fix issue 20269 (#20274)

By default, use the nvd score as the primary score, and if it is unavailable, fallback to the redhat score. fix #20269 Signed-off-by: wang yan <wangyan@vmware.com>
goharbor · Apr 16, 2024 · 550bf1d · 550bf1d
1 parent 91efec1
commit 550bf1d
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 12 deletions.
diff --git a/src/pkg/scan/postprocessors/report_converters.go b/src/pkg/scan/postprocessors/report_converters.go
@@ -354,25 +354,28 @@ func (c *nativeToRelationalSchemaConverter) updateReport(ctx context.Context, vu
 	return report.Mgr.Update(ctx, r, "CriticalCnt", "HighCnt", "MediumCnt", "LowCnt", "NoneCnt", "UnknownCnt", "FixableCnt")
 }
 
-// CVSS ...
-type CVSS struct {
-	NVD Nvd `json:"nvd"`
+// CVS ...
+type CVS struct {
+	CVSS map[string]map[string]interface{} `json:"CVSS"`
 }
 
-// Nvd ...
-type Nvd struct {
-	V3Score float64 `json:"V3Score"`
-}
-
-func parseScoreFromVendorAttribute(ctx context.Context, vendorAttribute string) (NvdV3Score float64) {
-	var data map[string]CVSS
+func parseScoreFromVendorAttribute(ctx context.Context, vendorAttribute string) float64 {
+	var data CVS
 	err := json.Unmarshal([]byte(vendorAttribute), &data)
 	if err != nil {
 		log.G(ctx).Errorf("failed to parse vendor_attribute, error %v", err)
 		return 0
 	}
-	if cvss, ok := data["CVSS"]; ok {
-		return cvss.NVD.V3Score
+
+	// set the nvd as the first priority, if it's unavailable, return the first V3Score available.
+	if val, ok := data.CVSS["nvd"]["V3Score"]; ok {
+		return val.(float64)
+	}
+
+	for vendor := range data.CVSS {
+		if val, ok := data.CVSS[vendor]["V3Score"]; ok {
+			return val.(float64)
+		}
 	}
 	return 0
 }
diff --git a/src/pkg/scan/postprocessors/report_converters_test.go b/src/pkg/scan/postprocessors/report_converters_test.go
@@ -578,6 +578,8 @@ func Test_parseScoreFromVendorAttribute(t *testing.T) {
 		{"both", args{`{"CVSS":{"nvd":{"V3Score":5.5,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},"redhat":{"V3Score":6.2,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}}`}, 5.5},
 		{"both2", args{`{"CVSS":{"nvd":{"V2Score":7.2,"V2Vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C","V3Score":7.8,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},"redhat":{"V3Score":7.8,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 7.8},
 		{"none", args{`{"CVSS":{"nvd":{"V2Score":7.2,"V2Vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C","V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},"redhat":{"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 0},
+		{"redhatonly", args{`{"CVSS":{"redhat":{"V3Score":8.8, "V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 8.8},
+		{"nvdnov3butredhat", args{`{"CVSS":{"nvd":{"V2Score":7.2,"V2Vector":"AV:L/AC:L/Au:N/C:C/I:C/A:C"},"redhat":{"V3Score":7.8,"V3Vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}}`}, 7.8},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {