fix: display CVSS2 data in single column

Paves the way for the arrival of CVSS3 scores
cultureamp · Nov 23, 2023 · 3cb048f · 3cb048f
1 parent df05199
commit 3cb048f
Show file tree

Hide file tree

Showing 8 changed files with 105 additions and 44 deletions.
diff --git a/src/finding/summary.go b/src/finding/summary.go
@@ -31,8 +31,9 @@ type Detail struct {
 }
 
 type CVSSScore struct {
-	Score  string
-	Vector string
+	Score     string
+	Vector    string
+	VectorURL string
 }
 
 type SeverityCount struct {
@@ -128,6 +129,9 @@ func findingToDetail(finding types.ImageScanFinding) Detail {
 
 	uri = fixFindingURI(name, uri)
 
+	cvss2Vector := findingAttributeValue(finding, "CVSS2_VECTOR")
+	cvss2VectorURL := cvss2VectorURL(cvss2Vector)
+
 	return Detail{
 		Name:           name,
 		URI:            uri,
@@ -136,8 +140,9 @@ func findingToDetail(finding types.ImageScanFinding) Detail {
 		PackageName:    findingAttributeValue(finding, "package_name"),
 		PackageVersion: findingAttributeValue(finding, "package_version"),
 		CVSS2: CVSSScore{
-			Score:  findingAttributeValue(finding, "CVSS2_SCORE"),
-			Vector: findingAttributeValue(finding, "CVSS2_VECTOR"),
+			Score:     findingAttributeValue(finding, "CVSS2_SCORE"),
+			Vector:    cvss2Vector,
+			VectorURL: cvss2VectorURL,
 		},
 	}
 }
@@ -170,3 +175,12 @@ func fixFindingURI(name string, uri string) string {
 
 	return correctedURI
 }
+
+func cvss2VectorURL(cvss2Vector string) string {
+	cvss2VectorURL := ""
+	if cvss2Vector != "" {
+		cvss2VectorURL = "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=" +
+			url.QueryEscape("("+cvss2Vector+")")
+	}
+	return cvss2VectorURL
+}
diff --git a/src/finding/summary_test.go b/src/finding/summary_test.go
@@ -3,6 +3,7 @@ package finding_test
 import (
 	"testing"
 
+	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/service/ecr/types"
 	"github.com/cultureamp/ecrscanresults/finding"
 	"github.com/cultureamp/ecrscanresults/findingconfig"
@@ -62,6 +63,42 @@ func TestSummarize(t *testing.T) {
 				Ignored: []finding.Detail{},
 			}),
 		},
+		{
+			name: "findings with CVSS2 scores",
+			data: types.ImageScanFindings{
+				Findings: []types.ImageScanFinding{
+					fscore("CVE-2019-5188", "HIGH", "1.2", "AV:L/AC:L/Au:N/C:P/I:P/A:P"),
+					fscore("INVALID-CVE", "CRITICAL", "", ""),
+					fscore("CVE-2019-5189", "HIGH", "", ""),
+				},
+			},
+			expected: autogold.Expect(finding.Summary{
+				Counts: map[types.FindingSeverity]finding.SeverityCount{
+					types.FindingSeverity("CRITICAL"): {Included: 1},
+					types.FindingSeverity("HIGH"):     {Included: 2},
+				},
+				Details: []finding.Detail{
+					{
+						Name:     "CVE-2019-5188",
+						Severity: types.FindingSeverity("HIGH"),
+						CVSS2: finding.CVSSScore{
+							Score:     "1.2",
+							Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+							VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
+						},
+					},
+					{
+						Name:     "INVALID-CVE",
+						Severity: types.FindingSeverity("CRITICAL"),
+					},
+					{
+						Name:     "CVE-2019-5189",
+						Severity: types.FindingSeverity("HIGH"),
+					},
+				},
+				Ignored: []finding.Detail{},
+			}),
+		},
 		{
 			name: "findings with no ignores",
 			data: types.ImageScanFindings{
@@ -160,6 +197,17 @@ func fu(name string, severity types.FindingSeverity, uri string) types.ImageScan
 	}
 }
 
