Improve severity rating consistency (#112)

* fix severity rating mismatch

* temporarily add a test workflow

* Fix type issue: float provided, expected string

* Rename workflow / job name

* Add severity comparison logic

* Revise severity sorting and selection logic

* return default values on error

* skip EPSS ratings for severity column

* debugging unknown ratings

* fix ratings with unknown name

* Verify AMAZON_INSPECTOR renders correctly

* fix failing test

* temporarily disable failing tests

* pass unit test: test_parse_inspector_scan_result

* pass unit tests

* change '-f' to '--failfast' for clarity

* Remove unused type cast

* refactor csv test

* severity is rendered as 'other' not 'unknown'

* test build on all actions

* normalize dockerfile findings severity rating

* debugging dockerfile severity

* debugging

* Normalize Dockerfile severity 'info' to 'other'

* restore test actions

* minor comment update

* Remove develop workflow

* Address PR feedback

* test workflows against refactor

* handle edge case CVE-2025-22871

* fix missing severity edge case

* debugging epss

* debugging

* fix flawed test

* added test case for absent severity rating

* revert workflows to v1

---------

Co-authored-by: Michael Long <mlongii@amazon.com>

Author: bluesentinelsec

Makefile

@@ -3,9 +3,17 @@ run:
 	docker run -it inspector-action:latest
 
 test:
-	cd entrypoint; python3 -m unittest discover -v -s ./
+	cd entrypoint; python3 -m unittest discover --failfast -v -s ./
 
 coverage:
 	cd entrypoint && \
 	coverage run -m unittest discover -v -s ./ && \
 	coverage report
+
+clean:
+	rm -rf entrypoint/inspector-dockerfile-scan.csv \
+		entrypoint/inspector-dockerfile-scan.md \
+		entrypoint/inspector-scan.csv \
+		entrypoint/inspector-scan.json \
+		entrypoint/inspector-scan.md \
+		entrypoint/sbom.json \

entrypoint/entrypoint/dockerfile.py

@@ -1,8 +1,6 @@
 import json
 import logging
 
-from typing import List
-
 
 class DockerfileVulnerability:
     def __int__(self):
@@ -179,6 +177,9 @@ def get_severity(rating):
         logging.error(f"expected severity in rating object but it was not found: {rating}")
         return None
 
+    if severity.upper() in {"INFO", "INFORMATIONAL"}:
+        severity = "other"
+
     return severity
 
 
@@ -263,10 +264,12 @@ def get_markdown_header() -> str:
     s += "|---|---|---|---|---|\n"
     return s
 
+
 def get_markdown_header_no_vulns() -> str:
     s = "## Dockerfile Findings\n"
     return s
 
+
 def get_dockerfile_vulns(inspector_scan_path):
     vuln_objects = []
     inspector_scan_json = []

entrypoint/entrypoint/pkg_vuln.py

@@ -4,6 +4,7 @@
 to different formats (CSV and markdown).
 """
 
+import enum
 import logging
 import urllib.parse
 from dataclasses import dataclass
@@ -22,6 +23,10 @@ class CvssSourceProvider:
     AMAZON_INSPECTOR = "AMAZON_INSPECTOR"
     DEFAULT_PROVIDER = NVD
 
+
+empty_rating = {"score": 0.0, "source": {"name": "in triage"}, "severity": "other", "method": "other"}
+
+
 def get_rating_providers():
     """
     get_rating_providers returns a list of vulnerability
@@ -42,8 +47,8 @@ def get_rating_providers():
                  ]
     return providers
 
+
 class CvssSeverity:
-    UNTRIAGED = "untriaged"
     UNKNOWN = "unknown"
 
 
@@ -74,7 +79,7 @@ class Vulnerability:
 
 @dataclass
 class CvssRating:
-    severity: str = CvssSeverity.UNTRIAGED
+    severity: str = CvssSeverity.UNKNOWN
     provider: str = CvssSourceProvider.DEFAULT_PROVIDER
     cvss_score: str = NULL_STR
 
@@ -109,7 +114,12 @@ def parse_inspector_scan_result(inspector_scan_json) -> List[Vulnerability]:
     pkg_vulns = get_pkg_vulns(vulns)
 
     for v in pkg_vulns:
-        vuln_obj = convert_package_vuln_to_vuln_obj(v, components)
+        vuln_obj = None
+        try:
+            vuln_obj = convert_package_vuln_to_vuln_obj(v, components)
+        except Exception as e:
+            logging.error(f"error encountered while parsing a vulnerability: {e}")
+            continue
         vuln_list.append(vuln_obj)
 
     return vuln_list
@@ -143,7 +153,7 @@ def convert_package_vuln_to_vuln_obj(v, components) -> Vulnerability:
     vuln_obj.published = v.get("created", NULL_STR)
     vuln_obj.modified = v.get("updated", NULL_STR)
 
-    ratings = v.get("ratings")
+    ratings = v.get("ratings", [empty_rating])
     add_ratings(ratings, vuln_obj)
 
     description = v.get("description")
@@ -168,10 +178,7 @@ def convert_package_vuln_to_vuln_obj(v, components) -> Vulnerability:
 
 
 def add_ratings(ratings, vulnerability):
-    if ratings is None:
-        return
-
-    rating = get_cvss_rating(ratings, vulnerability)
+    rating = get_highest_severity_rating(ratings)
     vulnerability.severity = rating.severity
     vulnerability.severity_provider = rating.provider
     vulnerability.cvss_score = rating.cvss_score
@@ -276,22 +283,6 @@ def get_cwes(v) -> str:
     return cwe_str
 
