diff --git a/src/finding/summary.go b/src/finding/summary.go index 729af9f0..3f629d58 100644 --- a/src/finding/summary.go +++ b/src/finding/summary.go @@ -31,8 +31,9 @@ type Detail struct { } type CVSSScore struct { - Score string - Vector string + Score string + Vector string + VectorURL string } type SeverityCount struct { @@ -128,6 +129,9 @@ func findingToDetail(finding types.ImageScanFinding) Detail { uri = fixFindingURI(name, uri) + cvss2Vector := findingAttributeValue(finding, "CVSS2_VECTOR") + cvss2VectorURL := cvss2VectorURL(cvss2Vector) + return Detail{ Name: name, URI: uri, @@ -136,8 +140,9 @@ func findingToDetail(finding types.ImageScanFinding) Detail { PackageName: findingAttributeValue(finding, "package_name"), PackageVersion: findingAttributeValue(finding, "package_version"), CVSS2: CVSSScore{ - Score: findingAttributeValue(finding, "CVSS2_SCORE"), - Vector: findingAttributeValue(finding, "CVSS2_VECTOR"), + Score: findingAttributeValue(finding, "CVSS2_SCORE"), + Vector: cvss2Vector, + VectorURL: cvss2VectorURL, }, } } @@ -170,3 +175,12 @@ func fixFindingURI(name string, uri string) string { return correctedURI } + +func cvss2VectorURL(cvss2Vector string) string { + cvss2VectorURL := "" + if cvss2Vector != "" { + cvss2VectorURL = "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=" + + url.QueryEscape("("+cvss2Vector+")") + } + return cvss2VectorURL +} diff --git a/src/finding/summary_test.go b/src/finding/summary_test.go index 167221cc..d3d6e1d7 100644 --- a/src/finding/summary_test.go +++ b/src/finding/summary_test.go @@ -3,6 +3,7 @@ package finding_test import ( "testing" + "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/service/ecr/types" "github.com/cultureamp/ecrscanresults/finding" "github.com/cultureamp/ecrscanresults/findingconfig" @@ -62,6 +63,42 @@ func TestSummarize(t *testing.T) { Ignored: []finding.Detail{}, }), }, + { + name: "findings with CVSS2 scores", + data: types.ImageScanFindings{ + Findings: []types.ImageScanFinding{ + fscore("CVE-2019-5188", "HIGH", "1.2", "AV:L/AC:L/Au:N/C:P/I:P/A:P"), + fscore("INVALID-CVE", "CRITICAL", "", ""), + fscore("CVE-2019-5189", "HIGH", "", ""), + }, + }, + expected: autogold.Expect(finding.Summary{ + Counts: map[types.FindingSeverity]finding.SeverityCount{ + types.FindingSeverity("CRITICAL"): {Included: 1}, + types.FindingSeverity("HIGH"): {Included: 2}, + }, + Details: []finding.Detail{ + { + Name: "CVE-2019-5188", + Severity: types.FindingSeverity("HIGH"), + CVSS2: finding.CVSSScore{ + Score: "1.2", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", + }, + }, + { + Name: "INVALID-CVE", + Severity: types.FindingSeverity("CRITICAL"), + }, + { + Name: "CVE-2019-5189", + Severity: types.FindingSeverity("HIGH"), + }, + }, + Ignored: []finding.Detail{}, + }), + }, { name: "findings with no ignores", data: types.ImageScanFindings{ @@ -160,6 +197,17 @@ func fu(name string, severity types.FindingSeverity, uri string) types.ImageScan } } +func fscore(name string, severity types.FindingSeverity, cvss2 string, vector string) types.ImageScanFinding { + return types.ImageScanFinding{ + Name: &name, + Severity: severity, + Attributes: []types.Attribute{ + {Key: aws.String("CVSS2_SCORE"), Value: &cvss2}, + {Key: aws.String("CVSS2_VECTOR"), Value: &vector}, + }, + } +} + func i(id string) findingconfig.Ignore { return findingconfig.Ignore{ID: id} } diff --git a/src/report/annotation.gohtml b/src/report/annotation.gohtml index 0bda558e..4bebbe88 100644 --- a/src/report/annotation.gohtml +++ b/src/report/annotation.gohtml @@ -42,6 +42,9 @@ be wrapped in

tag by the Markdown renderer in Buildkite. {{ define "findingName" }}{{ if .Description }}

