fix: EPSS Score Issues (#104)

* EPSS enrichment feeds off Vulnerability.Cve * Adds Cve field to osv vulnerability output * Fixes Snyk EPSS scores * Fixes snyk test case * Added more test cases for markdownToHTML
devops-kung-fu · Dec 22, 2022 · 9ee85bb · 9ee85bb
1 parent c8a0f6b
commit 9ee85bb
Show file tree

Hide file tree

Showing 11 changed files with 138 additions and 97 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -5,6 +5,7 @@
     "version": "0.2.0",
     "configurations": [    
 
+
         {
             "name": "Debug Folder (OSV)",
             "type": "go",
@@ -27,7 +28,15 @@
             "request": "launch",
             "mode": "auto",
             "program": "${workspaceFolder}/main.go",
-            "args": ["--provider=osv", "--debug=true", "--provider=ossindex", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+            "args": ["--debug=true", "--provider=ossindex", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
+        },
+        {
+            "name": "Debug File (Snyk - juiceshop)",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/main.go",
+            "args": ["--provider=snyk", "--debug=true", "scan", "./sbom/test/juiceshop.cyclonedx.json"]
         },
         {
             "name": "Debug File (OSV - juiceshop)",

diff --git a/go.mod b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/spf13/afero v1.9.3
 	github.com/spf13/cobra v1.6.1
 	github.com/stretchr/testify v1.8.1
-	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
+	k8s.io/utils v0.0.0-20221128185143-99ec85e7a448
 )
 
 require (
@@ -25,7 +25,7 @@ require (
 	github.com/fatih/color v1.13.0 // indirect
 	github.com/gomarkdown/markdown v0.0.0-20221013030248-663e2500819c
 	github.com/gorilla/css v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
@@ -35,9 +35,9 @@ require (
 	github.com/rivo/uniseg v0.4.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	golang.org/x/net v0.2.0 // indirect
-	golang.org/x/sys v0.2.0 // indirect
-	golang.org/x/text v0.4.0 // indirect
+	golang.org/x/net v0.4.0 // indirect
+	golang.org/x/sys v0.3.0 // indirect
+	golang.org/x/text v0.5.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
@@ -136,8 +136,9 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
-github.com/inconshreveable/mousetrap v1.0.1 h1:U3uMjPSQEBMNp1lFxmllqCPM6P5u/Xq7Pgzkat/bFNc=
 github.com/inconshreveable/mousetrap v1.0.1/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jarcoal/httpmock v1.2.0 h1:gSvTxxFR/MEMfsGrvRbdfpRUMBStovlSRLw0Ep1bwwc=
 github.com/jarcoal/httpmock v1.2.0/go.mod h1:oCoTsnAz4+UoOUIf5lJOWV2QQIW5UoeUI6aM2YnWAZk=
 github.com/jedib0t/go-pretty/v6 v6.4.3 h1:2n9BZ0YQiXGESUSR+6FLg0WWWE80u+mIz35f0uHWcIE=
@@ -287,8 +288,8 @@ golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
-golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
+golang.org/x/net v0.4.0 h1:Q5QPcMlvfxFTAPV0+07Xz/MpK9NTXu2VDUuy0FeMfaU=
+golang.org/x/net v0.4.0/go.mod h1:MBQ8lrhLObU/6UmLb4fmbmk5OcyYmqtbGd/9yIeKjEE=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -347,17 +348,17 @@ golang.org/x/sys v0.0.0-20210423185535-09eb48e85fd7/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
-golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.3.0 h1:w8ZOecv6NaNa/zC8944JTU3vz4u6Lagfk4RPQxv92NQ=
+golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
-golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.5.0 h1:OLmvp0KP+FVG99Ct/qFiL/Fhk4zp4QQnZ7b2U+5piUM=
+golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -516,8 +517,8 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh
 honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg=
 honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
-k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2 h1:GfD9OzL11kvZN5iArC6oTS7RTj7oJOIfnislxYlqTj8=
-k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+k8s.io/utils v0.0.0-20221128185143-99ec85e7a448 h1:KTgPnR10d5zhztWptI952TNtt/4u5h3IzDXkdIMuo2Y=
+k8s.io/utils v0.0.0-20221128185143-99ec85e7a448/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/lib/enrichment/epss.go b/lib/enrichment/epss.go
@@ -17,7 +17,7 @@ const epssBaseURL = "https://api.first.org/data/v1/epss?cve="
 func Enrich(vulnerabilities []models.Vulnerability) (enriched []models.Vulnerability, err error) {
 	identifiers := []string{}
 	for _, v := range vulnerabilities {
-		identifiers = append(identifiers, v.ID)
+		identifiers = append(identifiers, v.Cve)
 	}
 	req := HttpRequest.NewRequest()
 	resp, _ := req.JSON().Get(fmt.Sprintf("%s%s", epssBaseURL, strings.Join(identifiers, ",")))
@@ -38,7 +38,7 @@ func Enrich(vulnerabilities []models.Vulnerability) (enriched []models.Vulnerabi
 