+func fscore(name string, severity types.FindingSeverity, cvss2 string, vector string) types.ImageScanFinding {
+	return types.ImageScanFinding{
+		Name:     &name,
+		Severity: severity,
+		Attributes: []types.Attribute{
+			{Key: aws.String("CVSS2_SCORE"), Value: &cvss2},
+			{Key: aws.String("CVSS2_VECTOR"), Value: &vector},
+		},
+	}
+}
+
 func i(id string) findingconfig.Ignore {
 	return findingconfig.Ignore{ID: id}
 }
diff --git a/src/report/annotation.gohtml b/src/report/annotation.gohtml
@@ -42,6 +42,9 @@ be wrapped in <p> tag by the Markdown renderer in Buildkite.
 {{ define "findingName" }}{{ if .Description }}<details><summary>{{ template "findingNameLink" . }}</summary><div>{{ .Description }}</div></details>{{ else }}{{ template "findingNameLink" . }}{{ end }}{{ end }}
 {{ define "findingIgnoreUntil" }}{{ if .Until | hasUntilValue }}{{ .Until }}{{ else }}<div class="italic">(indefinitely)</div>{{ end }}{{ end }}
 {{ define "findingIgnore"}}{{ if .Reason }}<details><summary>{{ template "findingIgnoreUntil" . }}</summary><div>{{ .Reason }}</div></details>{{ else }}{{ template "findingIgnoreUntil" . }}{{ end }}{{ end }}
+{{ define "cvssScore"
+}}{{ .Score | nbsp}}{{ if .Vector }} (<a href="{{ .VectorURL }}">{{ .Vector }}</a>){{ end
+}}{{ end }}
 {{ if (or .FindingSummary.Details .FindingSummary.Ignored) }}
 <details>
 <summary>Vulnerability details</summary>
@@ -52,16 +55,14 @@ be wrapped in <p> tag by the Markdown renderer in Buildkite.
 <th>CVE</th>
 <th>Severity</th>
 <th>Affects</th>
-<th>CVSS score</th>
-<th>Vector</th>
+<th>CVSS2 score (vector)</th>
 </tr>
 {{ range $f := .FindingSummary.Details | sortFindings }}
 <tr>
 <td>{{ template "findingName" . }}</td>
 <td>{{ $f.Severity | string | lowerCase | titleCase }}</td>
 <td>{{ $f.PackageName | nbsp }} {{ $f.PackageVersion | nbsp }}</td>
-<td>{{ $f.CVSS2.Score | nbsp}}</td>
-<td>{{ if $f.CVSS2.Vector }}<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=({{ $f.CVSS2.Vector }})">{{ $f.CVSS2.Vector }}</a>{{ else }}&nbsp;{{ end }}</td>
+<td>{{ template "cvssScore" $f.CVSS2 }}</td>
 </tr>
 {{ end }}
 </table>
@@ -76,17 +77,15 @@ be wrapped in <p> tag by the Markdown renderer in Buildkite.
 <th>Severity</th>
 <th>Ignored until</th>
 <th>Affects</th>
-<th>CVSS score</th>
-<th>Vector</th>
+<th>CVSS2 score (vector)</th>
 </tr>
 {{ range $f := .FindingSummary.Ignored | sortFindings }}
 <tr>
 <td>{{ template "findingName" . }}</td>
 <td>{{ $f.Severity | string | lowerCase | titleCase }}</td>
 <td>{{ template "findingIgnore" $f.Ignore }}</td>
 <td>{{ $f.PackageName | nbsp }} {{ $f.PackageVersion | nbsp }}</td>
-<td>{{ $f.CVSS2.Score | nbsp}}</td>
-<td>{{ if $f.CVSS2.Vector }}<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=({{ $f.CVSS2.Vector }})">{{ $f.CVSS2.Vector }}</a>{{ else }}&nbsp;{{ end }}</td>
+<td>{{ template "cvssScore" $f.CVSS2 }}</td>
 </tr>
 {{ end }}
 </table>

diff --git a/src/report/annotation_test.go b/src/report/annotation_test.go
@@ -71,8 +71,9 @@ func TestReports(t *testing.T) {
 							PackageName:    "5300-package",
 							PackageVersion: "5300-version",
 							CVSS2: finding.CVSSScore{
-								Score:  "10.0",
-								Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								Score:     "10.0",
+								Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
 							},
 						},
 						{
@@ -83,8 +84,9 @@ func TestReports(t *testing.T) {
 							PackageName:    "e2fsprogs",
 							PackageVersion: "1.44.1-1ubuntu1.1",
 							CVSS2: finding.CVSSScore{
-								Score:  "4.6",
-								Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								Score:     "4.6",
+								Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
 							},
 						},
 						{
@@ -95,8 +97,9 @@ func TestReports(t *testing.T) {
 							PackageName:    "5200-package",
 							PackageVersion: "5200-version",
 							CVSS2: finding.CVSSScore{
-								Score:  "10.0",
-								Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								Score:     "10.0",
+								Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
 							},
 						},
 					},
@@ -130,8 +133,9 @@ func TestReports(t *testing.T) {
 							PackageName:    "e2fsprogs",
 							PackageVersion: "1.44.1-1ubuntu1.1",
 							CVSS2: finding.CVSSScore{
-								Score:  "4.6",
-								Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								Score:     "4.6",
+								Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
 							},
 						},
 						{
@@ -142,8 +146,9 @@ func TestReports(t *testing.T) {
 							PackageName:    "5200-package",
 							PackageVersion: "5200-version",
 							CVSS2: finding.CVSSScore{
-								Score:  "10.0",
-								Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								Score:     "10.0",
+								Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
 							},
 						},
 					},
@@ -156,8 +161,9 @@ func TestReports(t *testing.T) {
 							PackageName:    "100-package",
 							PackageVersion: "100-version",
 							CVSS2: finding.CVSSScore{
-								Score:  "4.0",
-								Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								Score:     "4.0",
+								Vector:    "AV:L/AC:L/Au:N/C:P/I:P/A:P",
+								VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29",
 							},
 							Ignore: &findingconfig.Ignore{
 								ID: "CVE-2023-100",

diff --git a/src/report/testdata/TestReports/findings_included.golden b/src/report/testdata/TestReports/findings_included.golden
@@ -44,6 +44,7 @@
 
