Skip to content

Commit 57c43bf

Browse files
committed
fix(scanoss): Also take EPSS scores as references
Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.io>
1 parent e73bcb7 commit 57c43bf

2 files changed

Lines changed: 29 additions & 17 deletions

File tree

plugins/advisors/scanoss/src/funTest/kotlin/ScanOssFunTest.kt

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -97,10 +97,10 @@ class ScanOssFunTest : WordSpec({
9797
vulnerability.references.find {
9898
it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2023-2976"
9999
} shouldNotBeNull {
100-
scoringSystem should beNull()
101-
severity shouldBe "MEDIUM"
102-
score should beNull()
103-
vector should beNull()
100+
scoringSystem shouldBe "EPSS"
101+
severity should beNull()
102+
score shouldBe 6.5E-4f
103+
vector shouldBe "0.20002"
104104
}
105105
}
106106
}
@@ -124,10 +124,10 @@ class ScanOssFunTest : WordSpec({
124124
vulnerability.references.find {
125125
it.url.toString() == "https://nvd.nist.gov/vuln/detail/CVE-2024-48948"
126126
} shouldNotBeNull {
127-
scoringSystem should beNull()
128-
severity shouldBe "MEDIUM"
129-
score should beNull()
130-
vector should beNull()
127+
scoringSystem shouldBe "EPSS"
128+
severity should beNull()
129+
score shouldBe 0.00162f
130+
vector shouldBe "0.3665"
131131
}
132132
}
133133
}

plugins/advisors/scanoss/src/main/kotlin/ScanOss.kt

Lines changed: 21 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -121,19 +121,31 @@ private fun V2Vulnerability.toOrtVulnerability(): Vulnerability? {
121121
val vulnId = id ?: cve ?: return null
122122
val infoUrl = url?.let { URI(it) } ?: return null
123123

124+
val references = cvss.mapTo(mutableListOf()) { info ->
125+
VulnerabilityReference(
126+
url = infoUrl,
127+
scoringSystem = info.cvss?.substringBefore('/', "")?.ifEmpty { null },
128+
severity = info.cvss_severity,
129+
score = info.cvss_score,
130+
vector = info.cvss
131+
)
132+
}
133+
134+
epss?.also {
135+
references += VulnerabilityReference(
136+
url = infoUrl,
137+
scoringSystem = "EPSS",
138+
severity = null,
139+
score = it.probability,
140+
vector = it.percentile?.toString()
141+
)
142+
}
143+
124144
return Vulnerability(
125145
id = vulnId,
126146
summary = summary,
127147
// TODO: Get a more detailed description.
128-
references = cvss.map { info ->
129-
VulnerabilityReference(
130-
url = infoUrl,
131-
scoringSystem = info.cvss?.substringBefore('/', "")?.ifEmpty { null },
132-
severity = info.cvss_severity,
133-
score = info.cvss_score,
134-
vector = info.cvss
135-
)
136-
}.ifEmpty {
148+
references = references.ifEmpty {
137149
listOf(
138150
VulnerabilityReference(
139151
url = infoUrl,

0 commit comments

Comments
 (0)