in pkg/vul/convert/snyk/snyk.go [124:192]
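// convertOccurrence builds a Grafeas vulnerability occurrence for one Snyk
// vulnerability entry v, attached to note noteID in s.Project and to the
// resource s.URI.
//
// It returns nil when the entry cannot be turned into a useful occurrence:
// when it has no CVE identifier to name it, or when no cvssDetails block is
// assigned by NVD, so there is nothing to score it with.
//
// v comes from an external Snyk report, so every string leaf is read with a
// checked type assertion: a missing or mistyped value yields "" instead of a
// panic in the converter.
func convertOccurrence(s *utils.Source, v *gabs.Container, noteID string) *g.Occurrence {
	// stringAt reads a string leaf at path without panicking when the path is
	// absent or holds a non-string value.
	stringAt := func(c *gabs.Container, path ...string) string {
		str, _ := c.Search(path...).Data().(string)
		return str
	}

	// Without a CVE there is nothing to put in ShortDescription; skip the entry
	// rather than emit an unnamed occurrence.
	cve, ok := v.Search("identifiers", "CVE").Index(0).Data().(string)
	if !ok {
		return nil
	}
	noteName := fmt.Sprintf("projects/%s/notes/%s", s.Project, noteID)

	// Get cvss3 details from NVD. When several NVD-assigned entries exist the
	// last one wins, which matches the previous behaviour.
	var cvss3 *gabs.Container
	for _, detail := range v.Search("cvssDetails").Children() {
		if utils.ToString(detail.Search("assigner").Data()) == "NVD" {
			cvss3 = detail
		}
	}
	if cvss3 == nil {
		return nil
	}

	// Values used in more than one field below, computed once.
	cpe := makeCPE(v)
	pkgName := stringAt(v, "packageName")
	severity := utils.ToGrafeasSeverity(stringAt(v, "nvdSeverity"))
	baseScore := utils.ToFloat32(cvss3.Search("cvssV3BaseScore").Data())

	// Create Occurrence
	o := g.Occurrence{
		ResourceUri: fmt.Sprintf("https://%s", s.URI),
		NoteName:    noteName,
		Details: &g.Occurrence_Vulnerability{
			Vulnerability: &g.VulnerabilityOccurrence{
				ShortDescription: cve,
				LongDescription:  utils.ToString(v.Search("CVSSv3").Data()),
				RelatedUrls: []*g.RelatedUrl{
					{
						Label: "Registry",
						Url:   s.URI,
					},
				},
				CvssVersion: g.CVSSVersion_CVSS_VERSION_3,
				CvssScore:   baseScore,
				// TODO: Set PackageType
				PackageIssue: []*g.VulnerabilityOccurrence_PackageIssue{{
					AffectedCpeUri:  cpe,
					AffectedPackage: pkgName,
					AffectedVersion: &g.Version{
						Name: stringAt(v, "version"),
						Kind: g.Version_NORMAL,
					},
					FixedCpeUri:  cpe,
					FixedPackage: pkgName,
					// Snyk does not give a fixed version here; MAXIMUM marks it
					// as unbounded.
					FixedVersion: &g.Version{
						Kind: g.Version_MAXIMUM,
					},
				}},
				Severity: severity,
				// TODO: What is the difference between severity and effective severity?
				EffectiveSeverity: severity,
			},
		},
	}

	// CVSSv3: only set the vector breakdown when Snyk supplied a vector string.
	if vector, ok := cvss3.Search("cvssV3Vector").Data().(string); ok {
		o.GetVulnerability().Cvssv3 = utils.ToCVSS(baseScore, vector)
	}

	// References: a related URL without a URL is useless, so such entries are
	// skipped instead of being appended empty.
	for _, r := range v.Search("references").Children() {
		url := stringAt(r, "url")
		if url == "" {
			continue
		}
		o.GetVulnerability().RelatedUrls = append(o.GetVulnerability().RelatedUrls, &g.RelatedUrl{
			Url:   url,
			Label: stringAt(r, "title"),
		})
	}
	return &o
}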