 
 
+
 <details>
 <summary>Vulnerability details</summary>
 <div>
@@ -53,32 +54,28 @@
 <th>CVE</th>
 <th>Severity</th>
 <th>Affects</th>
-<th>CVSS score</th>
-<th>Vector</th>
+<th>CVSS2 score (vector)</th>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5200">CVE-2019-5200</a></summary><div>Another vulnerability.</div></details></td>
 <td>Critical</td>
 <td>5200-package 5200-version</td>
-<td>10.0</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>10.0 (<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188">CVE-2019-5188</a></summary><div>A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.</div></details></td>
 <td>High</td>
 <td>e2fsprogs 1.44.1-1ubuntu1.1</td>
-<td>4.6</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>4.6 (<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5300">CVE-2019-5300</a></summary><div>Another vulnerability.</div></details></td>
 <td>Aa-Bogus-Severity</td>
 <td>5300-package 5300-version</td>
-<td>10.0</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>10.0 (<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 </table>

diff --git a/src/report/testdata/TestReports/image_label.golden b/src/report/testdata/TestReports/image_label.golden
@@ -14,6 +14,7 @@
 
 
 
+
 <p class="p1">
 <i>scan completed: <span title="&lt;nil&gt;"></span></i> |
 <i>source updated: <span title="&lt;nil&gt;"></span></i>

diff --git a/src/report/testdata/TestReports/no_vulnerabilities.golden b/src/report/testdata/TestReports/no_vulnerabilities.golden
@@ -13,6 +13,7 @@
 
 
 
+
 <p class="p1">
 <i>scan completed: <span title="&lt;nil&gt;"></span></i> |
 <i>source updated: <span title="&lt;nil&gt;"></span></i>

diff --git a/src/report/testdata/TestReports/some_findings_ignored.golden b/src/report/testdata/TestReports/some_findings_ignored.golden
@@ -44,6 +44,7 @@
 
 
 
+
 <details>
 <summary>Vulnerability details</summary>
 <div>
@@ -53,24 +54,21 @@
 <th>CVE</th>
 <th>Severity</th>
 <th>Affects</th>
-<th>CVSS score</th>
-<th>Vector</th>
+<th>CVSS2 score (vector)</th>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5200">CVE-2019-5200</a></summary><div>Another vulnerability.</div></details></td>
 <td>Critical</td>
 <td>5200-package 5200-version</td>
-<td>10.0</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>10.0 (<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5188">CVE-2019-5188</a></summary><div>A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.</div></details></td>
 <td>High</td>
 <td>e2fsprogs 1.44.1-1ubuntu1.1</td>
-<td>4.6</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>4.6 (<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 </table>
@@ -85,26 +83,23 @@
 <th>Severity</th>
 <th>Ignored until</th>
 <th>Affects</th>
-<th>CVSS score</th>
-<th>Vector</th>
+<th>CVSS2 score (vector)</th>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2019-5300">CVE-2019-5300</a></summary><div>Another vulnerability.</div></details></td>
 <td>Critical</td>
 <td><details><summary>2023-12-31</summary><div>Ignored to give the base image a chance to be updated</div></details></td>
 <td>5300-package 5300-version</td>
-<td>10.0</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>10.0 (<a href="">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 <tr>
 <td><details><summary><a href="http://people.ubuntu.com/~ubuntu-security/cve/CVE-2023-100">CVE-2023-100</a></summary><div>A vulnerability present in some software but isn&#39;t that bad.</div></details></td>
 <td>Low</td>
 <td><div class="italic">(indefinitely)</div></td>
 <td>100-package 100-version</td>
-<td>4.0</td>
-<td><a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV%3aL%2fAC%3aL%2fAu%3aN%2fC%3aP%2fI%3aP%2fA%3aP)">AV:L/AC:L/Au:N/C:P/I:P/A:P</a></td>
+<td>4.0 (<a href="https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29">AV:L/AC:L/Au:N/C:P/I:P/A:P</a>)</td>
 </tr>
 
 </table>
Original file line number	Diff line number	Diff line change
Expand Up		@@ -14,6 +14,7 @@




		<p class="p1">
		<i>scan completed: <span title="<nil>"></span></i> \|
		<i>source updated: <span title="<nil>"></span></i>
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -13,6 +13,7 @@




		<p class="p1">
		<i>scan completed: <span title="<nil>"></span></i> \|
		<i>source updated: <span title="<nil>"></span></i>
Expand Down