Use NVD CVSS score

pkg/scanner/ospkg/scan.go

@@ -1,7 +1,6 @@
 package ospkg
 
 import (
-	"github.com/k0kubun/pp"
 	"github.com/knqyf263/fanal/analyzer"
 	_ "github.com/knqyf263/fanal/analyzer/command/apk"
 	fos "github.com/knqyf263/fanal/analyzer/os"
@@ -58,7 +57,6 @@ func Scan(files extractor.FileMap) (string, string, []types.Vulnerability, error
 
 	pkgs = mergePkgs(pkgs, pkgsFromCommands)
 	log.Logger.Debugf("the number of packages: %d", len(pkgs))
-	pp.Println(pkgs)
 
 	vulns, err := s.Detect(os.Name, pkgs)
 	if err != nil {

pkg/scanner/scan.go

@@ -167,14 +167,14 @@ func getSeverity(details map[string]vulnerability.Vulnerability) vulnerability.S
 		if !ok {
 			continue
 		}
-		if d.Severity != 0 {
-			return d.Severity
-		} else if d.SeverityV3 != 0 {
-			return d.SeverityV3
-		} else if d.CvssScore > 0 {
+		if d.CvssScore > 0 {
 			return scoreToSeverity(d.CvssScore)
 		} else if d.CvssScoreV3 > 0 {
 			return scoreToSeverity(d.CvssScoreV3)
+		} else if d.Severity != 0 {
+			return d.Severity
+		} else if d.SeverityV3 != 0 {
+			return d.SeverityV3
 		}
 	}
 	return vulnerability.SeverityUnknown

pkg/vulnsrc/nvd/nvd.go

@@ -77,6 +77,8 @@ func save(items []Item) error {
 			}
 
 			vuln := vulnerability.Vulnerability{
+				CvssScore:   item.Impact.BaseMetricV2.CvssV2.BaseScore,
+				CvssScoreV3: item.Impact.BaseMetricV3.CvssV3.BaseScore,
 				Severity:    severity,
 				SeverityV3:  severityV3,
 				References:  references,

pkg/vulnsrc/nvd/types.go

@@ -25,14 +25,20 @@ type Impact struct {
 }
 
 type BaseMetricV2 struct {
+	CvssV2   CvssV2
 	Severity string
 }
 
+type CvssV2 struct {
+	BaseScore float64
+}
+
 type BaseMetricV3 struct {
 	CvssV3 CvssV3
 }
 
 type CvssV3 struct {
+	BaseScore    float64
 	BaseSeverity string
 }