
Failed to parse the cvss3 score in the securityhub #20269

Closed
stonezdj opened this issue Apr 12, 2024 · 0 comments · Fixed by #20274

Comments

@stonezdj (Contributor)

Current Harbor uses the nvd cvss3 score as the CVE score, but sometimes only the redhat score is returned.

Original

{
  "CVSS": {
    "nvd": {
      "V2Score": 7.5,
      "V2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
      "V3Score": 9.8,
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    },
    "redhat": {
      "V3Score": 3.7,
      "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
    }
  }
}

Sometimes only redhat is returned.

{
  "CVSS": {
    "redhat": {
      "V3Score": 6.5,
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
    }
  }
}

Need to change the following code

// Package name is assumed; the original snippet did not include it.
package securityhub

import (
	"context"
	"encoding/json"

	// Harbor's logging helper providing log.G(ctx); import path assumed.
	"github.com/goharbor/harbor/src/lib/log"
)

// CVSS is the top-level vendor block of the scanner's vendor_attribute JSON.
// Only nvd is modelled here, which is why a redhat-only attribute yields 0.
type CVSS struct {
	NVD Nvd `json:"nvd"`
}

// Nvd carries the NVD CVSS v3 score.
type Nvd struct {
	V3Score float64 `json:"V3Score"`
}

// parseScoreFromVendorAttribute returns the nvd V3Score from the scanner's
// vendor_attribute JSON. If the JSON cannot be parsed, or the nvd block is
// absent, the zero value 0 is returned.
func parseScoreFromVendorAttribute(ctx context.Context, vendorAttribute string) (NvdV3Score float64) {
	var data map[string]CVSS
	err := json.Unmarshal([]byte(vendorAttribute), &data)
	if err != nil {
		log.G(ctx).Errorf("failed to parse vendor_attribute, error %v", err)
		return 0
	}
	if cvss, ok := data["CVSS"]; ok {
		return cvss.NVD.V3Score
	}
	return 0
}
to fall back to redhat if nvd doesn't exist.

wy65701436 added a commit to wy65701436/harbor that referenced this issue Apr 15, 2024
By default, use the nvd score as the primary score, and if it is unavailable, fall back to the redhat score.
fix goharbor#20269

Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436 mentioned this issue Apr 15, 2024
wy65701436 added a commit to wy65701436/harbor that referenced this issue Apr 16, 2024
By default, use the nvd score as the primary score, and if it is unavailable, fall back to the redhat score.
fix goharbor#20269

Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436 added a commit to wy65701436/harbor that referenced this issue Apr 16, 2024
By default, use the nvd score as the primary score, and if it is unavailable, fall back to the redhat score.
fix goharbor#20269

Signed-off-by: wang yan <wangyan@vmware.com>
wy65701436 added a commit that referenced this issue Apr 16, 2024
By default, use the nvd score as the primary score, and if it is unavailable, fall back to the redhat score.
fix #20269

Signed-off-by: wang yan <wangyan@vmware.com>