pull in v6 severity updates (#490)

Signed-off-by: Alex Goodman <[email protected]>
anchore · Feb 11, 2025 · bfe8b39 · bfe8b39
1 parent d0fd9f7
commit bfe8b39
Show file tree

Hide file tree

Showing 12 changed files with 26 additions and 65 deletions.
diff --git a/cmd/grype-db/application/build_info.go b/cmd/grype-db/application/build_info.go
@@ -5,7 +5,7 @@ import (
 	"runtime"
 	"runtime/debug"
 
-	grypeDB "github.com/anchore/grype/grype/db/v3"
+	grypeDB "github.com/anchore/grype/grype/db"
 )
 
 const valueNotProvided = "[not provided]"

diff --git a/go.mod b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d
 	github.com/adrg/xdg v0.5.3
 	github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a
-	github.com/anchore/grype v0.87.1-0.20250211002517-d34edf67c1db
+	github.com/anchore/grype v0.87.1-0.20250211173554-1573bd980b6c
 	github.com/anchore/syft v1.19.0
 	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/dave/jennifer v1.7.1
@@ -193,6 +193,7 @@ require (
 	github.com/opencontainers/selinux v1.11.0 // indirect
 	github.com/openvex/go-vex v0.2.5 // indirect
 	github.com/package-url/packageurl-go v0.1.1 // indirect
+	github.com/pandatix/go-cvss v0.6.2 // indirect
 	github.com/pborman/indent v1.2.1 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect

diff --git a/go.sum b/go.sum
@@ -698,8 +698,8 @@ github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04 h1:VzprUTpc0v
 github.com/anchore/go-testutils v0.0.0-20200925183923-d5f45b0d3c04/go.mod h1:6dK64g27Qi1qGQZ67gFmBFvEHScy0/C8qhQhNe5B5pQ=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4 h1:rmZG77uXgE+o2gozGEBoUMpX27lsku+xrMwlmBZJtbg=
 github.com/anchore/go-version v1.2.2-0.20210903204242-51efa5b487c4/go.mod h1:Bkc+JYWjMCF8OyZ340IMSIi2Ebf3uwByOk6ho4wne1E=
-github.com/anchore/grype v0.87.1-0.20250211002517-d34edf67c1db h1:uCOfKvxohajCSfS0dzlV3MkKRL6Gsg63KSauCXeUZbo=
-github.com/anchore/grype v0.87.1-0.20250211002517-d34edf67c1db/go.mod h1:yMGJFQbyqLXKsAW1MECUmce417HgwESVJ+2gVkQ8GTg=
+github.com/anchore/grype v0.87.1-0.20250211173554-1573bd980b6c h1:S/wwuiO3TiBgy9StBFrmTi4HVyeVbbViBBLn9TQJNxE=
+github.com/anchore/grype v0.87.1-0.20250211173554-1573bd980b6c/go.mod h1:COAoNjT1UktC8ZRvkZfPtW4L8pXpiS8krCqobKvjLkw=
 github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10 h1:zBedM9ZGYbs/61QC4ZOKxtChx5njXKHgHqDeHuUxrTw=
 github.com/anchore/packageurl-go v0.1.1-0.20250117185454-edf36a908b10/go.mod h1:KoYIv7tdP5+CC9VGkeZV4/vGCKsY55VvoG+5dadg4YI=
 github.com/anchore/stereoscope v0.0.13 h1:9Ivkh7k+vOeG3JHrt44jOg/8UdZrCvMsSjLQ7trHBig=
@@ -1326,6 +1326,8 @@ github.com/openvex/go-vex v0.2.5 h1:41utdp2rHgAGCsG+UbjmfMG5CWQxs15nGqir1eRgSrQ=
 github.com/openvex/go-vex v0.2.5/go.mod h1:j+oadBxSUELkrKh4NfNb+BPo77U3q7gdKME88IO/0Wo=
 github.com/package-url/packageurl-go v0.1.1 h1:KTRE0bK3sKbFKAk3yy63DpeskU7Cvs/x/Da5l+RtzyU=
 github.com/package-url/packageurl-go v0.1.1/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c=
+github.com/pandatix/go-cvss v0.6.2 h1:TFiHlzUkT67s6UkelHmK6s1INKVUG7nlKYiWWDTITGI=
+github.com/pandatix/go-cvss v0.6.2/go.mod h1:jDXYlQBZrc8nvrMUVVvTG8PhmuShOnKrxP53nOFkt8Q=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pborman/indent v1.2.1 h1:lFiviAbISHv3Rf0jcuh489bi06hj98JsVMtIDZQb9yM=

