feat(report): range notion calc by severity when no-cvss-score (#1145)

2021-01-25 13:22:55 +09:00
parent e4f1e03f62
commit 3c1489e588
9 changed files with 258 additions and 281 deletions
--- a/report/slack.go
+++ b/report/slack.go
@@ -248,7 +248,7 @@ func attachmentText(vinfo models.VulnInfo, osFamily string, cweDict map[string]m
 	maxCvss := vinfo.MaxCvssScore()
 	vectors := []string{}

-	scores := append(vinfo.Cvss3Scores(), vinfo.Cvss2Scores(osFamily)...)
+	scores := append(vinfo.Cvss3Scores(), vinfo.Cvss2Scores()...)
 	for _, cvss := range scores {
 		if cvss.Value.Severity == "" {
 			continue
--- a/report/syslog.go
+++ b/report/syslog.go
@@ -59,7 +59,7 @@ func (w SyslogWriter) encodeSyslog(result models.ScanResult) (messages []string)
 		kvPairs = append(kvPairs, fmt.Sprintf(`packages="%s"`, pkgs))

 		kvPairs = append(kvPairs, fmt.Sprintf(`cve_id="%s"`, cveID))
-		for _, cvss := range vinfo.Cvss2Scores(result.Family) {
+		for _, cvss := range vinfo.Cvss2Scores() {
 			kvPairs = append(kvPairs, fmt.Sprintf(`cvss_score_%s_v2="%.2f"`, cvss.Type, cvss.Value.Score))
 			kvPairs = append(kvPairs, fmt.Sprintf(`cvss_vector_%s_v2="%s"`, cvss.Type, cvss.Value.Vector))
 		}
--- a/report/syslog_test.go
+++ b/report/syslog_test.go
@@ -51,6 +51,7 @@ func TestSyslogWriterEncodeSyslog(t *testing.T) {
 				`scanned_at="2018-06-13 16:10:00 +0000 UTC" server_name="teste01" os_family="ubuntu" os_release="16.04" ipv4_addr="192.168.0.1,10.0.2.15" ipv6_addr="" packages="pkg3,pkg4" cve_id="CVE-2017-0002" cvss_score_nvd_v2="5.00" cvss_vector_nvd_v2="AV:L/AC:L/Au:N/C:N/I:N/A:C" cvss_score_nvd_v3="9.80" cvss_vector_nvd_v3="AV:L/AC:L/Au:N/C:N/I:N/A:C" cwe_ids="CWE-20"`,
 			},
 		},
+		// 1
 		{
 			result: models.ScanResult{
 				ScannedAt:  time.Date(2018, 6, 13, 17, 10, 0, 0, time.UTC),
@@ -65,10 +66,11 @@ func TestSyslogWriterEncodeSyslog(t *testing.T) {
 						},
 						CveContents: models.CveContents{
 							models.RedHat: models.CveContent{
-								Cvss3Score:  5.0,
-								Cvss3Vector: "AV:L/AC:L/Au:N/C:N/I:N/A:C",
-								CweIDs:      []string{"CWE-284"},
-								Title:       "RHSA-2017:0001: pkg5 security update (Important)",
+								Cvss3Score:    5.0,
+								Cvss3Severity: "Medium",
+								Cvss3Vector:   "AV:L/AC:L/Au:N/C:N/I:N/A:C",
+								CweIDs:        []string{"CWE-284"},
+								Title:         "RHSA-2017:0001: pkg5 security update (Important)",
 							},
 						},
 					},
--- a/report/tui.go
+++ b/report/tui.go
@@ -935,20 +935,11 @@ func detailLines() (string, error) {
 	table := uitable.New()
 	table.MaxColWidth = maxColWidth
 	table.Wrap = true
-	scores := append(vinfo.Cvss3Scores(), vinfo.Cvss2Scores(r.Family)...)
+	scores := append(vinfo.Cvss3Scores(), vinfo.Cvss2Scores()...)
 	var cols []interface{}
 	for _, score := range scores {
-		if score.Value.Score == 0 && score.Value.Severity == "" {
-			continue
-		}
-		scoreStr := "-"
-		if 0 < score.Value.Score {
-			scoreStr = fmt.Sprintf("%3.1f", score.Value.Score)
-		}
-		scoreVec := fmt.Sprintf("%s/%s", scoreStr, score.Value.Vector)
 		cols = []interface{}{
-			scoreVec,
-			score.Value.Severity,
+			score.Value.Format(),
 			score.Type,
 		}
 		table.AddRow(cols...)
--- a/report/util.go
+++ b/report/util.go
@@ -213,7 +213,7 @@ No CVE-IDs are found in updatable packages.
 			}
 		}

-		for _, cvss := range vuln.Cvss2Scores(r.Family) {
+		for _, cvss := range vuln.Cvss2Scores() {
 			if cvssstr := cvss.Value.Format(); cvssstr != "" {
 				data = append(data, []string{string(cvss.Type), cvssstr})
 			}