{{ template "findingNameLink" . }}
{{ .Description }}
{{ else }}{{ template "findingNameLink" . }}{{ end }}{{ end }} {{ define "findingIgnoreUntil" }}{{ if .Until | hasUntilValue }}{{ .Until }}{{ else }}
(indefinitely)
{{ end }}{{ end }} {{ define "findingIgnore"}}{{ if .Reason }}
{{ template "findingIgnoreUntil" . }}
{{ .Reason }}
{{ else }}{{ template "findingIgnoreUntil" . }}{{ end }}{{ end }} +{{ define "cvssScore" +}}{{ .Score | nbsp}}{{ if .Vector }} ({{ .Vector }}){{ end +}}{{ end }} {{ if (or .FindingSummary.Details .FindingSummary.Ignored) }}
Vulnerability details @@ -52,16 +55,14 @@ be wrapped in

tag by the Markdown renderer in Buildkite. CVE Severity Affects -CVSS score -Vector +CVSS2 score (vector) {{ range $f := .FindingSummary.Details | sortFindings }} {{ template "findingName" . }} {{ $f.Severity | string | lowerCase | titleCase }} {{ $f.PackageName | nbsp }} {{ $f.PackageVersion | nbsp }} -{{ $f.CVSS2.Score | nbsp}} -{{ if $f.CVSS2.Vector }}{{ $f.CVSS2.Vector }}{{ else }} {{ end }} +{{ template "cvssScore" $f.CVSS2 }} {{ end }} @@ -76,8 +77,7 @@ be wrapped in

tag by the Markdown renderer in Buildkite. Severity Ignored until Affects -CVSS score -Vector +CVSS2 score (vector) {{ range $f := .FindingSummary.Ignored | sortFindings }} @@ -85,8 +85,7 @@ be wrapped in

tag by the Markdown renderer in Buildkite. {{ $f.Severity | string | lowerCase | titleCase }} {{ template "findingIgnore" $f.Ignore }} {{ $f.PackageName | nbsp }} {{ $f.PackageVersion | nbsp }} -{{ $f.CVSS2.Score | nbsp}} -{{ if $f.CVSS2.Vector }}{{ $f.CVSS2.Vector }}{{ else }} {{ end }} +{{ template "cvssScore" $f.CVSS2 }} {{ end }} diff --git a/src/report/annotation_test.go b/src/report/annotation_test.go index 30b3d132..7245c07a 100644 --- a/src/report/annotation_test.go +++ b/src/report/annotation_test.go @@ -71,8 +71,9 @@ func TestReports(t *testing.T) { PackageName: "5300-package", PackageVersion: "5300-version", CVSS2: finding.CVSSScore{ - Score: "10.0", - Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + Score: "10.0", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", }, }, { @@ -83,8 +84,9 @@ func TestReports(t *testing.T) { PackageName: "e2fsprogs", PackageVersion: "1.44.1-1ubuntu1.1", CVSS2: finding.CVSSScore{ - Score: "4.6", - Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + Score: "4.6", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", }, }, { @@ -95,8 +97,9 @@ func TestReports(t *testing.T) { PackageName: "5200-package", PackageVersion: "5200-version", CVSS2: finding.CVSSScore{ - Score: "10.0", - Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + Score: "10.0", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", }, }, }, @@ -130,8 +133,9 @@ func TestReports(t *testing.T) { PackageName: "e2fsprogs", PackageVersion: "1.44.1-1ubuntu1.1", CVSS2: finding.CVSSScore{ - Score: "4.6", - Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + Score: "4.6", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", }, }, { @@ -142,8 +146,9 @@ func TestReports(t *testing.T) { PackageName: "5200-package", PackageVersion: "5200-version", CVSS2: finding.CVSSScore{ - Score: "10.0", - Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + Score: "10.0", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", }, }, }, @@ -156,8 +161,9 @@ func TestReports(t *testing.T) { PackageName: "100-package", PackageVersion: "100-version", CVSS2: finding.CVSSScore{ - Score: "4.0", - Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + Score: "4.0", + Vector: "AV:L/AC:L/Au:N/C:P/I:P/A:P", + VectorURL: "https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=%28AV%3AL%2FAC%3AL%2FAu%3AN%2FC%3AP%2FI%3AP%2FA%3AP%29", }, Ignore: &findingconfig.Ignore{ ID: "CVE-2023-100", diff --git a/src/report/testdata/TestReports/findings_included.golden b/src/report/testdata/TestReports/findings_included.golden index b52f2e09..53da65ba 100644 --- a/src/report/testdata/TestReports/findings_included.golden +++ b/src/report/testdata/TestReports/findings_included.golden @@ -44,6 +44,7 @@ +