 		for i, v := range vulnerabilities {
 			for _, sv := range epss.Scores {
-				if sv.Cve == v.ID {
+				if sv.Cve == v.Cve {
 					vulnerabilities[i].Epss = sv
 				}
 			}

diff --git a/lib/enrichment/epss_test.go b/lib/enrichment/epss_test.go
@@ -11,16 +11,16 @@ import (
 func TestEnrich(t *testing.T) {
 	vulnerabilities := []models.Vulnerability{
 		{
-			ID: "CVE-2021-43138",
+			Cve: "CVE-2021-43138",
 		},
 		{
-			ID: "CVE-2020-15084",
+			Cve: "CVE-2020-15084",
 		},
 		{
-			ID: "CVE-2020-28282",
+			Cve: "CVE-2020-28282",
 		},
 		{
-			ID: "sonatype-2020-1214",
+			Cve: "sonatype-2020-1214",
 		},
 	}
 	enriched, err := Enrich(vulnerabilities)

diff --git a/models/structs.go b/models/structs.go
@@ -21,6 +21,7 @@ type Vulnerability struct {
 	CvssScore          float64       `json:"cvssScore,omitempty"`
 	CvssVector         string        `json:"cvssVector,omitempty"`
 	Cwe                string        `json:"cwe,omitempty"`
+	Cve                string        `json:"cve,omitempty"`
 	Reference          string        `json:"reference,omitempty"`
 	ExternalReferences []interface{} `json:"externalReferences,omitempty"`
 	Severity           string        `json:"severity,omitempty"`

diff --git a/providers/osv/osv.go b/providers/osv/osv.go
@@ -135,6 +135,7 @@ func (Provider) Scan(purls []string, credentials *models.Credentials) (packages
 						Title:       v.Summary,
 						Description: v.Details,
 						Cwe:         strings.Join(v.DatabaseSpecific.CweIDS, ","),
+						Cve:         strings.Join(v.Aliases, ","),
 						Severity:    v.DatabaseSpecific.Severity,
 					}
 					if vuln.Severity == "" {

diff --git a/providers/snyk/vulns.go b/providers/snyk/vulns.go
@@ -203,6 +203,7 @@ func snykIssueToBomberVuln(v SnykIssueResource) models.Vulnerability {
 		Description:        v.Attributes.Description,
 		Severity:           severity,
 		Cwe:                getCwe(v),
+		Cve:                getCve(v),
 		CvssScore:          float64(cvss.Score),
 		CvssVector:         cvss.Vector,
 		Reference:          fmt.Sprintf("https://security.snyk.io/vuln/%s", v.Id),
@@ -219,6 +220,15 @@ func getCwe(i SnykIssueResource) string {
 	return ""
 }
 
+func getCve(i SnykIssueResource) string {
+	for _, p := range i.Attributes.Problems {
+		if p.Source == "CVE" {
+			return p.Id
+		}
+	}
+	return ""
+}
+
 func getCvss(i SnykIssueResource) *Severity {
 	var nvdSeverity *Severity
 	for _, ss := range i.Attributes.Severities {

diff --git a/providers/snyk/vulns_test.go b/providers/snyk/vulns_test.go
@@ -26,6 +26,7 @@ func TestGetVulnsForPurlSuccess(t *testing.T) {
 			CvssScore:  float64(7.5),
 			CvssVector: "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
 			Cwe:        "CWE-22",
+			Cve:        "CVE-2022-31163",
 			Reference:  "https://security.snyk.io/vuln/SNYK-RUBY-TZINFO-2958048",
 			ExternalReferences: []interface{}{
 				"https://github.com/tzinfo/tzinfo/releases/tag/v0.3.61",
@@ -88,6 +89,7 @@ func TestSnykIssueToBomberVuln(t *testing.T) {
 		Description: "",
 		Severity:    "HIGH",
 		Cwe:         "CWE-22",
+		Cve:         "CVE-2022-31163",
 		CvssScore:   7.5,
 		CvssVector:  "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
 		Reference:   "https://security.snyk.io/vuln/SNYK-RUBY-TZINFO-2958048",

diff --git a/renderers/html/html_test.go b/renderers/html/html_test.go
@@ -39,3 +39,20 @@ func TestRenderer_Render(t *testing.T) {
 	})
 	assert.NotNil(t, output)
 }
+
+func Test_markdownToHTML(t *testing.T) {
+	packages := []models.Package{
+		{
+			Vulnerabilities: []models.Vulnerability{
+				{
+					Description: "## test",
+				},
+			},
+		},
+	}
+	results := models.NewResults(packages, models.Summary{}, []models.ScannedFile{}, []string{"GPL"}, "0.0.0", "test")
+	markdownToHTML(results)
+
+	assert.NotNil(t, results)
+	assert.Equal(t, "<h2>test</h2>\n", results.Packages[0].Vulnerabilities[0].Description)
+}