anchore / anchore-engine

A service that analyzes docker images and scans for vulnerabilities
Apache License 2.0
1.57k stars 273 forks

Feature Req: Include AV & Published Date in Vuln info #1363

Open navzen2000 opened 2 years ago

navzen2000 commented 2 years ago

Is this a request for help?:


Is this a BUG REPORT or a FEATURE REQUEST? (choose one): FEATURE REQUEST

Version of Anchore Engine and Anchore CLI if applicable:

What happened:

What did you expect to happen:

Any relevant log output from /var/log/anchore:

What docker images are you using:

How to reproduce the issue:

Anything else we need to know:

Currently the JSON report structure looks like:

```json
"vulnerabilities": [
  {
    "feed": "vulnerabilities",
    "feed_group": "github:java",
    "fix": "2.17.1",
    "nvd_data": [
      {
        "cvss_v2": {
          "base_score": 6.0,
          "exploitability_score": 6.8,
          "impact_score": 6.4
        },
        "cvss_v3": {
          "base_score": 6.6,
          "exploitability_score": 0.7,
          "impact_score": 5.9
        },
        "id": "CVE-2021-44832"
      }
    ],
    "package": "log4j-api-2.17.0",
    "package_cpe": "None",
    "package_cpe23": "None",
    "package_name": "log4j-api",
    "package_path": "/path",
    "package_type": "java",
    "package_version": "2.17.0",
    "severity": "Medium",
    "url": "https://github.com/advisories/GHSA-8489-44mv-ggj8",
    "vendor_data": [],
    "vuln": "GHSA-8489-44mv-ggj8",
    "will_not_fix": false
  },
```

It would be helpful if the strings below could be added from the NVD data:

```json
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
"publishedDate": "2021-12-28T20:15Z"
```

Source: https://services.nvd.nist.gov/rest/json/cve/1.0/CVE-2021-44832
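The enrichment the request describes, as an added example that is not part of the issue or of anchore-engine's own code: it takes an entry shaped like the report excerpt above, looks up the CVE in an NVD 1.0-style response, and copies `vectorString` and `publishedDate` (plus the parsed `AV` metric) onto the `nvd_data` element. The output field names `vector_string`, `published_date` and `attack_vector`, the `fetch` callback, and the embedded NVD fixture are this example's own assumptions; the fixture is a constructed fragment that mirrors the shape of the `services.nvd.nist.gov/rest/json/cve/1.0` response and the values quoted in the issue, so the code runs offline.

```python
"""Added example: enrich anchore-style vulnerability entries with the CVSS
vector string and NVD published date. Not anchore-engine code."""
import copy
import json
from typing import Callable, Dict, Optional

# Constructed sample: one entry shaped like the report excerpt in the issue.
REPORT: Dict = {
    "vulnerabilities": [
        {
            "vuln": "GHSA-8489-44mv-ggj8",
            "package": "log4j-api-2.17.0",
            "severity": "Medium",
            "nvd_data": [
                {
                    "id": "CVE-2021-44832",
                    "cvss_v3": {"base_score": 6.6, "exploitability_score": 0.7, "impact_score": 5.9},
                }
            ],
        }
    ]
}

# Constructed fixture keyed by CVE id, mirroring the NVD 1.0 response shape
# (result.CVE_Items[].impact.baseMetricV3.cvssV3.vectorString, publishedDate).
NVD_1_0: Dict[str, Dict] = {
    "CVE-2021-44832": {
        "resultsPerPage": 1, "startIndex": 0, "totalResults": 1,
        "result": {"CVE_Items": [{
            "cve": {"CVE_data_meta": {"ID": "CVE-2021-44832"}},
            "impact": {"baseMetricV3": {"cvssV3": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "baseScore": 6.6}}},
            "publishedDate": "2021-12-28T20:15Z",
        }]},
    }
}


def nvd_fields(cve_item: Dict) -> Dict[str, Optional[str]]:
    """Pull vectorString (v3 preferred, v2 as fallback) and publishedDate from
    one CVE_Items element. Missing pieces become None instead of raising, so a
    partial NVD record never breaks report generation."""
    impact = cve_item.get("impact", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3", {})
    v2 = impact.get("baseMetricV2", {}).get("cvssV2", {})
    return {
        "vector_string": v3.get("vectorString") or v2.get("vectorString"),
        "published_date": cve_item.get("publishedDate"),
    }


def parse_vector(vector: str) -> Dict:
    """Split a CVSS vector into {version, metrics}. v3 vectors carry a
    'CVSS:x.y/' prefix; NVD's v2 vectorString does not, so it is taken as 2.0."""
    parts = vector.split("/")
    version = "2.0"
    if parts[0].startswith("CVSS:"):
        version = parts.pop(0).split(":", 1)[1]
    metrics: Dict[str, str] = {}
    for part in parts:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed CVSS metric {part!r} in {vector!r}")
        metrics[key] = value
    return {"version": version, "metrics": metrics}


def enrich(report: Dict, fetch: Callable[[str], Optional[Dict]]) -> Dict:
    """Return a copy of the report with vector_string, published_date and
    attack_vector (the AV metric) added to every nvd_data element. The field
    names are this example's choice. `fetch` maps a CVE id to an NVD 1.0
    response, or None when NVD has no record; the input report is not mutated."""
    out = copy.deepcopy(report)
    for vuln in out.get("vulnerabilities", []):
        for nvd in vuln.get("nvd_data", []):
            fields: Dict[str, Optional[str]] = {
                "vector_string": None, "published_date": None, "attack_vector": None}
            resp = fetch(nvd.get("id", "")) or {}
            items = resp.get("result", {}).get("CVE_Items", [])
            if items:
                fields.update(nvd_fields(items[0]))
                if fields["vector_string"]:
                    fields["attack_vector"] = parse_vector(fields["vector_string"])["metrics"].get("AV")
            nvd.update(fields)
    return out


def enrich_offline(report: Dict = REPORT) -> Dict:
    """Run enrich() against the embedded fixture, i.e. with no network access."""
    return enrich(report, NVD_1_0.get)


if __name__ == "__main__":
    print(json.dumps(enrich_offline(), indent=2))
```

In a real deployment `fetch` would wrap whatever NVD client the feed service already uses; the 1.0 endpoint cited in the issue has since been retired by NVD in favour of the 2.0 API, whose response nests the same fields differently, so the extraction in `nvd_fields` is the part to adapt.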

navzen2000 commented 2 years ago

@zhill Please have a look.

navzen2000 commented 2 years ago

@zhill @dspalmer99 Quick update: we were able to modify the code to extract vectorString in the file below: anchore_engine/services/apiext/api/controllers/utils.py

However, we see that the feed information does not contain the publishedDate metadata that can be used while generating the report. Any inputs will help.