From a57c27eeecb59ccf9c13d6b62839c44ba912a2c5 Mon Sep 17 00:00:00 2001
From: Simarpreet Singh <simar@linux.com>
Date: Thu, 21 May 2020 14:22:14 -0700
Subject: [PATCH] vulnerability: Add CVSS Vectors to JSON output. (#484)

* vulnerability: Add CVSS Vectors to JSON output.

Now Trivy will display the CVSS Vectors presented by various
vendors as part of the JSON output. This can be seen as follows:

```
      {
        "VulnerabilityID": "CVE-2019-9923",
        "PkgName": "tar",
        "InstalledVersion": "1.30+dfsg-6",
        "Layer": {
          "Digest": "sha256:90fe46dd819953eb995f9cc9c326130abe9dd0b3993a998e12c01d0218a0b831",
          "DiffID": "sha256:e40d297cf5f89a9822af4c2f63caa2f2085d5aa188137506918e603774b083cb"
        },
        "SeveritySource": "debian",
        "Title": "tar: null-pointer dereference in pax_decode_header in sparse.c",
        "Description": "pax_decode_header in sparse.c in GNU Tar before 1.32 had a NULL pointer dereference when parsing certain archives that have malformed extended headers.",
        "Severity": "LOW",
        "VendorVectors": {
          "nvd": {
            "v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
          },
          "redhat": {
            "v3": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"
          }
        },
        "References": [
          "http://git.savannah.gnu.org/cgit/tar.git/commit/?id=cb07844454d8cc9fb21f53ace75975f91185a120",
          "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00077.html",
          "http://savannah.gnu.org/bugs/?55369",
          "https://bugs.launchpad.net/ubuntu/+source/tar/+bug/1810241"
        ]
      },
```

Signed-off-by: Simarpreet Singh <simar@linux.com>

* mod: Update to latest master of trivy-db

Signed-off-by: Simarpreet Singh <simar@linux.com>

* vulnerability_test: Fix tests for new struct type

Signed-off-by: Simarpreet Singh <simar@linux.com>
---
 go.mod                                  |  2 +-
 go.sum                                  |  6 ++++--
 pkg/vulnerability/vulnerability_test.go | 24 ++++++++++++++++++++++--
 3 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index 8adfa4cc4b..9bc17b4bee 100644
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20200505074551-9239a362deca
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200430091154-7c0a6e1ad398
+	github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
diff --git a/go.sum b/go.sum
index 60331f18fe..4224b98055 100644
--- a/go.sum
+++ b/go.sum
@@ -49,8 +49,8 @@ github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ul
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a h1:hsw7PpiymXP64evn/K7gsj3hWzMqLrdoeE6JkqDocVg=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=
-github.com/aquasecurity/trivy-db v0.0.0-20200430091154-7c0a6e1ad398 h1:+13ICJ+UlP/1aHZixBv1EdhS+4kTdY0ASJOktnCUOfI=
-github.com/aquasecurity/trivy-db v0.0.0-20200430091154-7c0a6e1ad398/go.mod h1:8mrJtzlmPGWO1uVwPurDrybthyA/eZ7voMO9b54rdRw=
+github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470 h1:6VE+g4AK2uivPqZtVk/QtcCBb2rUjAvKqDNexSgqMC0=
+github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470/go.mod h1:F77bF2nRbcH4EIhhcNEP585MoAKdLpEP3dihF9V1Hbw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
@@ -460,6 +460,7 @@ golang.org/x/crypto v0.0.0-20180910181607-0e37d006457b/go.mod h1:6SG95UA2DQfeDnf
 golang.org/x/crypto v0.0.0-20181203042331-505ab145d0a9/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20190404164418-38d8ce5564a5/go.mod h1:WFFai1msRO1wXaEeE5yQxYXgSfI8pQAWXbQop6sCtWE=
 golang.org/x/crypto v0.0.0-20190510104115-cbcb75029529/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20190611184440-5c40567a22f8/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
@@ -524,6 +525,7 @@ golang.org/x/sys v0.0.0-20190209173611-3b5209105503/go.mod h1:STP8DvDyc/dI5b8T5h
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190312061237-fead79001313/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190403152447-81d4e9dc473e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
diff --git a/pkg/vulnerability/vulnerability_test.go b/pkg/vulnerability/vulnerability_test.go
index 71f9c28f1c..3ecb85fdad 100644
--- a/pkg/vulnerability/vulnerability_test.go
+++ b/pkg/vulnerability/vulnerability_test.go
@@ -60,7 +60,7 @@ func TestClient_FillInfo(t *testing.T) {
 				vulns: []types.DetectedVulnerability{
 					{VulnerabilityID: "CVE-2019-0001"},
 				},
-				reportType: vulnerability.Ubuntu,
+				reportType: vulnerability.RedHat,
 			},
 			expectedVulnerabilities: []types.DetectedVulnerability{
 				{
@@ -146,7 +146,7 @@ func TestClient_FillInfo(t *testing.T) {
 			},
 		},
 		{
-			name: "happy path, with only OS vulnerability, yes vendor severity",
+			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and vendor vectors",
 			getVulnerability: []db.GetVulnerabilityExpectation{
 				{
 					Args: db.GetVulnerabilityArgs{
@@ -160,6 +160,16 @@ func TestClient_FillInfo(t *testing.T) {
 							VendorSeverity: dbTypes.VendorSeverity{
 								vulnerability.RedHat: dbTypes.SeverityLow, // CentOS uses RedHat
 							},
+							VendorVectors: map[string]dbTypes.CVSSVector{
+								vulnerability.Nvd: {
+									V2: "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+									V3: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								},
+								vulnerability.RedHat: {
+									V2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+									V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								},
+							},
 							References: []string{"http://example.com"},
 						},
 					},
@@ -179,6 +189,16 @@ func TestClient_FillInfo(t *testing.T) {
 						Description: "dos vulnerability",
 						Severity:    dbTypes.SeverityLow.String(),
 						References:  []string{"http://example.com"},
+						VendorVectors: map[string]dbTypes.CVSSVector{
+							vulnerability.Nvd: {
+								V2: "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+								V3: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+							},
+							vulnerability.RedHat: {
+								V2: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+								V3: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+							},
+						},
 					},
 					SeveritySource: vulnerability.RedHat,
 				},