From 96398465dea9f86b569cacc7d3677db2f09a763b Mon Sep 17 00:00:00 2001
From: Quentin Machu 
Date: Fri, 18 Nov 2016 18:08:22 +0100
Subject: [PATCH] updater: Set vulns' Severity from NVD metadata fetcher if unknown

If a Vulnerability that goes through the NVD metadata fetcher has an empty or Unknown Severity, then use the CVSS score to set one. This will help to get a more consistent database when a vulnerability source does not provide this information.

---
 updater/metadata_fetchers/nvd/nvd.go | 30 ++++++++++++++++++++++++++--
 1 file changed, 28 insertions(+), 2 deletions(-)

diff --git a/updater/metadata_fetchers/nvd/nvd.go b/updater/metadata_fetchers/nvd/nvd.go
index 5ccf0cf6..fadf719c 100644
--- a/updater/metadata_fetchers/nvd/nvd.go
+++ b/updater/metadata_fetchers/nvd/nvd.go
@@ -18,6 +18,7 @@ import (
 	"github.com/coreos/clair/database"
 	"github.com/coreos/clair/updater"
 	cerrors "github.com/coreos/clair/utils/errors"
+	"github.com/coreos/clair/utils/types"
 	"github.com/coreos/pkg/capnslog"
 )
 
@@ -106,13 +107,17 @@ func (fetcher *NVDMetadataFetcher) AddMetadata(vulnerability *updater.Vulnerabil
 	if nvdMetadata, ok := fetcher.metadata[vulnerability.Name]; ok {
 		vulnerability.Lock.Lock()
 
-		// Create Metadata map if necessary.
+		// Create Metadata map if necessary and assign the NVD metadata.
 		if vulnerability.Metadata == nil {
 			vulnerability.Metadata = make(map[string]interface{})
 		}
-
 		vulnerability.Metadata[metadataKey] = nvdMetadata
 
+		// Set the Severity using the CVSSv2 Score if none is set yet.
+		if vulnerability.Severity == "" || vulnerability.Severity == types.Unknown {
+			vulnerability.Severity = scoreToPriority(nvdMetadata.CVSSv2.Score)
+		}
+
 		vulnerability.Lock.Unlock()
 	}
 
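Review bot: The fallback `vulnerability.Severity = scoreToPriority(nvdMetadata.CVSSv2.Score)` turns a missing score into a confident rating: if the NVD entry carries no CVSS v2 data, `CVSSv2.Score` is presumably left at its float64 zero value (the metadata parsing is outside this hunk), and `scoreToPriority(0)` returns `types.Negligible` rather than leaving the severity at `types.Unknown`. That silently downgrades unscored vulnerabilities to the lowest tier, the opposite of the conservative default a scanner should pick for "not yet analysed" entries. Gate the assignment on the metadata actually holding a score — e.g. `if nvdMetadata.CVSSv2.Score > 0 && (vulnerability.Severity == "" || vulnerability.Severity == types.Unknown) {` if the parser cannot distinguish absent from 0.0, or on the presence of the CVSS vector if it can. AddMetadata starts before this hunk and its body continues after it.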
@@ -225,3 +230,24 @@ func getHashFromMetaURL(metaURL string) (string, error) {
 
 	return "", errors.New("invalid .meta file format")
 }
+
+// scoreToPriority converts the CVSS Score (0.0 - 10.0) into user-friendy
+// types.Priority following the qualitative rating scale available in the
+// CVSS v3.0 specification (https://www.first.org/cvss/specification-document),
+// Table 14. The Negligible level is set for CVSS scores between [0, 1),
+// replacing the specified None level, originally used for a score of 0.
+func scoreToPriority(score float64) types.Priority {
+	switch {
+	case score < 1.0:
+		return types.Negligible
+	case score < 3.9:
+		return types.Low
+	case score < 6.9:
+		return types.Medium
+	case score < 8.9:
+		return types.High
+	case score <= 10:
+		return types.Critical
+	}
+	return types.Unknown
+}
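Review bot: The band boundaries in `scoreToPriority` do not match the Table 14 scale the comment cites: with `case score < 3.9`, `case score < 6.9` and `case score < 8.9`, a score of exactly 3.9 is rated Medium, 6.9 High and 8.9 Critical, whereas the specification's bands are Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0, so the comparisons should read `case score < 4.0:`, `case score < 7.0:` and `case score < 9.0:`. The fallthrough to `types.Unknown` for NaN or values above 10 is fine, but negative values currently land in Negligible, so an explicit `case score < 0 || score > 10: return types.Unknown` up front would make the out-of-range handling visible instead of implied by the last case. The caller feeds this a CVSS v2 score while the bands are v3's (v2 has no Critical tier and tops High at 10.0); a one-line doc comment stating that this v3 mapping is applied to v2 scores on purpose would save the next reader a question. Typo in the doc comment: "user-friendy" → "user-friendly".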