diff --git a/pkg/process/package.go b/pkg/process/package.go
@@ -5,7 +5,7 @@ import (
 	"path/filepath"
 
 	v6process "github.com/anchore/grype-db/pkg/process/v6"
-	grypeDBLegacyDistribution "github.com/anchore/grype/grype/db/legacy/distribution"
+	grypeDBLegacyDistribution "github.com/anchore/grype/grype/db/v5/distribution"
 )
 
 func Package(dbDir, publishBaseURL, overrideArchiveExtension string) error {

diff --git a/pkg/process/package_legacy.go b/pkg/process/package_legacy.go
@@ -14,8 +14,8 @@ import (
 
 	"github.com/anchore/grype-db/internal/log"
 	"github.com/anchore/grype-db/internal/tarutil"
-	grypeDBLegacyDistribution "github.com/anchore/grype/grype/db/legacy/distribution"
 	grypeDBLegacy "github.com/anchore/grype/grype/db/v5"
+	grypeDBLegacyDistribution "github.com/anchore/grype/grype/db/v5/distribution"
 	grypeDBLegacyStore "github.com/anchore/grype/grype/db/v5/store"
 )
 

diff --git a/pkg/process/v5/writer.go b/pkg/process/v5/writer.go
@@ -16,8 +16,8 @@ import (
 	"github.com/anchore/grype-db/internal/log"
 	"github.com/anchore/grype-db/pkg/data"
 	"github.com/anchore/grype-db/pkg/provider"
-	"github.com/anchore/grype/grype/db/legacy/distribution"
 	grypeDB "github.com/anchore/grype/grype/db/v5"
+	"github.com/anchore/grype/grype/db/v5/distribution"
 	grypeDBStore "github.com/anchore/grype/grype/db/v5/store"
 )
 

diff --git a/pkg/process/v6/transformers/github/transform.go b/pkg/process/v6/transformers/github/transform.go
@@ -187,7 +187,6 @@ func getSeverities(vulnerability unmarshal.GitHubAdvisory) []grypeDB.Severity {
 			Value: grypeDB.CVSSSeverity{
 				Vector:  vulnerability.Advisory.CVSS.VectorString,
 				Version: vulnerability.Advisory.CVSS.Version,
-				Score:   vulnerability.Advisory.CVSS.BaseMetrics.BaseScore,
 			},
 		})
 	}

diff --git a/pkg/process/v6/transformers/github/transform_test.go b/pkg/process/v6/transformers/github/transform_test.go
@@ -108,7 +108,6 @@ func TestGetVulnerability(t *testing.T) {
 								Value: grypeDB.CVSSSeverity{
 									Vector:  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
 									Version: "3.1",
-									Score:   6.5,
 								},
 							},
 						},
@@ -150,7 +149,6 @@ func TestGetVulnerability(t *testing.T) {
 								Value: grypeDB.CVSSSeverity{
 									Vector:  "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
 									Version: "3.1",
-									Score:   9.8,
 								},
 							},
 						},
@@ -192,7 +190,6 @@ func TestGetVulnerability(t *testing.T) {
 								Value: grypeDB.CVSSSeverity{
 									Vector:  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
 									Version: "3.1",
-									Score:   9.8,
 								},
 							},
 						},

diff --git a/pkg/process/v6/transformers/nvd/transform.go b/pkg/process/v6/transformers/nvd/transform.go
@@ -271,7 +271,6 @@ func getSeverities(vuln unmarshal.NVDVulnerability) []grypeDB.Severity {
 			Value: grypeDB.CVSSSeverity{
 				Vector:  sev.Vector,
 				Version: sev.Version,
-				Score:   sev.BaseScore,
 			},
 			Source: sev.Source,
 			Rank:   priority,

