More complete severity parsing for v6 DBs (#2431)

* more complete severity parsing

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* update rounding to cvss spec

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

* enforce severity string case

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

---------

Signed-off-by: Alex Goodman <wagoodman@users.noreply.github.com>

Author: wagoodman

go.mod

@@ -51,6 +51,7 @@ require (
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/openvex/go-vex v0.2.5
 	github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554
+	github.com/pandatix/go-cvss v0.6.2
 	// pinned to pull in 386 arch fix: https://github.com/scylladb/go-set/commit/cc7b2070d91ebf40d233207b633e28f5bd8f03a5
 	github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e
 	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3

go.sum

@@ -1346,6 +1346,8 @@ github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554 h1:FvA4bwjKp
 github.com/owenrumney/go-sarif v1.1.2-0.20231003122901-1000f5e05554/go.mod h1:n73K/hcuJ50MiVznXyN4rde6fZY7naGKWBXOLFTyc94=
 github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
 github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
+github.com/pandatix/go-cvss v0.6.2 h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI=
+github.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM=

grype/db/v6/blobs.go

@@ -92,17 +92,14 @@ type CVSSSeverity struct {
 
 	// Version is the CVSS version (e.g. "3.0")
 	Version string `json:"version,omitempty"`
-
-	// Score is the evaluated CVSS vector as a scalar between 0 and 10
-	Score float64 `json:"score"`
 }
 
 func (c CVSSSeverity) String() string {
 	vector := c.Vector
 	if !strings.HasPrefix(strings.ToLower(c.Vector), "cvss:") && c.Version != "" {
 		vector = fmt.Sprintf("CVSS:%s/%s", c.Version, c.Vector)
 	}
-	return fmt.Sprintf("%s (%1.1f)", vector, c.Score)
+	return vector
 }
 
 // AffectedPackageBlob represents a package affected by a vulnerability.

