google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Include CVSS MaxSeverity in JSON output #495

Open yene opened 11 months ago

yene commented 11 months ago

feature request

The markdown and table output include a CVSS score, calculated by MaxSeverity(). It would be really handy to have this score in the results[].packages[].vulnerabilities[] object for easy scripting against the output.

Note: Since the severity score is so hard to read for humans, maybe max severity should be part of the Vulnerability struct.

thank you

oliverchang commented 10 months ago

@another-rex does this seem like something that would fit under "groups" ?

yene commented 5 months ago

@oliverchang please consider this issue, it would enable scripting in build pipelines, something like

osv-scanner -r -json --format json | jq '.[]....score >= 9'
osv-scanner -r -json --format json | jq '.[]....severity == critical'

thank you for your time.

AppleGamer22 commented 5 months ago

Hi there.

I'd be happy to jump into this issue and suggest changes to the structs and JSON generation.

Kind regards, Omri

another-rex commented 5 months ago

Happy to take contributions!

I think this is a pretty good idea to put the MaxSeverity calculation directly onto the Group struct, I just haven't had time to do it yet.
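Until a MaxSeverity value ships in the JSON output, the pipeline gate yene asks for above can be scripted against the OSV records the scanner already emits. The following is an added example, not osv-scanner's own code nor its MaxSeverity() implementation: it computes the CVSS v3.1 base score from each vulnerability's `severity` vector and fails the build at a threshold of 9.0. It assumes the OSV-schema `severity` entry shape ({"type": "CVSS_V3", "score": "CVSS:3.1/..."}) and a `package.name` field under results[].packages[], and the sample report is constructed.

```python
"""Gate a CI build on the highest CVSS v3.1 base score in osv-scanner JSON output.
Assumptions (not stated in the issue): each vulnerability is an OSV record whose `severity`
entries look like {"type": "CVSS_V3", "score": "CVSS:3.1/..."}; packages carry {"package": {"name": ...}}."""
import math

# CVSS v3.1 base metric weights from the FIRST specification.
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "UI": {"N": 0.85, "R": 0.62}, "CIA": {"H": 0.56, "L": 0.22, "N": 0.0}}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}

def roundup(x):
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, without float drift."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base_score(vector):
    """Base score of a CVSS:3.1 vector string (e.g. CVSS:3.1/AV:N/AC:L/...)."""
    m = dict(p.split(":") for p in vector.split("/")[1:])
    s = m["S"]
    iss = 1 - (1 - W["CIA"][m["C"]]) * (1 - W["CIA"][m["I"]]) * (1 - W["CIA"][m["A"]])
    impact = 6.42 * iss if s == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * PR[s][m["PR"]] * W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + expl, 10)) if s == "U" else roundup(min(1.08 * (impact + expl), 10))

def max_severity(vuln):
    """Highest CVSS v3.1 base score among a vulnerability's severity entries (0.0 if none)."""
    scores = [cvss31_base_score(e["score"]) for e in vuln.get("severity", [])
              if e.get("type") == "CVSS_V3" and e["score"].startswith("CVSS:3.1/")]
    return max(scores, default=0.0)

def findings_at_or_above(report, threshold):
    """(package name, vulnerability id, score) for every finding scoring >= threshold."""
    hits = []
    for result in report["results"]:
        for pkg in result["packages"]:
            for vuln in pkg["vulnerabilities"]:
                score = max_severity(vuln)
                if score >= threshold:
                    hits.append((pkg["package"]["name"], vuln["id"], score))
    return hits

# Constructed sample standing in for `osv-scanner --format json` output (ids are placeholders).
SAMPLE = {"results": [{"packages": [{"package": {"name": "example-lib"}, "vulnerabilities": [
    {"id": "EXAMPLE-0001", "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]},
    {"id": "EXAMPLE-0002", "severity": [{"type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]},
    {"id": "EXAMPLE-0003"}]}]}]}  # no severity data: scores 0.0 and never trips the gate
if __name__ == "__main__":
    raise SystemExit(1 if findings_at_or_above(SAMPLE, 9.0) else 0)
```

Records without a CVSS v3.1 vector score 0.0 here, so a gate built this way should be paired with a separate check that every finding actually carried severity data.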