feat(detector, contrib/trivy-to-vuls): collect vendor severity and cvss

[MaineK00n]

What did you implement:

Fixes #1919

Type of change

• New feature (non-breaking change which adds functionality)

How Has This Been Tested?

vuls lockfile scan

• config.toml

[servers.pseudo]
type = "pseudo"
lockfiles = ["integration/data/lockfile/juddiv3-war-3.3.5.war"]

before

$ vuls scan
$ vuls report --refresh-cve
$ cat results/2024-05-16T00-24-28+0900/pseudo.json | jq '.scannedCves."CVE-2022-22965".cveContents[][] | {type,cveID,cvss2Score,cvss2Vector,cvss2Severity,cvss3Score,cvss3Vector,cvss3Severity}'
{
  "type": "nvd",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 7.5,
  "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
  "cvss2Severity": "HIGH",
  "cvss3Score": 9.8,
  "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvss3Severity": "CRITICAL"
}
{
  "type": "nvd",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 0,
  "cvss3Vector": "",
  "cvss3Severity": ""
}
{
  "type": "trivy",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 0,
  "cvss3Vector": "",
  "cvss3Severity": "CRITICAL"
}

after

$ vuls scan
$ vuls report --refresh-cve
$ cat results/2024-05-16T00-24-28+0900/pseudo.json | jq '.scannedCves."CVE-2022-22965".cveContents[][] | {type,cveID,cvss2Score,cvss2Vector,cvss2Severity,cvss3Score,cvss3Vector,cvss3Severity}'
{
  "type": "nvd",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 7.5,
  "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
  "cvss2Severity": "HIGH",
  "cvss3Score": 9.8,
  "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvss3Severity": "CRITICAL"
}
{
  "type": "nvd",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 0,
  "cvss3Vector": "",
  "cvss3Severity": ""
}
{
  "type": "trivy:ghsa",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 9.8,
  "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvss3Severity": ""
}
{
  "type": "trivy:ghsa",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 0,
  "cvss3Vector": "",
  "cvss3Severity": "CRITICAL"
}
{
  "type": "trivy:nvd",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 7.5,
  "cvss2Vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
  "cvss2Severity": "",
  "cvss3Score": 9.8,
  "cvss3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvss3Severity": ""
}
{
  "type": "trivy:nvd",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 0,
  "cvss3Vector": "",
  "cvss3Severity": "CRITICAL"
}
{
  "type": "trivy:redhat",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 8.1,
  "cvss3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
  "cvss3Severity": ""
}
{
  "type": "trivy:redhat",
  "cveID": "CVE-2022-22965",
  "cvss2Score": 0,
  "cvss2Vector": "",
  "cvss2Severity": "",
  "cvss3Score": 0,
  "cvss3Vector": "",
  "cvss3Severity": "HIGH"
}

vuls tui

trivy-to-vuls

unit test: contrib/trivy/parser/v2/parser_test.go

Checklist:

You don't have to satisfy all of the following.

• Write tests
• Write documentation
• Check that there aren't other open pull requests for the same issue/feature
• Format your source code by make fmt
• Pass the test by make test
• Provide verification config / commands
• Enable "Allow edits from maintainers" for this PR
• Update the messages below

Is this ready for review?: YES

Reference

[shino]

Perfect!!