mod: Update trivy-db to include CVSS score info

Signed-off-by: Simarpreet Singh <simar@linux.com>
aquasecurity · Jun 11, 2020 · 74912ec · 74912ec
1 parent 25d45e1
commit 74912ec
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 4 deletions.
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20200528202907-79693bf4a058
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470
+	github.com/aquasecurity/trivy-db v0.0.0-20200611233630-febb18e734ec
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3

diff --git a/go.sum b/go.sum
@@ -52,8 +52,8 @@ github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ul
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a h1:hsw7PpiymXP64evn/K7gsj3hWzMqLrdoeE6JkqDocVg=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=
-github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470 h1:6VE+g4AK2uivPqZtVk/QtcCBb2rUjAvKqDNexSgqMC0=
-github.com/aquasecurity/trivy-db v0.0.0-20200514134639-7e57e3e02470/go.mod h1:F77bF2nRbcH4EIhhcNEP585MoAKdLpEP3dihF9V1Hbw=
+github.com/aquasecurity/trivy-db v0.0.0-20200611233630-febb18e734ec h1:T3Up06ICfgDcJnuxWsdW9jhcCLUHQ0s3FcYOXzreXb0=
+github.com/aquasecurity/trivy-db v0.0.0-20200611233630-febb18e734ec/go.mod h1:F77bF2nRbcH4EIhhcNEP585MoAKdLpEP3dihF9V1Hbw=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=

diff --git a/pkg/vulnerability/vulnerability_test.go b/pkg/vulnerability/vulnerability_test.go
@@ -146,7 +146,74 @@ func TestClient_FillInfo(t *testing.T) {
 			},
 		},
 		{
-			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and vendor vectors",
+			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and CVSS info",
+			getVulnerability: []db.GetVulnerabilityExpectation{
+				{
+					Args: db.GetVulnerabilityArgs{
+						VulnerabilityID: "CVE-2019-0001",
+					},
+					Returns: db.GetVulnerabilityReturns{
+						Vulnerability: dbTypes.Vulnerability{
+							Title:       "dos",
+							Description: "dos vulnerability",
+							Severity:    dbTypes.SeverityMedium.String(),
+							VendorSeverity: dbTypes.VendorSeverity{
+								vulnerability.RedHat: dbTypes.SeverityLow, // CentOS uses RedHat
+							},
+							CVSS: map[string]dbTypes.CVSS{
+								vulnerability.Nvd: {
+									V2:      "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+									V2Score: 4.5,
+									V3:      "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+									V3Score: 5.6,
+								},
+								vulnerability.RedHat: {
+									V2:      "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+									V2Score: 7.8,
+									V3:      "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+									V3Score: 9.8,
+								},
+							},
+							References: []string{"http://example.com"},
+						},
+					},
+				},
+			},
+			args: args{
+				vulns: []types.DetectedVulnerability{
+					{VulnerabilityID: "CVE-2019-0001"},
+				},
+				reportType: vulnerability.CentOS,
+			},
+			expectedVulnerabilities: []types.DetectedVulnerability{
+				{
+					VulnerabilityID: "CVE-2019-0001",
+					Vulnerability: dbTypes.Vulnerability{
+						Title:       "dos",
+						Description: "dos vulnerability",
+						Severity:    dbTypes.SeverityLow.String(),
+						References:  []string{"http://example.com"},
+						CVSS: map[string]dbTypes.CVSS{
+							vulnerability.Nvd: {
+								V2:      "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+								V2Score: 4.5,
+								V3:      "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								V3Score: 5.6,
+							},
+							vulnerability.RedHat: {
+								V2:      "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+								V2Score: 7.8,
+								V3:      "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								V3Score: 9.8,
+							},
+						},
+					},
+					SeveritySource: vulnerability.RedHat,
+				},
+			},
+		},
+		{
+			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and deprecated vendor vectors",
 			getVulnerability: []db.GetVulnerabilityExpectation{
 				{
 					Args: db.GetVulnerabilityArgs{