Add Severity level to Gemnasium vulnerabilities
Problem to solve
Vulnerabilities reported by Gemnasium don't have a severity. Not only is this information important to users, it is also needed to sort the vulnerabilities in the Security Dashboard.
The YAML files of gemnasium-db should contain a severity field, or a field from which the severity can be calculated, to be propagated by gemnasium to the GitLab backend via the Dependency Scanning report.
Both CVSS vectors are optional, and CVSS v3 is preferred.
The severity of a vulnerability reported by Gemnasium is:
- the textual representation of the CVSS v3 base score, if defined
- else the textual representation of the CVSS v2 base score, if defined
- In the YAML schema of gemnasium-db, add two optional text fields corresponding to the CVSS v2 and v3 vectors; gitlab-org/security-products/gemnasium-db!430 (diffs)
- In adbcurate, collect the CVSS vectors when importing advisories from NVD: https://gitlab.com/gitlab-org/security-products/advisory-db-curation-tools/issues/16
- update the AdvisoryGo struct to load the CVSS vectors
- parse CVSS v2 and calculate base score, possibly using https://github.com/umisama/go-cvss
- parse CVSS v3 and calculate base score, possibly using https://github.com/bunji2/cvssv3
- make the convert package of Gemnasium convert the CVSS vectors into a textual value; see section 5, Qualitative Severity Rating Scale, of the CVSS v3.1 specification
- release a new version of gemnasium
- update the gemnasium dependency in gemnasium-maven and release a new version
- update the gemnasium dependency in gemnasium-python and release a new version
- update all test projects compatible with gemnasium, gemnasium-maven, gemnasium-python
- update the
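A worked version of the CVSS v3 branch of the severity rule above and of the convert step in the plan, added here as an example and not Gemnasium's own convert code: it parses a CVSS v3.0/v3.1 base vector string, computes the base score as defined in the v3.1 specification (including the Scope Changed formulas and the appendix A Roundup), and maps it to the section 5 qualitative rating. The CVSS v2 fallback is not implemented here, and the vector strings used as input are constructed samples.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)
// Weights from section 7.4 of the CVSS v3.1 spec, keyed by vector element. PR:L and
// PR:H hold their Scope Unchanged values; they are raised when Scope is Changed.
var weights = map[string]float64{
	"CVSS:3.0": 0, "CVSS:3.1": 0, "S:U": 0, "S:C": 1, "PR:N": 0.85, "PR:L": 0.62, "PR:H": 0.27,
	"AV:N": 0.85, "AV:A": 0.62, "AV:L": 0.55, "AV:P": 0.2, "AC:L": 0.77, "AC:H": 0.44, "UI:N": 0.85, "UI:R": 0.62,
	"C:N": 0, "C:L": 0.22, "C:H": 0.56, "I:N": 0, "I:L": 0.22, "I:H": 0.56, "A:N": 0, "A:L": 0.22, "A:H": 0.56,
}
// BaseScoreV3 parses a CVSS v3.0/v3.1 base vector string and returns its base score.
func BaseScoreV3(vector string) (float64, error) {
	v := map[string]float64{} // metric name (or "CVSS" for the prefix) -> weight
	for _, p := range strings.Split(vector, "/") {
		if _, ok := weights[p]; !ok {
			return 0, fmt.Errorf("unknown element %q in %q", p, vector)
		}
		v[strings.SplitN(p, ":", 2)[0]] = weights[p]
	}
	if !strings.HasPrefix(vector, "CVSS:3.") || len(v) != 9 { // prefix + 8 base metrics
		return 0, fmt.Errorf("not a complete CVSS v3 base vector: %q", vector)
	}
	changed := v["S"] == 1
	iss := 1 - (1-v["C"])*(1-v["I"])*(1-v["A"])
	impact, factor := 6.42*iss, 1.0
	if changed { // Scope Changed: higher PR weights, other impact formula, 1.08 factor
		v["PR"] = map[float64]float64{0.85: 0.85, 0.62: 0.68, 0.27: 0.5}[v["PR"]]
		impact, factor = 7.52*(iss-0.029)-3.25*math.Pow(iss-0.02, 15), 1.08
	}
	if impact <= 0 { // e.g. C:N/I:N/A:N: the spec defines the score as 0
		return 0, nil
	}
	score := math.Min(factor*(impact+8.22*v["AV"]*v["AC"]*v["PR"]*v["UI"]), 10)
	// Roundup (v3.1 spec, appendix A): the integer intermediate keeps float error from bumping 4.0 to 4.1.
	return math.Ceil(math.Round(score*100000)/10000) / 10, nil
}
// Severity is the qualitative scale of section 5 of the v3.1 spec: None 0.0,
// Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
func Severity(score float64) string {
	for i, upper := range []float64{0, 3.9, 6.9, 8.9} {
		if score <= upper {
			return []string{"None", "Low", "Medium", "High"}[i]
		}
	}
	return "Critical"
}
```

Malformed, incomplete or non-v3 vectors (for example a CVSS v2 string) are rejected with an error rather than silently scored, which is the behaviour a converter feeding the Security Dashboard should have.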