIDs": [
 "CWE-200"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "nvd": 2,
+ "oracle-oval": 1,
+ "photon": 2,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -319,6 +343,14 @@
 "CWE-327",
 "CWE-203"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 1,
+ "oracle-oval": 2,
+ "photon": 1,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/dotnet.json.golden b/integration/testdata/dotnet.json.golden
index d046249654..c2d51a2080 100644
--- a/integration/testdata/dotnet.json.golden
+++ b/integration/testdata/dotnet.json.golden
@@ -54,6 +54,9 @@
 "CweIDs": [
 "CWE-755"
 ],
+ "VendorSeverity": {
+ "ghsa": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
diff --git a/integration/testdata/fluentd-gems.json.golden b/integration/testdata/fluentd-gems.json.golden
index f75e6ac6fb..eb24957e0a 100644
--- a/integration/testdata/fluentd-gems.json.golden
+++ b/integration/testdata/fluentd-gems.json.golden
@@ -133,6 +133,12 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -195,6 +201,11 @@
 "CweIDs": [
 "CWE-502"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/fluentd-multiple-lockfiles.json.golden b/integration/testdata/fluentd-multiple-lockfiles.json.golden
index a3917f31d7..c067638c8d 100644
--- a/integration/testdata/fluentd-multiple-lockfiles.json.golden
+++ b/integration/testdata/fluentd-multiple-lockfiles.json.golden
@@ -45,6 +45,15 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "debian": 1,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -97,6 +106,12 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "nvd": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -157,6 +172,11 @@
 "CweIDs": [
 "CWE-502"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/gomod-skip.json.golden b/integration/testdata/gomod-skip.json.golden
index a0ad5e7182..8f1e4f643c 100644
--- a/integration/testdata/gomod-skip.json.golden
+++ b/integration/testdata/gomod-skip.json.golden
@@ -65,6 +65,9 @@
 "CweIDs": [
 "CWE-682"
 ],
+ "VendorSeverity": {
+ "nvd": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/integration/testdata/gomod.json.golden b/integration/testdata/gomod.json.golden
index fb495a8e07..4d553e7ca2 100644
--- a/integration/testdata/gomod.json.golden
+++ b/integration/testdata/gomod.json.golden
@@ -65,6 +65,9 @@
 "CweIDs": [
 "CWE-682"
 ],
+ "VendorSeverity": {
+ "nvd": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/integration/testdata/gradle.json.golden b/integration/testdata/gradle.json.golden
index 48c2580b8c..9ff2b02aeb 100644
--- a/integration/testdata/gradle.json.golden
+++ b/integration/testdata/gradle.json.golden
@@ -41,6 +41,11 @@
 "CweIDs": [
 "CWE-502"
 ],
+ "VendorSeverity": {
+ "ghsa": 4,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
@@ -97,6 +102,11 @@
 "CweIDs": [
 "CWE-502"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 3,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
diff --git a/integration/testdata/mariner-1.0.json.golden b/integration/testdata/mariner-1.0.json.golden
index 3c9ccbcd50..4b5ac7b736 100644
--- a/integration/testdata/mariner-1.0.json.golden
+++ b/integration/testdata/mariner-1.0.json.golden
@@ -60,6 +60,9 @@
 "CweIDs": [
 "CWE-122"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3
+ },
 "References": [
 "https://github.com/vim/vim/commit/9f8c304c8a390ade133bac29963dc8e56ab14cbc",
 "https://huntr.dev/bounties/fa795954-8775-4f23-98c6-d4d4d3fe8a82",
@@ -91,6 +94,11 @@
 "CweIDs": [
 "CWE-122"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 1,
+ "nvd": 1,
+ "redhat": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/minikube-kbom.json.golden b/integration/testdata/minikube-kbom.json.golden
index 92215cf7b6..e144904828 100644
--- a/integration/testdata/minikube-kbom.json.golden
+++ b/integration/testdata/minikube-kbom.json.golden
@@ -48,6 +48,9 @@
 "Title": "Bypass of seccomp profile enforcement ",
 "Description": "A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement...",
 "Severity": "LOW",
+ "VendorSeverity": {
+ "k8s": 1
+ },
 "CVSS": {
 "k8s": {
 "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
diff --git a/integration/testdata/mix.lock.json.golden b/integration/testdata/mix.lock.json.golden
index b7180404bc..76eb19ece6 100644
--- a/integration/testdata/mix.lock.json.golden
+++ b/integration/testdata/mix.lock.json.golden
@@ -161,6 +161,9 @@
 "Title": "Phoenix before 1.6.14 mishandles check_origin wildcarding",
 "Description": "socket/transport.ex in Phoenix before 1.6.14 mishandles check_origin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.",
 "Severity": "HIGH",
+ "VendorSeverity": {
+ "ghsa": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
diff --git a/integration/testdata/npm-with-dev.json.golden b/integration/testdata/npm-with-dev.json.golden
index 9ace83bf5b..071bfd18d6 100644
--- a/integration/testdata/npm-with-dev.json.golden
+++ b/integration/testdata/npm-with-dev.json.golden
@@ -257,6 +257,18 @@
 "CweIDs": [
 "CWE-79"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 2,
+ "arch-linux": 2,
+ "ghsa": 2,
+ "nodejs-security-wg": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ruby-advisory-db": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/integration/testdata/npm.json.golden b/integration/testdata/npm.json.golden
index 94dd11ae41..ec19f9d597 100644
--- a/integration/testdata/npm.json.golden
+++ b/integration/testdata/npm.json.golden
@@ -240,6 +240,18 @@
 "CweIDs": [
 "CWE-79"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 2,
+ "arch-linux": 2,
+ "ghsa": 2,
+ "nodejs-security-wg": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ruby-advisory-db": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/integration/testdata/nuget.json.golden b/integration/testdata/nuget.json.golden
index c0285aea95..5027f75894 100644
--- a/integration/testdata/nuget.json.golden
+++ b/integration/testdata/nuget.json.golden
@@ -71,6 +71,9 @@
 "CweIDs": [
 "CWE-755"
 ],
+ "VendorSeverity": {
+ "ghsa": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
diff --git a/integration/testdata/opensuse-leap-151.json.golden b/integration/testdata/opensuse-leap-151.json.golden
index 5b66db1b58..ed0c29a6d8 100644
--- a/integration/testdata/opensuse-leap-151.json.golden
+++ b/integration/testdata/opensuse-leap-151.json.golden
@@ -82,6 +82,9 @@
 "Title": "Security update for openssl-1_1",
 "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
 "Severity": "MEDIUM",
+ "VendorSeverity": {
+ "suse-cvrf": 2
+ },
 "References": [
 "https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
 "https://www.suse.com/support/security/rating/"
@@ -108,6 +111,9 @@
 "Title": "Security update for openssl-1_1",
 "Description": "This update for openssl-1_1 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2019-1551: Fixed an overflow bug in the x64_64 Montgomery squaring procedure used in exponentiation with 512-bit moduli (bsc#1158809). \n\nVarious FIPS related improvements were done:\n\n- FIPS: Backport SSH KDF to openssl (jsc#SLE-8789, bsc#1157775).\n- Port FIPS patches from SLE-12 (bsc#1158101).\n- Use SHA-2 in the RSA pairwise consistency check (bsc#1155346).\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.",
 "Severity": "MEDIUM",
+ "VendorSeverity": {
+ "suse-cvrf": 2
+ },
 "References": [
 "https://lists.opensuse.org/opensuse-security-announce/2020-01/msg00030.html",
 "https://www.suse.com/support/security/rating/"
diff --git a/integration/testdata/oraclelinux-8.json.golden b/integration/testdata/oraclelinux-8.json.golden
index d44fb10ec3..b00634c107 100644
--- a/integration/testdata/oraclelinux-8.json.golden
+++ b/integration/testdata/oraclelinux-8.json.golden
@@ -86,6 +86,15 @@
 "CweIDs": [
 "CWE-125"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -144,6 +153,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 1,
+ "arch-linux": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/packagesprops.json.golden b/integration/testdata/packagesprops.json.golden
index 132152aaf7..77a6cb03c5 100644
--- a/integration/testdata/packagesprops.json.golden
+++ b/integration/testdata/packagesprops.json.golden
@@ -50,6 +50,9 @@
 "CweIDs": [
 "CWE-755"
 ],
+ "VendorSeverity": {
+ "ghsa": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
diff --git a/integration/testdata/photon-30.json.golden b/integration/testdata/photon-30.json.golden
index f27af155f4..5a97889fd3 100644
--- a/integration/testdata/photon-30.json.golden
+++ b/integration/testdata/photon-30.json.golden
@@ -87,6 +87,14 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -139,6 +147,15 @@
 "CweIDs": [
 "CWE-415"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 4,
+ "oracle-oval": 2,
+ "photon": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
@@ -198,6 +215,15 @@
 "CweIDs": [
 "CWE-415"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "arch-linux": 2,
+ "nvd": 4,
+ "oracle-oval": 2,
+ "photon": 4,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/pip.json.golden b/integration/testdata/pip.json.golden
index ef4af98f62..60590d12ea 100644
--- a/integration/testdata/pip.json.golden
+++ b/integration/testdata/pip.json.golden
@@ -78,6 +78,12 @@
 "CweIDs": [
 "CWE-331"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -125,6 +131,12 @@
 "CweIDs": [
 "CWE-601"
 ],
+ "VendorSeverity": {
+ "ghsa": 2,
+ "nvd": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
diff --git a/integration/testdata/pipenv.json.golden b/integration/testdata/pipenv.json.golden
index 507ecfe6a4..f777222788 100644
--- a/integration/testdata/pipenv.json.golden
+++ b/integration/testdata/pipenv.json.golden
@@ -54,6 +54,12 @@
 "CweIDs": [
 "CWE-331"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
@@ -101,6 +107,12 @@
 "CweIDs": [
 "CWE-601"
 ],
+ "VendorSeverity": {
+ "ghsa": 2,
+ "nvd": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
diff --git a/integration/testdata/pnpm.json.golden b/integration/testdata/pnpm.json.golden
index d5001c1758..2f69244be1 100644
--- a/integration/testdata/pnpm.json.golden
+++ b/integration/testdata/pnpm.json.golden
@@ -42,6 +42,18 @@
 "CweIDs": [
 "CWE-79"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 2,
+ "arch-linux": 2,
+ "ghsa": 2,
+ "nodejs-security-wg": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ruby-advisory-db": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
@@ -156,6 +168,11 @@
 "Title": "nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties",
 "Description": "Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.",
 "Severity": "CRITICAL",
+ "VendorSeverity": {
+ "ghsa": 4,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
diff --git a/integration/testdata/poetry.json.golden b/integration/testdata/poetry.json.golden
index ac174525bc..26f4085bf9 100644
--- a/integration/testdata/poetry.json.golden
+++ b/integration/testdata/poetry.json.golden
@@ -66,6 +66,12 @@
 "CweIDs": [
 "CWE-331"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 3,
+ "redhat": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
diff --git a/integration/testdata/pom.json.golden b/integration/testdata/pom.json.golden
index 249f3c2450..bf8d69f412 100644
--- a/integration/testdata/pom.json.golden
+++ b/integration/testdata/pom.json.golden
@@ -42,6 +42,11 @@
 "CweIDs": [
 "CWE-502"
 ],
+ "VendorSeverity": {
+ "ghsa": 4,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
@@ -99,6 +104,11 @@
 "CweIDs": [
 "CWE-502"
 ],
+ "VendorSeverity": {
+ "ghsa": 3,
+ "nvd": 3,
+ "redhat": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:P/A:C",
diff --git a/integration/testdata/pubspec.lock.json.golden b/integration/testdata/pubspec.lock.json.golden
index bceade5a9b..a7e76e3153 100644
--- a/integration/testdata/pubspec.lock.json.golden
+++ b/integration/testdata/pubspec.lock.json.golden
@@ -57,6 +57,9 @@
 "CweIDs": [
 "CWE-74"
 ],
+ "VendorSeverity": {
+ "ghsa": 2
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
diff --git a/integration/testdata/rockylinux-8.json.golden b/integration/testdata/rockylinux-8.json.golden
index 67ecc66b24..c47d694558 100644
--- a/integration/testdata/rockylinux-8.json.golden
+++ b/integration/testdata/rockylinux-8.json.golden
@@ -76,6 +76,18 @@
 "CweIDs": [
 "CWE-125"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 2,
+ "arch-linux": 3,
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "oracle-oval": 2,
+ "photon": 3,
+ "redhat": 2,
+ "rocky": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:P/I:N/A:P",
diff --git a/integration/testdata/spring4shell-jre11.json.golden b/integration/testdata/spring4shell-jre11.json.golden
index 1b9d2db688..b6ad22e931 100644
--- a/integration/testdata/spring4shell-jre11.json.golden
+++ b/integration/testdata/spring4shell-jre11.json.golden
@@ -218,6 +218,11 @@
 "CweIDs": [
 "CWE-94"
 ],
+ "VendorSeverity": {
+ "ghsa": 4,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
diff --git a/integration/testdata/spring4shell-jre8.json.golden b/integration/testdata/spring4shell-jre8.json.golden
index 13fbc39433..f894c07d65 100644
--- a/integration/testdata/spring4shell-jre8.json.golden
+++ b/integration/testdata/spring4shell-jre8.json.golden
@@ -218,6 +218,11 @@
 "CweIDs": [
 "CWE-94"
 ],
+ "VendorSeverity": {
+ "ghsa": 4,
+ "nvd": 4,
+ "redhat": 3
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
diff --git a/integration/testdata/swift.json.golden b/integration/testdata/swift.json.golden
index 10b004671c..47d1d28504 100644
--- a/integration/testdata/swift.json.golden
+++ b/integration/testdata/swift.json.golden
@@ -59,6 +59,9 @@
 "Title": "SwiftNIO vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')",
 "Description": "`NIOHTTP1` and projects using it for generating HTTP responses, including SwiftNIO, can be subject to a HTTP Response Injection attack...",
 "Severity": "MEDIUM",
+ "VendorSeverity": {
+ "ghsa": 2
+ },
 "CVSS": {
 "ghsa": {
 "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
diff --git a/integration/testdata/test-repo.json.golden b/integration/testdata/test-repo.json.golden
index 4235056228..b98f0e94f0 100644
--- a/integration/testdata/test-repo.json.golden
+++ b/integration/testdata/test-repo.json.golden
@@ -41,6 +41,9 @@
 "CweIDs": [
 "CWE-674"
 ],
+ "VendorSeverity": {
+ "nvd": 3
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
@@ -77,6 +80,9 @@
 "CweIDs": [
 "CWE-79"
 ],
+ "VendorSeverity": {
+ "nvd": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/integration/testdata/ubi-7.json.golden b/integration/testdata/ubi-7.json.golden
index c2939762b9..2b382d42ed 100644
--- a/integration/testdata/ubi-7.json.golden
+++ b/integration/testdata/ubi-7.json.golden
@@ -94,6 +94,14 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
diff --git a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
index a35729b41d..8020b35f59 100644
--- a/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
+++ b/integration/testdata/ubuntu-1804-ignore-unfixed.json.golden
@@ -96,6 +96,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -154,6 +163,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -212,6 +230,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -270,6 +297,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/ubuntu-1804.json.golden b/integration/testdata/ubuntu-1804.json.golden
index 8c8d174674..bbca0359b3 100644
--- a/integration/testdata/ubuntu-1804.json.golden
+++ b/integration/testdata/ubuntu-1804.json.golden
@@ -95,6 +95,14 @@
 "CweIDs": [
 "CWE-273"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "oracle-oval": 1,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
@@ -147,6 +155,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -205,6 +222,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -263,6 +289,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
@@ -321,6 +356,15 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "amazon": 2,
+ "cbl-mariner": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "photon": 2,
+ "redhat": 2,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P",
diff --git a/integration/testdata/ubuntu-gp2-x86-vm.json.golden b/integration/testdata/ubuntu-gp2-x86-vm.json.golden
index 1ec3c1c860..485dc37125 100644
--- a/integration/testdata/ubuntu-gp2-x86-vm.json.golden
+++ b/integration/testdata/ubuntu-gp2-x86-vm.json.golden
@@ -40,6 +40,13 @@
 "CweIDs": [
 "CWE-787"
 ],
+ "VendorSeverity": {
+ "cbl-mariner": 3,
+ "nvd": 3,
+ "photon": 3,
+ "redhat": 1,
+ "ubuntu": 2
+ },
 "CVSS": {
 "nvd": {
 "V3Vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
diff --git a/integration/testdata/yarn.json.golden b/integration/testdata/yarn.json.golden
index 1e90543398..3002b9f9b9 100644
--- a/integration/testdata/yarn.json.golden
+++ b/integration/testdata/yarn.json.golden
@@ -59,6 +59,18 @@
 "CweIDs": [
 "CWE-79"
 ],
+ "VendorSeverity": {
+ "alma": 2,
+ "amazon": 2,
+ "arch-linux": 2,
+ "ghsa": 2,
+ "nodejs-security-wg": 2,
+ "nvd": 2,
+ "oracle-oval": 2,
+ "redhat": 2,
+ "ruby-advisory-db": 2,
+ "ubuntu": 1
+ },
 "CVSS": {
 "nvd": {
 "V2Vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
diff --git a/pkg/report/json_test.go b/pkg/report/json_test.go
index 850afd0035..ea486c1453 100644
--- a/pkg/report/json_test.go
+++ b/pkg/report/json_test.go
@@ -55,6 +55,9 @@ func TestReportWriter_JSON(t *testing.T) {
 Title: "foobar",
 Description: "baz",
 Severity: "HIGH",
+ VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
+ vulnerability.NVD: dbTypes.SeverityHigh,
+ },
 },
 },
 },
diff --git a/pkg/report/predicate/vuln_test.go b/pkg/report/predicate/vuln_test.go
index c574141bfa..a09716b849 100644
--- a/pkg/report/predicate/vuln_test.go
+++ b/pkg/report/predicate/vuln_test.go
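Review bot: The test input in TestReportWriter_JSON now carries a VendorSeverity entry, but nothing in this hunk shows the expected JSON of the case being extended to assert the new key, so the test would still pass if the field were silently dropped from the output again. The expected output sits outside the hunk; please confirm it now contains `"VendorSeverity": {"nvd": 3}` (presumably the integer code for SeverityHigh, matching the values the golden files in this commit show), since pinning that is the whole point of removing the custom marshaler. The same applies to the matching hunk in pkg/report/predicate/vuln_test.go. The enclosing table-driven test case starts before and ends after the hunk.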
@@ -64,6 +64,9 @@ func TestWriter_Write(t *testing.T) {
 Title: "foobar",
 Description: "baz",
 Severity: "HIGH",
+ VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
+ vulnerability.NVD: dbTypes.SeverityHigh,
+ },
 },
 },
 },
diff --git a/pkg/types/report.go b/pkg/types/report.go
index c923097ee4..9d01a704a0 100644
--- a/pkg/types/report.go
+++ b/pkg/types/report.go
@@ -1,7 +1,6 @@
 package types
 
 import (
- "encoding/json"
 "time"
 
 v1 "github.com/google/go-containerregistry/pkg/v1" // nolint: goimports
@@ -114,22 +113,6 @@ type Result struct {
 CustomResources []ftypes.CustomResource `json:"CustomResources,omitempty"`
 }
 
-func (r *Result) MarshalJSON() ([]byte, error) {
- // VendorSeverity includes all vendor severities.
- // It would be noisy to users, so it should be removed from the JSON output.
- for i := range r.Vulnerabilities {
- r.Vulnerabilities[i].VendorSeverity = nil
- }
-
- // Notice the Alias struct prevents MarshalJSON being called infinitely
- type ResultAlias Result
- return json.Marshal(&struct {
- *ResultAlias
- }{
- ResultAlias: (*ResultAlias)(r),
- })
-}
-
 func (r *Result) IsEmpty() bool {
 return len(r.Packages) == 0 && len(r.Vulnerabilities) == 0 && len(r.Misconfigurations) == 0 && len(r.Secrets) == 0 && len(r.Licenses) == 0 && len(r.CustomResources) == 0
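Review bot: Dropping `Result.MarshalJSON` makes `VendorSeverity` a new key of the public JSON report, and the integer values the golden files show (`"nvd": 3`, `"redhat": 1`, …) are not self-describing the way the string `Severity` field is, yet nothing in the diff documents the mapping for consumers. Add a doc comment where the field is declared (outside this diff), along the lines of `// VendorSeverity maps each vulnerability source ID to that vendor's rating, serialised as the dbTypes.Severity integer code (presumably 0 unknown … 4 critical; confirm against trivy-db).` The removed method also cleared every entry's VendorSeverity on the live Result as a side effect of marshaling, so any code that ran after the JSON writer and relied on the field being nil, if such code exists, should be re-checked now that the value survives. The `IsEmpty` method at the end of the hunk is context only.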