severity and cvss metrics support.

Author: chen-keinan

client/client_test.go

@@ -19,13 +19,13 @@ import (
 
 var testVuln1 string = `[
 	{"ID":"ID1","Package":{"Name":"golang.org/example/one","Ecosystem":"go"}, "Summary":"",
-	 "Severity":2,"Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.2.0"}]},
+	 "Severity":"High","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.2.0"}]},
 	 "ecosystem_specific":{"Symbols":["some_symbol_1"]
 	}}]`
 
 var testVuln2 string = `[
 	{"ID":"ID2","Package":{"Name":"golang.org/example/two","Ecosystem":"go"}, "Summary":"",
-	 "Severity":2,"Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.1.0"}]},
+	 "Severity":"High","Affects":{"Ranges":[{"Type":"SEMVER","Introduced":"","Fixed":"v2.1.0"}]},
 	 "ecosystem_specific":{"Symbols":["some_symbol_2"]
 	}}]`
 

osv/json.go

@@ -122,6 +122,7 @@ type Entry struct {
 	ID                string      `json:"id"`
 	Published         time.Time   `json:"published"`
 	Modified          time.Time   `json:"modified"`
+	Severity          string      `json:"severity,omitempty"`
 	Withdrawn         *time.Time  `json:"withdrawn,omitempty"`
 	Aliases           []string    `json:"aliases,omitempty"`
 	Package           Package     `json:"package"`
@@ -144,6 +145,7 @@ func Generate(id string, url string, r report.Report) []Entry {
 		ID:        id,
 		Published: r.Published,
 		Modified:  lastModified,
+		Severity:  report.CvssScoreToSeverity(r.CVEMetadata.CVSSMeta),
 		Withdrawn: r.Withdrawn,
 		Package: Package{
 			Name:      importPath,

osv/json_test.go

@@ -43,6 +43,7 @@ func TestGenerate(t *testing.T) {
 			Commit:  "commit",
 			Context: []string{"issue-a", "issue-b"},
 		},
+		CVEMetadata:&report.CVEMeta{ID: "CVE-2020-1234"},
 	}
 
 	want := []Entry{

report/report.go

@@ -27,7 +27,13 @@ type Links struct {
 type CVEMeta struct {
 	ID          string `yaml:",omitempty"`
 	CWE         string `yaml:",omitempty"`
-	Description string `yaml:",omitempty"`
+ 	Description string `yaml:",omitempty"`
+	CVSSMeta    *CVSS   `yaml:",omitempty"`
+}
+type CVSS struct {
+	Version   string  `yaml:",omitempty"`
+	BaseScore float32 `yaml:",omitempty"`
+	Vector    string  `yaml:",omitempty"`
 }
 
 type Report struct {
@@ -59,3 +65,4 @@ type Report struct {
 	Links              Links          `yaml:",omitempty"`
 	CVEMetadata        *CVEMeta       `yaml:"cve_metadata,omitempty"`
 }
+

report/utils.go

@@ -0,0 +1,47 @@
+package report
+
+//CvssScoreToSeverity calculate severity by cvss version and score
+//accept cvss version and score , return severity
+func CvssScoreToSeverity(cvss *CVSS) string {
+	if cvss == nil {
+		return ""
+	}
+	switch cvss.Version {
+	case "v2":
+		return cvssV2SeverityByScore(cvss.BaseScore)
+	case "v3":
+		return cvssV3SeverityByScore(cvss.BaseScore)
+	default:
+		return ""
+	}
+}
+
+func cvssV3SeverityByScore(score float32) string {
+	switch {
+	case score == 0.0:
+		return "None"
+	case score >= 0.1 && score <= 3.9:
+		return "Low"
+	case score >= 4.0 && score <= 6.9:
+		return "Medium"
+	case score >= 7.0 && score <= 8.9:
+		return "High"
+	case score >= 9.0 && score <= 10.0:
+		return "Critical"
+	default:
+		return ""
+	}
+}
+
+func cvssV2SeverityByScore(score float32) string {
+	switch {
+	case score >= 0.0 && score <= 3.9:
+		return "Low"
+	case score >= 4.0 && score <= 6.9:
+		return "Medium"
+	case score >= 7.0 && score <= 10.0:
+		return "High"
+	default:
+		return "None"
+	}
+}

report/utils_test.go

@@ -0,0 +1,31 @@
+package report
+
+import "testing"
+
+func TestReverseString1(t *testing.T) {
+	tests := []struct {
+		name      string
+		version   string
+		baseScore float32
+		want      string
+	}{
+		{name: "Low v2", version: "v2", baseScore: 1.0, want: "Low"},
+		{name: "Medium v2", version: "v2", baseScore: 4.0, want: "Medium"},
+		{name: "High v2", version: "v2", baseScore: 7.0, want: "High"},
+		{name: "Non Existing score v2", version: "v2", baseScore: 12.0, want: ""},
+		{name: "None v3", version: "v3", baseScore: 0.0, want: "None"},
+		{name: "low v3", version: "v3", baseScore: 1.0, want: "Low"},
+		{name: "Medium v3", version: "v3", baseScore: 4.0, want: "Medium"},
+		{name: "High v3", version: "v3", baseScore: 7.0, want: "High"},
+		{name: "Critical v3", version: "v3", baseScore: 9.0, want: "Critical"},
+		{name: "Non Existing score v3", version: "v3", baseScore: 12.0, want: ""},
+		{name: "Non existing version", version: "v1", baseScore: 9.0, want: ""},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := CvssScoreToSeverity(&CVSS{Version: tt.version, BaseScore: tt.baseScore}); got != tt.want {
+				t.Errorf("CvssScoreToSeverity() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}