func convertOccurrence()

in pkg/vul/convert/grype/grype.go [64:150]


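// stringField returns the string stored at path below c and reports whether
// the node exists and actually holds a string. It replaces the unchecked
// `.Data().(string)` assertions on scanner output: a grype report is external
// input, and a missing or non-string node would otherwise panic the converter
// instead of being skipped.
func stringField(c *gabs.Container, path ...string) (string, bool) {
	if c == nil {
		return "", false
	}
	str, ok := c.Search(path...).Data().(string)
	return str, ok
}

// convertOccurrence turns one grype match (v) into a Grafeas vulnerability
// occurrence for the scanned resource s, attached to the note noteID under
// s.Project.
//
// It returns nil when the match has no related vulnerability in the "nvd:cpe"
// namespace, when that record carries no usable CVE id, or when it has no
// CVSS 2.0 block — the occurrence's primary score is the CVSSv2 base score, so
// a record without one is not reported. Malformed nodes elsewhere in the
// record (non-string description, severity, URL or fix version) are tolerated
// and simply left out rather than aborting the conversion.
func convertOccurrence(s *utils.Source, v *gabs.Container, noteID string) *g.Occurrence {
	noteName := fmt.Sprintf("projects/%s/notes/%s", s.Project, noteID)

	// grype may list several related records; only the NVD one carries the
	// CVE id and CVSS data emitted below.
	var rv *gabs.Container
	for _, rvNode := range v.Search("relatedVulnerabilities").Children() {
		if ns, ok := stringField(rvNode, "namespace"); ok && ns == "nvd:cpe" {
			rv = rvNode
			break
		}
	}
	if rv == nil {
		return nil
	}
	cve, ok := stringField(rv, "id")
	if !ok {
		return nil
	}

	// Locate the CVSS 2.0 and 3.x blocks; entries with an unknown or
	// missing version are ignored.
	var cvss2, cvss3 *gabs.Container
	for _, cvss := range rv.Search("cvss").Children() {
		version, _ := stringField(cvss, "version")
		switch version {
		case "2.0":
			cvss2 = cvss
		case "3.0", "3.1":
			cvss3 = cvss
		}
	}
	if cvss2 == nil {
		return nil
	}

	// Free-text fields default to "" when absent; severity is resolved once
	// and reused for both severity fields (NOTE(review): what ToGrafeasSeverity
	// yields for "" is defined outside this file — confirm it maps to unknown).
	description, _ := stringField(rv, "description")
	severityStr, _ := stringField(rv, "severity")
	severity := utils.ToGrafeasSeverity(severityStr)

	o := g.Occurrence{
		ResourceUri: fmt.Sprintf("https://%s", s.URI),
		NoteName:    noteName,
		Details: &g.Occurrence_Vulnerability{
			Vulnerability: &g.VulnerabilityOccurrence{
				ShortDescription: cve,
				LongDescription:  description,
				RelatedUrls: []*g.RelatedUrl{
					{
						Label: "Registry",
						Url:   s.URI,
					},
				},
				CvssVersion: g.CVSSVersion_CVSS_VERSION_2,
				CvssScore:   utils.ToFloat32(cvss2.Search("metrics", "baseScore").Data()),
				Severity:    severity,
				// TODO: What is the difference between severity and effective severity?
				EffectiveSeverity: severity,
			}},
	}
	vuln := o.GetVulnerability()

	// One package issue per fixed version; with no fix versions listed, a
	// single issue without a FixedVersion is emitted. A fix entry that is not
	// a string still produces an issue, just without a FixedVersion.
	fixVersions := v.Search("vulnerability", "fix", "versions").Children()
	if len(fixVersions) == 0 {
		vuln.PackageIssue = append(vuln.PackageIssue, getBasePackageIssue(v))
	} else {
		for _, version := range fixVersions {
			pi := getBasePackageIssue(v)
			if name, ok := version.Data().(string); ok {
				pi.FixedVersion = &g.Version{
					Name: name,
					Kind: g.Version_NORMAL,
				}
			}
			vuln.PackageIssue = append(vuln.PackageIssue, pi)
		}
	}

	// CVSSv3 is optional and only attached when its vector string is present.
	if cvss3 != nil {
		if vector, ok := stringField(cvss3, "vector"); ok {
			vuln.Cvssv3 = utils.ToCVSS(
				utils.ToFloat32(cvss3.Search("metrics", "baseScore").Data()),
				vector,
			)
		}
	}

	// Reference URLs from the NVD record; non-string entries are skipped.
	for _, r := range rv.Search("urls").Children() {
		url, ok := r.Data().(string)
		if !ok {
			continue
		}
		vuln.RelatedUrls = append(vuln.RelatedUrls, &g.RelatedUrl{
			Url:   url,
			Label: "Url",
		})
	}
	return &o
}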