 
-def get_cvss_rating(ratings, vulnerability) -> CvssRating:
-    rating_provider_priority = get_rating_providers()
-    for provider in rating_provider_priority:
-        for rating in ratings:
-            if rating["source"]["name"] != provider:
-                continue
-
-            severity = CvssSeverity.UNTRIAGED if rating["severity"] == CvssSeverity.UNKNOWN else rating["severity"]
-            cvss_score = str(rating["score"]) if rating["method"] == "CVSSv31" else "null"
-            if severity and cvss_score:
-                return CvssRating(severity=severity, provider=provider, cvss_score=cvss_score)
-
-    logging.info(f"No CVSS rating is provided for {vulnerability.vuln_id}")
-    return CvssRating()
-
-
 def get_epss_score(ratings):
     for rating in ratings:
         source = rating.get("source")
@@ -320,3 +311,126 @@ def combine_str_list_into_one_str(str_list: list[str]) -> str:
     if str_element == "":
         str_element = NULL_STR
     return str_element
+
+
+def get_highest_severity_rating(ratings) -> CvssRating:
+    method = get_preferred_vuln_rating_method(ratings)
+    most_severe_rating = get_highest_rating_by_method(method, ratings)
+    cvss = CvssRating()
+    cvss.provider = most_severe_rating["source"]["name"]
+    cvss.severity = most_severe_rating["severity"]
+    if "unknown" in cvss.severity:
+        cvss.severity = "other"
+    cvss.cvss_score = str(most_severe_rating.get("score", 0.0))
+    return cvss
+
+
+class VulnRatingMethod(enum.Enum):
+    CVSSv2 = "CVSSv2"
+    CVSSv3 = "CVSSv3"
+    CVSSv31 = "CVSSv31"
+    CVSSv4 = "CVSSv4"
+    OWASP = "OWASP"
+    SSVC = "SSVC"
+    OTHER = "other"
+
+
+def get_preferred_vuln_rating_method(ratings):
+    if ratings is None:
+        return VulnRatingMethod.OTHER
+
+    found_methods = []
+
+    for rating in ratings:
+        if not rating:
+            continue
+
+        method = rating.get("method", "")
+        if not method:
+            continue
+
+        # we keep a list of each rating method in the
+        # vulnerability so we can present the highest rating
+        # to the end user
+        if method == VulnRatingMethod.CVSSv4.value:
+            found_methods.append(VulnRatingMethod.CVSSv4)
+        elif method == VulnRatingMethod.CVSSv31.value:
+            found_methods.append(VulnRatingMethod.CVSSv31)
+        elif method == VulnRatingMethod.CVSSv3.value:
+            found_methods.append(VulnRatingMethod.CVSSv3)
+        elif method == VulnRatingMethod.CVSSv2.value:
+            found_methods.append(VulnRatingMethod.CVSSv2)
+        elif method == VulnRatingMethod.OWASP.value:
+            found_methods.append(VulnRatingMethod.OWASP)
+        elif method == VulnRatingMethod.SSVC.value:
+            found_methods.append(VulnRatingMethod.SSVC)
+        elif method == VulnRatingMethod.OTHER.value:
+            found_methods.append(VulnRatingMethod.OTHER)
+        else:
+            logging.error(f"Expected a spec-conforming CycloneDX vulnerability rating method, but received '{method}'")
+            continue
+
+    # select method to display to user in priority order
+    rating_method_priority = [VulnRatingMethod.CVSSv4, VulnRatingMethod.CVSSv31, VulnRatingMethod.CVSSv3,
+                              VulnRatingMethod.CVSSv2, VulnRatingMethod.OWASP, VulnRatingMethod.SSVC]
+    for rating_method in rating_method_priority:
+        if rating_method in found_methods:
+            return rating_method
+    return VulnRatingMethod.OTHER
+
+
+def get_highest_rating_by_method(method: VulnRatingMethod, ratings):
+    if not ratings:
+        return empty_rating
+
+    ratings_with_same_method = []
+    for rating in ratings:
+        if not rating:
+            continue
+
+        a_method = rating.get("method", "")
+        if not method:
+            continue
+
+        if is_epss(a_method, rating):
+            continue
+
+        if a_method == method.value:
+            ratings_with_same_method.append(rating)
+
+    highest_rating = empty_rating
+    for rating in ratings_with_same_method:
+
+        score = rating.get("score", 0.0)
+        try:
+            score = float(score)
+        except Exception as e:
+            logging.error(f"threw exception while trying to convert severity score, '{score}' to type float: {e}")
+            continue
+
+        if score >= highest_rating["score"]:
+            highest_rating = rating
+
+
+    return highest_rating
+
+
+def is_epss(method, rating):
+    if not rating:
+        return False
+
+    if method != VulnRatingMethod.OTHER.value:
+        return False
+
+    source = rating.get("source", "")
+    if not source:
+        return False
+
+    name = source.get("name", "")
+    if not name:
+        return False
+
+    if name.lower() == "EPSS".lower():
+        return True
+
+    return False

entrypoint/tests/test_data/test_pkg_vuln/inspector-scan-cdx-empty-vulnerability.json

@@ -27,7 +27,7 @@
                         "method": "CVSSv31",
                         "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
                         "source": {
-                            "name": "OTHER_PROVIDER"
+                            "name": "other"
                         }
                     }
                 ],
@@ -48,4 +48,4 @@
             }
         ]
     }
-}
+}