db: Update trivy-db to include CVSS score info (#530)

* mod: Update trivy-db to include CVSS score info Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Update go.mod Signed-off-by: Simarpreet Singh <simar@linux.com> * mod: Update trivy-db to latest Signed-off-by: Simarpreet Singh <simar@linux.com>
2025-12-22 07:10:41 -08:00 · 2020-07-07 08:16:42 -07:00
parent 4b57c0d4e6
commit d18d17b861
3 changed files with 71 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200616161554-cd5b3da29bc8
+	github.com/aquasecurity/trivy-db v0.0.0-20200702223044-f0f6ca684644
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
--- a/go.sum
+++ b/go.sum
@@ -52,8 +52,8 @@ github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ul
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a h1:hsw7PpiymXP64evn/K7gsj3hWzMqLrdoeE6JkqDocVg=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=
-github.com/aquasecurity/trivy-db v0.0.0-20200616161554-cd5b3da29bc8 h1:PvRcn3v8lpccqmEEzmJmXrm47ag47OCt8ui+9APi4hA=
-github.com/aquasecurity/trivy-db v0.0.0-20200616161554-cd5b3da29bc8/go.mod h1:EiFA908RL0ACrbYo/9HfT7f9QcdC2bZoIO5XAAcvz9A=
+github.com/aquasecurity/trivy-db v0.0.0-20200702223044-f0f6ca684644 h1:cqYzeXGz/K0kCIIFa2uYe1vrc3ImoA45kDarAo5dz3Y=
+github.com/aquasecurity/trivy-db v0.0.0-20200702223044-f0f6ca684644/go.mod h1:EiFA908RL0ACrbYo/9HfT7f9QcdC2bZoIO5XAAcvz9A=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
--- a/pkg/vulnerability/vulnerability_test.go
+++ b/pkg/vulnerability/vulnerability_test.go
@@ -146,7 +146,74 @@ func TestClient_FillInfo(t *testing.T) {
 			},
 		},
 		{
-			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and vendor vectors",
+			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and CVSS info",
+			getVulnerability: []db.GetVulnerabilityExpectation{
+				{
+					Args: db.GetVulnerabilityArgs{
+						VulnerabilityID: "CVE-2019-0001",
+					},
+					Returns: db.GetVulnerabilityReturns{
+						Vulnerability: dbTypes.Vulnerability{
+							Title:       "dos",
+							Description: "dos vulnerability",
+							Severity:    dbTypes.SeverityMedium.String(),
+							VendorSeverity: dbTypes.VendorSeverity{
+								vulnerability.RedHat: dbTypes.SeverityLow, // CentOS uses RedHat
+							},
+							CVSS: map[string]dbTypes.CVSS{
+								vulnerability.Nvd: {
+									V2Vector: "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+									V2Score:  4.5,
+									V3Vector: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+									V3Score:  5.6,
+								},
+								vulnerability.RedHat: {
+									V2Vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+									V2Score:  7.8,
+									V3Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+									V3Score:  9.8,
+								},
+							},
+							References: []string{"http://example.com"},
+						},
+					},
+				},
+			},
+			args: args{
+				vulns: []types.DetectedVulnerability{
+					{VulnerabilityID: "CVE-2019-0001"},
+				},
+				reportType: vulnerability.CentOS,
+			},
+			expectedVulnerabilities: []types.DetectedVulnerability{
+				{
+					VulnerabilityID: "CVE-2019-0001",
+					Vulnerability: dbTypes.Vulnerability{
+						Title:       "dos",
+						Description: "dos vulnerability",
+						Severity:    dbTypes.SeverityLow.String(),
+						References:  []string{"http://example.com"},
+						CVSS: map[string]dbTypes.CVSS{
+							vulnerability.Nvd: {
+								V2Vector: "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+								V2Score:  4.5,
+								V3Vector: "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								V3Score:  5.6,
+							},
+							vulnerability.RedHat: {
+								V2Vector: "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+								V2Score:  7.8,
+								V3Vector: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								V3Score:  9.8,
+							},
+						},
+					},
+					SeveritySource: vulnerability.RedHat,
+				},
+			},
+		},
+		{
+			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and deprecated vendor vectors",
 			getVulnerability: []db.GetVulnerabilityExpectation{
 				{
 					Args: db.GetVulnerabilityArgs{