grype/db/v6/cvss.go

@@ -0,0 +1,199 @@
+package v6
+
+import (
+	"fmt"
+	"math"
+	"strings"
+
+	gocvss20 "github.com/pandatix/go-cvss/20"
+	gocvss30 "github.com/pandatix/go-cvss/30"
+	gocvss31 "github.com/pandatix/go-cvss/31"
+	gocvss40 "github.com/pandatix/go-cvss/40"
+
+	"github.com/anchore/grype/grype/vulnerability"
+	"github.com/anchore/grype/internal/log"
+)
+
+func extractSeverities(vuln *VulnerabilityHandle) (vulnerability.Severity, []vulnerability.Cvss, error) {
+	if vuln.BlobValue == nil {
+		return vulnerability.UnknownSeverity, nil, nil
+	}
+	sev := vulnerability.UnknownSeverity
+	if len(vuln.BlobValue.Severities) > 0 {
+		var err error
+		// grype DB v6+ will order the set of severities by rank, so we can just take the first one
+		sev, err = extractSeverity(vuln.BlobValue.Severities[0].Value)
+		if err != nil {
+			return vulnerability.UnknownSeverity, nil, fmt.Errorf("unable to extract severity: %w", err)
+		}
+	}
+	return sev, toCvss(vuln.BlobValue.Severities...), nil
+}
+
+func extractSeverity(severity any) (vulnerability.Severity, error) {
+	switch sev := severity.(type) {
+	case string:
+		return vulnerability.ParseSeverity(sev), nil
+	case CVSSSeverity:
+		metrics, err := parseCVSS(sev.Vector)
+		if err != nil {
+			return vulnerability.UnknownSeverity, fmt.Errorf("unable to parse CVSS vector: %w", err)
+		}
+		if metrics == nil {
+			return vulnerability.UnknownSeverity, nil
+		}
+		return interpretCVSS(metrics.BaseScore, sev.Version), nil
+	default:
+		return vulnerability.UnknownSeverity, nil
+	}
+}
+
+func parseCVSS(vector string) (*vulnerability.CvssMetrics, error) {
+	switch {
+	case strings.HasPrefix(vector, "CVSS:3.0"):
+		cvss, err := gocvss30.ParseVector(vector)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse CVSS v3 vector: %w", err)
+		}
+		ex := roundScore(cvss.Exploitability())
+		im := roundScore(cvss.Impact())
+		return &vulnerability.CvssMetrics{
+			BaseScore:           roundScore(cvss.BaseScore()),
+			ExploitabilityScore: &ex,
+			ImpactScore:         &im,
+		}, nil
+	case strings.HasPrefix(vector, "CVSS:3.1"):
+		cvss, err := gocvss31.ParseVector(vector)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse CVSS v3.1 vector: %w", err)
+		}
+		ex := roundScore(cvss.Exploitability())
+		im := roundScore(cvss.Impact())
+		return &vulnerability.CvssMetrics{
+			BaseScore:           roundScore(cvss.BaseScore()),
+			ExploitabilityScore: &ex,
+			ImpactScore:         &im,
+		}, nil
+	case strings.HasPrefix(vector, "CVSS:4.0"):
+		cvss, err := gocvss40.ParseVector(vector)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse CVSS v4.0 vector: %w", err)
+		}
+		// there are no exploitability and impact scores in CVSS v4.0
+		return &vulnerability.CvssMetrics{
+			BaseScore: roundScore(cvss.Score()),
+		}, nil
+	default:
+		// should be CVSS v2.0 or is invalid
+		cvss, err := gocvss20.ParseVector(vector)
+		if err != nil {
+			return nil, fmt.Errorf("unable to parse CVSS v2 vector: %w", err)
+		}
+		ex := roundScore(cvss.Exploitability())
+		im := roundScore(cvss.Impact())
+		return &vulnerability.CvssMetrics{
+			BaseScore:           roundScore(cvss.BaseScore()),
+			ExploitabilityScore: &ex,
+			ImpactScore:         &im,
+		}, nil
+	}
+}
+
+// roundScore rounds the score to the nearest tenth based on first.org rounding rules
+// see https://www.first.org/cvss/v3.1/specification-document#Appendix-A---Floating-Point-Rounding
+func roundScore(score float64) float64 {
+	intInput := int(math.Round(score * 100000))
+	if intInput%10000 == 0 {
+		return float64(intInput) / 100000.0
+	}
+	return (math.Floor(float64(intInput)/10000.0) + 1) / 10.0
+}
+
+func interpretCVSS(score float64, version string) vulnerability.Severity {
+	switch version {
+	case "2.0":
+		return interpretCVSSv2(score)
+	case "3.0", "3.1", "4.0":
+		return interpretCVSSv3Plus(score)
+	default:
+		return vulnerability.UnknownSeverity
+	}
+}
+
+func interpretCVSSv2(score float64) vulnerability.Severity {
+	if score < 0 {
+		return vulnerability.UnknownSeverity
+	}
+	if score == 0 {
+		return vulnerability.NegligibleSeverity
+	}
+	if score < 4.0 {
+		return vulnerability.LowSeverity
+	}
+	if score < 7.0 {
+		return vulnerability.MediumSeverity
+	}
+	if score <= 10.0 {
+		return vulnerability.HighSeverity
+	}
+	return vulnerability.UnknownSeverity
+}
+
+func interpretCVSSv3Plus(score float64) vulnerability.Severity {
+	if score < 0 {
+		return vulnerability.UnknownSeverity
+	}
+	if score == 0 {
+		return vulnerability.NegligibleSeverity
+	}
+	if score < 4.0 {
+		return vulnerability.LowSeverity
+	}
+	if score < 7.0 {
+		return vulnerability.MediumSeverity
+	}
+	if score < 9.0 {
+		return vulnerability.HighSeverity
+	}
+	if score <= 10.0 {
+		return vulnerability.CriticalSeverity
+	}
+	return vulnerability.UnknownSeverity
+}
+
+func toCvss(severities ...Severity) []vulnerability.Cvss {
+	//nolint:prealloc
+	var out []vulnerability.Cvss
+	for _, sev := range severities {
+		switch sev.Scheme {
+		case SeveritySchemeCVSS:
+		default:
+			// not a CVSS score
+			continue
+		}
+		cvssSev, ok := sev.Value.(CVSSSeverity)
+		if !ok {
+			// not a CVSS score
+			continue
+		}
+		var usedMetrics vulnerability.CvssMetrics
+		// though the DB has the base score, we parse the vector for all metrics
+		metrics, err := parseCVSS(cvssSev.Vector)
+		if err != nil {
+			log.WithFields("vector", cvssSev.Vector, "error", err).Warn("unable to parse CVSS vector")
+			continue
+		}
+		if metrics != nil {
+			usedMetrics = *metrics
+		}
+
+		out = append(out, vulnerability.Cvss{
+			Source:  sev.Source,
+			Type:    string(sev.Scheme),
+			Version: cvssSev.Version,
+			Vector:  cvssSev.Vector,
+			Metrics: usedMetrics,
+		})
+	}
+	return out
+}