diff --git a/convert/convert_test.go b/convert/convert_test.go
index 6c847db06124fba0a20d06c6bf3b91b42b77d8c6..22763ff7a82378371e5db74f0d83302368ab75cf 100644
--- a/convert/convert_test.go
+++ b/convert/convert_test.go
@@ -22,6 +22,7 @@ func TestConvert(t *testing.T) {
 	Identifier: null.StringFrom("CVE-1234"),
 	Title: "Regular Expression Denial of Service",
 	Description: "Xyz is vulnerable to ReDoS in the Xyz parameter.",
+	Severity: null.StringFrom("medium"),
 	Solution: null.StringFrom("Upgrade to latest version."),
 	Links: []string{"https://security.io/advisories/119", "https://security.io/advisories/117", "https://security.io/advisories/118"},
 }
@@ -86,7 +87,7 @@ func TestConvert(t *testing.T) {
 	Message: "Regular Expression Denial of Service in pg",
 	Description: "Xyz is vulnerable to ReDoS in the Xyz parameter.",
 	CompareKey: "app/rails/Gemfile.lock:pg:gemnasium:7d9ba955-fd99-4503-936e-f6833768f76e",
-	Severity: issue.SeverityLevelUnknown,
+	Severity: issue.SeverityLevelMedium,
 	Solution: "Upgrade to latest version.",
 	Location: issue.Location{
 		File: "app/rails/Gemfile.lock",
diff --git a/convert/vulnerability_converter.go b/convert/vulnerability_converter.go
index 5d2f0b3fa9224db8a732f26dfc3df99004a9084d..ced75db79486665b380547d75577c70d00e197f3 100644
--- a/convert/vulnerability_converter.go
+++ b/convert/vulnerability_converter.go
@@ -31,7 +31,7 @@ func (c VulnerabilityConverter) Issue() issue.Issue {
 	},
 	Name: c.Advisory.Title,
 	Description: c.Advisory.Description,
-	Severity: issue.SeverityLevelUnknown,
+	Severity: c.severity(),
 	Solution: c.Advisory.Solution.String,
 	Identifiers: c.identifiers(),
 	Links: issue.NewLinks(c.Advisory.Links...),
@@ -51,6 +51,20 @@ func (c VulnerabilityConverter) filePath() string {
 	return filepath.Join(c.PrependPath, c.Source.FilePath)
 }
 
+func (c VulnerabilityConverter) severity() issue.SeverityLevel {
+	switch c.Advisory.Severity.String {
+	case "critical":
+		return issue.SeverityLevelCritical
+	case "high":
+		return issue.SeverityLevelHigh
+	case "medium":
+		return issue.SeverityLevelMedium
+	case "low":
+		return issue.SeverityLevelLow
+	}
+	return issue.SeverityLevelUnknown
+}
+
 func (c VulnerabilityConverter) identifiers() []issue.Identifier {
 	ids := []issue.Identifier{c.primaryIdentifier()}
 	if id := c.Advisory.Identifier; id.Valid {
diff --git a/scanner/advisory.go b/scanner/advisory.go
index 02b4cf0e8a91b9d7312166ded4cd890232b34f8d..8f2a0fc68e29263d160d82063840a4bc03e28a2a 100644
--- a/scanner/advisory.go
+++ b/scanner/advisory.go
@@ -12,6 +12,7 @@ type Advisory struct {
 	DisclosureDate string `json:"date"` // DisclosureDate is the date on which the advisory was made public.
 	FixedVersions []string `json:"fixed_versions"` // FixedVersions are the versions fixing the vulnerability.
 	AffectedVersions []string `json:"affected_versions"` // AffectedVersions are the versions affected by the vulnerability.
+	Severity null.String `json:"severity"` // Severity is either low, medium, high or critical.
 	Solution null.String `json:"solution"` // Solution describes how to remediate the vulnerability.
 	Credit null.String `json:"credit"` // Credit gives the names of the people who reported the vulnerability or helped fixing it.
 	Links []string `json:"urls"` // Links are URLs of: detailed advisory, documented exploit, vulnerable source code, etc.
diff --git a/scanner/advisory_test.go b/scanner/advisory_test.go
index 094b0828a2bb5d594a65455f9ec2ed4247a81d37..e34a6d2f61457093d642d4df80381c752b925940 100644
--- a/scanner/advisory_test.go
+++ b/scanner/advisory_test.go
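Review bot: `severity()` compares `c.Advisory.Severity.String` exactly and case-sensitively, so an advisory carrying `"Critical"`, `"HIGH"` or a value with surrounding whitespace silently lands in `SeverityLevelUnknown`, and since `Issue()` in the first file now reads this value, a critical finding would be reported as unknown with no signal that anything was dropped. Normalising before the switch, `switch strings.ToLower(strings.TrimSpace(c.Advisory.Severity.String)) {`, removes the case/whitespace trap (adding the `strings` import if the file does not already have it); whether `String` is empty when the null value is invalid is not visible here, so a comment such as `// Unrecognised or absent severities fall back to Unknown rather than failing the conversion.` above the final return would document the deliberate fallback. The only converter test added (convert_test.go, TestConvert) covers `"medium"`; a case for an unrecognised value and for an unset Severity would pin the fallback. The field comment added in scanner/advisory.go, `Severity is either low, medium, high or critical.`, states a closed set that the JSON source does not enforce; wording it as the recognised values, with anything else treated as unknown, would match what the converter actually does.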
@@ -37,6 +37,7 @@ func TestAdvisory(t *testing.T) {
 	DisclosureDate: "2016-06-20",
 	FixedVersions: []string{"3.0.2"},
 	AffectedVersions: []string{"2.0.10", "3.0.0"},
+	Severity: null.StringFrom("medium"),
 	Solution: null.StringFrom("Upgrade to latest version."),
 	Credit: null.StringFrom("Nick Starke"),
 	Links: []string{"https://nodesecurity.io/advisories/118"},
@@ -72,6 +73,7 @@ func TestAdvisory(t *testing.T) {
 		"2.0.10",
 		"3.0.0"
 	],
+	"severity": "medium",
 	"solution": "Upgrade to latest version.",
 	"credit": "Nick Starke",
 	"urls": [
diff --git a/scanner/client_test.go b/scanner/client_test.go
index 8dee37ea42d6bb9045a51506f276ea891a87d0ec..fb1afb127a2f1599ae8e2a0e20978711839e1957 100644
--- a/scanner/client_test.go
+++ b/scanner/client_test.go
@@ -25,6 +25,7 @@ const testJSONAdvisories = `[{
 		"2.0.10",
 		"3.0.0"
 	],
+	"severity": "medium",
 	"solution": "Upgrade to latest version.",
 	"credit": "Nick Starke",
 	"urls": [
@@ -46,6 +47,7 @@ var testAdvisories = []Advisory{
 	DisclosureDate: "2016-06-20",
 	FixedVersions: []string{"3.0.2"},
 	AffectedVersions: []string{"2.0.10", "3.0.0"},
+	Severity: null.StringFrom("medium"),
 	Solution: null.StringFrom("Upgrade to latest version."),
 	Credit: null.StringFrom("Nick Starke"),
 	Links: []string{"https://nodesecurity.io/advisories/118"},