Vulnerability details
@@ -53,32 +54,28 @@ CVE Severity Affects -CVSS score -Vector +CVSS2 score (vector)
CVE-2019-5200
Another vulnerability.
Critical 5200-package 5200-version -10.0 -AV:L/AC:L/Au:N/C:P/I:P/A:P +10.0 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2019-5188
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
High e2fsprogs 1.44.1-1ubuntu1.1 -4.6 -AV:L/AC:L/Au:N/C:P/I:P/A:P +4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2019-5300
Another vulnerability.
Aa-Bogus-Severity 5300-package 5300-version -10.0 -AV:L/AC:L/Au:N/C:P/I:P/A:P +10.0 (AV:L/AC:L/Au:N/C:P/I:P/A:P) diff --git a/src/report/testdata/TestReports/image_label.golden b/src/report/testdata/TestReports/image_label.golden index 42a08899..0065eb83 100644 --- a/src/report/testdata/TestReports/image_label.golden +++ b/src/report/testdata/TestReports/image_label.golden @@ -14,6 +14,7 @@ +

scan completed: | source updated: diff --git a/src/report/testdata/TestReports/no_vulnerabilities.golden b/src/report/testdata/TestReports/no_vulnerabilities.golden index 357825e5..c56dd03c 100644 --- a/src/report/testdata/TestReports/no_vulnerabilities.golden +++ b/src/report/testdata/TestReports/no_vulnerabilities.golden @@ -13,6 +13,7 @@ +

scan completed: | source updated: diff --git a/src/report/testdata/TestReports/some_findings_ignored.golden b/src/report/testdata/TestReports/some_findings_ignored.golden index 80e5bb98..586e4162 100644 --- a/src/report/testdata/TestReports/some_findings_ignored.golden +++ b/src/report/testdata/TestReports/some_findings_ignored.golden @@ -44,6 +44,7 @@ +

Vulnerability details
@@ -53,24 +54,21 @@ CVE Severity Affects -CVSS score -Vector +CVSS2 score (vector)
CVE-2019-5200
Another vulnerability.
Critical 5200-package 5200-version -10.0 -AV:L/AC:L/Au:N/C:P/I:P/A:P +10.0 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CVE-2019-5188
A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4. A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability.
High e2fsprogs 1.44.1-1ubuntu1.1 -4.6 -AV:L/AC:L/Au:N/C:P/I:P/A:P +4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P) @@ -85,8 +83,7 @@ Severity Ignored until Affects -CVSS score -Vector +CVSS2 score (vector) @@ -94,8 +91,7 @@ Critical
2023-12-31
Ignored to give the base image a chance to be updated
5300-package 5300-version -10.0 -AV:L/AC:L/Au:N/C:P/I:P/A:P +10.0 (AV:L/AC:L/Au:N/C:P/I:P/A:P) @@ -103,8 +99,7 @@ Low
(indefinitely)
100-package 100-version -4.0 -AV:L/AC:L/Au:N/C:P/I:P/A:P +4.0 (AV:L/AC:L/Au:N/C:P/I:P/A:P)