From d7710387a9d1a2b38389e9c49686b417fcf544ea Mon Sep 17 00:00:00 2001
From: Michael Long <31821088+bluesentinelsec@users.noreply.github.com>
Date: Tue, 17 Sep 2024 14:48:06 -0400
Subject: [PATCH] Extend vulnerability severity providers (#98)

* Add severity providers: GHSA, GitLab
* Add severity providers: GHSA, GitLab
* Add REDHAT_CVE and UBUNTU_CVE providers
* rename GHSA to GITHUB
---------
Co-authored-by: Michael Long
---
 entrypoint/entrypoint/pkg_vuln.py | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)

diff --git a/entrypoint/entrypoint/pkg_vuln.py b/entrypoint/entrypoint/pkg_vuln.py
index e9f19d0..bf3ff91 100644
--- a/entrypoint/entrypoint/pkg_vuln.py
+++ b/entrypoint/entrypoint/pkg_vuln.py
@@ -15,10 +15,32 @@
 class CvssSourceProvider:
     NVD = "NVD"
     MITRE = "MITRE"
+    GITHUB = "GITHUB"
+    GITLAB = "GITLAB"
+    REDHAT_CVE = "REDHAT_CVE"
+    UBUNTU_CVE = "UBUNTU_CVE"
     AMAZON_INSPECTOR = "AMAZON_INSPECTOR"
-    DEFAULT_PROVIDER = NVD
 
 
+def get_rating_providers():
+    """
+    get_rating_providers returns a list of vulnerability
+    severity providers. The action uses this information
+    to determine which vuln severity to render when
+    multiple severity values are present from different
+    vendors. See the function definition to view the
+    order in which severity providers are preferred.
+    """
+
+    # NVD is most preferred, followed by everything
+    # else in the order listed.
+    providers = [CvssSourceProvider.NVD,
+                 CvssSourceProvider.MITRE,
+                 CvssSourceProvider.GITHUB,
+                 CvssSourceProvider.GITLAB,
+                 CvssSourceProvider.AMAZON_INSPECTOR
+                 ]
+    return providers
 
 class CvssSeverity:
     UNTRIAGED = "untriaged"
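Review bot: `get_rating_providers()` omits the two constants this same hunk introduces, `CvssSourceProvider.REDHAT_CVE` and `CvssSourceProvider.UBUNTU_CVE`, so a finding whose only CVSS ratings come from Red Hat or Ubuntu never matches in the provider loop of the second hunk and presumably falls through to whatever default the rest of `get_cvss_rating` applies (not visible here) instead of rendering the distro's own severity. Add `CvssSourceProvider.REDHAT_CVE,` and `CvssSourceProvider.UBUNTU_CVE,` to the list, and state in the comment where they sit relative to AMAZON_INSPECTOR, since that ordering is a triage-policy decision rather than an implementation detail. The docstring's "See the function definition to view the order" makes callers read the body; name the order there instead, e.g. `Preference order: NVD, MITRE, GITHUB, GITLAB, AMAZON_INSPECTOR.` `DEFAULT_PROVIDER = NVD` is deleted in this hunk; any remaining reference elsewhere in the package would now raise AttributeError at call time, which cannot be confirmed from the diff alone.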
@@ -255,7 +277,7 @@ def get_cwes(v) -> str:
 
 
 def get_cvss_rating(ratings, vulnerability) -> CvssRating:
-    rating_provider_priority = [CvssSourceProvider.NVD, CvssSourceProvider.MITRE, CvssSourceProvider.AMAZON_INSPECTOR]
+    rating_provider_priority = get_rating_providers()
     for provider in rating_provider_priority:
         for rating in ratings:
             if rating["source"]["name"] != provider:
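Review bot: A rating whose `source.name` is not in `rating_provider_priority` is silently skipped by the inner loop, so a provider added to `CvssSourceProvider` but forgotten in `get_rating_providers()` drops that vendor's severity with no trace; a debug log for the no-match case after the loops (if the module has a logger) would surface that misconfiguration during triage. As a point of style, `get_rating_providers()` rebuilds the same fixed list on every call to `get_cvss_rating`, which is presumably invoked once per vulnerability; a module-level constant such as `RATING_PROVIDER_PRIORITY = get_rating_providers()` referenced here would declare the precedence once. The body of `get_cvss_rating` continues past the end of the hunk, so the fallback behaviour when no provider matches cannot be reviewed here.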