Merge pull request #271 from Quentin-M/nvd_severity

updater: Set vulns' Severity from NVD metadata fetcher if unknown
8 years ago · 639d305cf8
parent e38b67a513 1faf27ba18
commit 639d305cf8
2 changed files with 32 additions and 6 deletions
--- a/updater/metadata_fetchers/nvd/nvd.go
+++ b/updater/metadata_fetchers/nvd/nvd.go
@ -18,6 +18,7 @@ import (
 	"github.com/coreos/clair/database"
 	"github.com/coreos/clair/updater"
 	cerrors "github.com/coreos/clair/utils/errors"
+	"github.com/coreos/clair/utils/types"
 	"github.com/coreos/pkg/capnslog"
 )

@ -105,14 +106,19 @@ func (fetcher *NVDMetadataFetcher) AddMetadata(vulnerability *updater.Vulnerabil

 	if nvdMetadata, ok := fetcher.metadata[vulnerability.Name]; ok {
 		vulnerability.Lock.Lock()
-		defer vulnerability.Lock.Unlock()

-		// Create Metadata map if necessary.
+		// Create Metadata map if necessary and assign the NVD metadata.
 		if vulnerability.Metadata == nil {
 			vulnerability.Metadata = make(map[string]interface{})
 		}
-
 		vulnerability.Metadata[metadataKey] = nvdMetadata
+
+		// Set the Severity using the CVSSv2 Score if none is set yet.
+		if vulnerability.Severity == "" || vulnerability.Severity == types.Unknown {
+			vulnerability.Severity = scoreToPriority(nvdMetadata.CVSSv2.Score)
+		}
+
+		vulnerability.Lock.Unlock()
 	}

 	return nil
@ -224,3 +230,24 @@ func getHashFromMetaURL(metaURL string) (string, error) {

 	return "", errors.New("invalid .meta file format")
 }
+
+// scoreToPriority converts the CVSS Score (0.0 - 10.0) into user-friendy
+// types.Priority following the qualitative rating scale available in the
+// CVSS v3.0 specification (https://www.first.org/cvss/specification-document),
+// Table 14. The Negligible level is set for CVSS scores between [0, 1),
+// replacing the specified None level, originally used for a score of 0.
+func scoreToPriority(score float64) types.Priority {
+	switch {
+	case score < 1.0:
+		return types.Negligible
+	case score < 3.9:
+		return types.Low
+	case score < 6.9:
+		return types.Medium
+	case score < 8.9:
+		return types.High
+	case score <= 10:
+		return types.Critical
+	}
+	return types.Unknown
+}
--- a/utils/oval/oval.go
+++ b/utils/oval/oval.go
@ -166,7 +166,7 @@ var (

 // FetchUpdate gets vulnerability updates from the OVAL definitions.
 func (f *OvalFetcher) FetchUpdate(datastore database.Datastore) (resp updater.FetcherResponse, err error) {
-	log.Info("fetching %s vulnerabilities", f.OsInfo.DistName())
+	log.Infof("fetching %s vulnerabilities", f.OsInfo.DistName())

 	r, err := http.Get(f.OsInfo.OvalURI())
 	if err != nil {
@ -247,8 +247,7 @@ func (f *OvalFetcher) ToFeatureVersions(possibilities [][]criterion) []database.
 		}

 		if osVersion == "" {
-			log.Warning("No OS version found for criterions")
-			log.Warning(criterions)
+			log.Warningf("No OS version found for criterions: %#v", criterions)
 			continue
 		}