in pkg/vul/convert/grype/grype.go [152:225]
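// convertNote builds a Grafeas vulnerability Note from one grype match node.
//
// Only the NVD-namespaced related vulnerability ("nvd:cpe") is used, and only
// when it carries a CVSSv2 entry; in every other case nil is returned and the
// caller is expected to skip the match. Note that NVD no longer assigns CVSSv2
// to newer CVEs, so such matches are dropped here by design of the current
// schema (CvssVersion is fixed to CVSS_VERSION_2).
//
// All string fields are read with a checked type assertion rather than a bare
// one, so truncated or malformed scanner JSON (a missing "namespace", "id",
// "version", "vector" or a non-string URL) yields nil or is skipped instead of
// panicking the converter.
//
// s supplies the registry URI recorded as the "Registry" related URL; v is the
// gabs node for the match.
func convertNote(s *utils.Source, v *gabs.Container) *g.Note {
	// Locate the NVD entry among the related vulnerabilities.
	var rv *gabs.Container
	for _, rvNode := range v.Search("relatedVulnerabilities").Children() {
		if ns, ok := stringAt(rvNode, "namespace"); ok && ns == "nvd:cpe" {
			rv = rvNode
			break
		}
	}
	if rv == nil {
		return nil
	}
	cve, ok := stringAt(rv, "id")
	if !ok {
		return nil
	}

	// Pick out the CVSSv2 and CVSSv3 entries; when several carry the same
	// version the last one wins, as before.
	var cvss2, cvss3 *gabs.Container
	for _, cvss := range rv.Search("cvss").Children() {
		ver, ok := stringAt(cvss, "version")
		if !ok {
			continue
		}
		switch ver {
		case "2.0":
			cvss2 = cvss
		case "3.0", "3.1":
			cvss3 = cvss
		}
	}
	// A CVSSv2 score is required for the base Note.
	if cvss2 == nil {
		return nil
	}

	// Description and severity are optional here: a missing value becomes "".
	// NOTE(review): utils.ToGrafeasSeverity("") is assumed to map to an
	// unspecified severity rather than fail — confirm against utils.
	desc, _ := stringAt(rv, "description")
	sev, _ := stringAt(rv, "severity")

	n := g.Note{
		ShortDescription: cve,
		LongDescription:  desc,
		RelatedUrl: []*g.RelatedUrl{
			{
				Label: "Registry",
				Url:   s.URI,
			},
		},
		Type: &g.Note_Vulnerability{
			Vulnerability: &g.VulnerabilityNote{
				CvssVersion: g.CVSSVersion_CVSS_VERSION_2,
				CvssScore:   utils.ToFloat32(cvss2.Search("metrics", "baseScore").Data()),
				// Details in Notes are not populated since we will never see the full list
				Details: []*g.VulnerabilityNote_Detail{
					{
						AffectedCpeUri:  "N/A",
						AffectedPackage: "N/A",
					},
				},
				Severity: utils.ToGrafeasSeverity(sev),
			},
		},
	}

	// CVSSv3 is attached only when both the score entry and its vector string
	// are present; a v3 entry without a vector is ignored rather than fatal.
	if cvss3 != nil {
		if vector, ok := stringAt(cvss3, "vector"); ok {
			n.GetVulnerability().CvssV3 = utils.ToCVSSv3(
				utils.ToFloat32(cvss3.Search("metrics", "baseScore").Data()),
				vector,
			)
		}
	}

	// References: every string entry under "urls"; non-string entries are skipped.
	for _, r := range rv.Search("urls").Children() {
		u, ok := r.Data().(string)
		if !ok {
			continue
		}
		n.RelatedUrl = append(n.RelatedUrl, &g.RelatedUrl{
			Url:   u,
			Label: "Url",
		})
	}
	return &n
}

// stringAt returns the string found at path below c. The second result is
// false when c is nil, the path is absent, or the value is not a string.
func stringAt(c *gabs.Container, path ...string) (string, bool) {
	if c == nil {
		return "", false
	}
	str, ok := c.Search(path...).Data().(string)
	return str, ok
}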