Merge pull request #358 from sbs2001/collect_ghsa_severity

Collect ghsa severity

Author: sbs2001

vulnerabilities/importers/github.py

@@ -38,12 +38,13 @@
 from vulnerabilities.data_source import DataSource
 from vulnerabilities.data_source import DataSourceConfiguration
 from vulnerabilities.data_source import Reference
-
+from vulnerabilities.data_source import VulnerabilitySeverity
 from vulnerabilities.package_managers import MavenVersionAPI
 from vulnerabilities.package_managers import NugetVersionAPI
 from vulnerabilities.package_managers import ComposerVersionAPI
 from vulnerabilities.package_managers import PypiVersionAPI
 from vulnerabilities.package_managers import RubyVersionAPI
+from vulnerabilities.severity_systems import scoring_systems
 
 # set of all possible values of first '%s' = {'MAVEN','COMPOSER', 'NUGET', 'RUBYGEMS', 'PYPI'}
 # second '%s' is interesting, it will have the value '' for the first request,
@@ -63,6 +64,7 @@
                 references {
                     url
                 }
+                severity
                 }
                 package {
                 name
@@ -222,9 +224,24 @@ def process_response(self) -> List[Advisory]:
                     vuln_references = self.extract_references(adv["node"]["advisory"]["references"])
                     vuln_desc = adv["node"]["advisory"]["summary"]
 
-                    for vuln in adv["node"]["advisory"]["identifiers"]:
-                        if vuln["type"] == "CVE":
-                            cve_ids.add(vuln["value"])
+                    for identifier in adv["node"]["advisory"]["identifiers"]:
+                        # collect CVEs
+                        if identifier["type"] == "CVE":
+                            cve_ids.add(identifier["value"])
+
+                        # attach the GHSA with severity score
+                        if identifier["type"] == "GHSA":
+                            for ref in vuln_references:
+                                if ref.reference_id == identifier["value"]:
+                                    ref.severities = [
+                                        VulnerabilitySeverity(
+                                            system=scoring_systems["cvssv3.1_qr"],
+                                            value=adv["node"]["advisory"]["severity"]
+                                        )
+                                    ]
+                                    # Each Node has only one GHSA, hence exit after attaching
+                                    # score to this GHSA
+                                    break
 
                     for cve_id in cve_ids:
                         adv_list.append(

vulnerabilities/severity_systems.py

@@ -74,5 +74,11 @@ def as_score(self, value):
         identifier="avgs",
         name="Archlinux Vulnerability Group Severity",
         url="https://wiki.archlinux.org/index.php/Bug_reporting_guidelines#Severity"
+    ),
+    "cvssv3.1_qr": ScoringSystem(
+        identifier="cvssv3.1_qr",
+        name="CVSSv3.1 Qualitative Severity Rating",
+        url="https://www.first.org/cvss/specification-document",
+        notes="A textual interpretation of severity. Has values like HIGH, MODERATE etc"
     )
 }

vulnerabilities/tests/test_data/github_api/response.json

@@ -20,7 +20,8 @@
                 {
                   "url":"https://github.com/advisories/GHSA-qcxh-w3j9-58qr"
                 }
-              ]
+              ],
+              "severity": "MODERATE"
             },
             "package": {
               "name": "org.apache.tomcat.embed:tomcat-embed-core"
@@ -46,7 +47,8 @@
                 {
                   "url":"https://github.com/advisories/GHSA-qcxh-w3j9-58qr"
                 }
-              ]
+              ],
+              "severity": "HIGH"
             },
             "package": {
               "name": "org.apache.tomcat.embed:tomcat-embed-core"
@@ -72,7 +74,8 @@
                 {
                   "url":"https://github.com/advisories/GHSA-c9hw-wf7x-jp9j"
                 }
-              ]
+              ],
+              "severity": "LOW"
             },
             "package": {
               "name": "org.apache.tomcat.embed:tomcat-embed-core"
@@ -98,7 +101,8 @@
                 {
                   "url":"https://github.com/advisories/GHSA-c9hw-wf7x-jp9j"
                 }
-              ]
+              ],
+              "severity": "MODERATE"
             },
             "package": {
               "name": "org.apache.tomcat.embed:tomcat-embed-core"
@@ -124,7 +128,8 @@
                 {
                   "url":"https://github.com/advisories/GHSA-c9hw-wf7x-jp9j"
                 }
-              ]
+              ],
+              "severity": "LOW"
             },
             "package": {
               "name": "org.apache.tomcat.embed:tomcat-embed-core"