diff --git a/pkg/process/v6/transformers/nvd/transform_test.go b/pkg/process/v6/transformers/nvd/transform_test.go
@@ -82,19 +82,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-										Version: "3.0",
-										Score:   9.8,
-									},
+										Version: "3.0"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:N/AC:L/Au:N/C:P/I:P/A:P",
-										Version: "2.0",
-										Score:   7.5,
-									},
+										Version: "2.0"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -173,19 +169,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
-										Version: "3.0",
-										Score:   8.8,
-									},
+										Version: "3.0"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:N/AC:M/Au:N/C:P/I:P/A:P",
-										Version: "2.0",
-										Score:   6.8,
-									},
+										Version: "2.0"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -246,19 +238,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
-										Version: "3.0",
-										Score:   7.5,
-									},
+										Version: "3.0"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:N/AC:L/Au:N/C:P/I:N/A:N",
-										Version: "2.0",
-										Score:   5.0,
-									},
+										Version: "2.0"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -333,19 +321,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-										Version: "3.0",
-										Score:   7.5,
-									},
+										Version: "3.0"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:N/AC:L/Au:N/C:N/I:N/A:P",
-										Version: "2.0",
-										Score:   5.0,
-									},
+										Version: "2.0"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -392,19 +376,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
-										Version: "3.1",
-										Score:   7.0,
-									},
+										Version: "3.1"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:L/AC:M/Au:N/C:P/I:P/A:P",
-										Version: "2.0",
-										Score:   4.4,
-									},
+										Version: "2.0"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -516,7 +496,6 @@ func TestTransform(t *testing.T) {
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
 										Version: "3.1",
-										Score:   10.0,
 									},
 									Source: "[email protected]",
 									Rank:   1,
@@ -526,7 +505,6 @@ func TestTransform(t *testing.T) {
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:N/AC:L/Au:N/C:C/I:C/A:C",
 										Version: "2.0",
-										Score:   10.0,
 									},
 									Source: "[email protected]",
 									Rank:   2,
@@ -598,19 +576,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
-										Version: "3.1",
-										Score:   5.5,
-									},
+										Version: "3.1"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "AV:L/AC:L/Au:N/C:P/I:N/A:N",
-										Version: "2.0",
-										Score:   2.1,
-									},
+										Version: "2.0"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -685,19 +659,15 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
-										Version: "3.1",
-										Score:   4.3,
-									},
+										Version: "3.1"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
 								{
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
-										Version: "3.1",
-										Score:   4.3,
-									},
+										Version: "3.1"},
 									Source: "[email protected]",
 									Rank:   2,
 								},
@@ -801,9 +771,7 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
-										Version: "3.1",
-										Score:   7.5,
-									},
+										Version: "3.1"},
 									Source: "[email protected]",
 									Rank:   1,
 								},
@@ -912,9 +880,7 @@ func TestTransform(t *testing.T) {
 									Scheme: grypeDB.SeveritySchemeCVSS,
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
-										Version: "3.1",
-										Score:   7.5,
-									},
+										Version: "3.1"},
 									Source: "[email protected]",
 									Rank:   1,
 								},

diff --git a/pkg/process/v6/transformers/os/transform.go b/pkg/process/v6/transformers/os/transform.go
@@ -338,7 +338,6 @@ func getSeverities(vuln unmarshal.OSVulnerability) []grypeDB.Severity {
 			Value: grypeDB.CVSSSeverity{
 				Vector:  vendorSeverity.VectorString,
 				Version: vendorSeverity.Version,
-				Score:   vendorSeverity.BaseMetrics.BaseScore,
 			},
 			Rank: 2,
 			// TODO: source?

diff --git a/pkg/process/v6/transformers/os/transform_test.go b/pkg/process/v6/transformers/os/transform_test.go
@@ -901,7 +901,6 @@ func TestTransform(t *testing.T) {
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
 										Version: "3.1",
-										Score:   8.8,
 									},
 									Rank: 2,
 								},
@@ -994,7 +993,6 @@ func TestTransform(t *testing.T) {
 									Value: grypeDB.CVSSSeverity{
 										Vector:  "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
 										Version: "3.1",
-										Score:   7.1,
 									},
 									Rank: 2,
 								},