
feat(osv): add CVSSv4 support in OSV parser#635

Merged
knqyf263 merged 3 commits intomainfrom
ghsa_v4
Feb 18, 2026
Merged

feat(osv): add CVSSv4 support in OSV parser#635
knqyf263 merged 3 commits intomainfrom
ghsa_v4

Conversation

@knqyf263
Collaborator

Summary

  • Add CVSSv4 (CVSS_V4) parsing to the OSV severity parser
  • The DB layer already has CvssScoreV40/CvssVectorV40 fields (used by NVD), but the OSV parser only handled CVSS_V3
  • Refactor parseSeverity into parseSeverities returning both V3 and V40 results
  • Map the new fields to types.VulnerabilityDetail

Verification

Built DB with GHSA data and confirmed CVSSv4 fields are stored:

$ go run ./cmd/trivy-db build --only-update ghsa --cache-dir /tmp/trivy-db-test --output-dir /tmp/trivy-db-out

$ bbolt get /tmp/trivy-db-out/trivy.db vulnerability CVE-2026-21860 | jq .
{
  "Title": "Werkzeug safe_join() allows Windows special device names with compound extensions",
  "Description": "Werkzeug's `safe_join` function allows path segments with Windows device names that have file extensions or trailing spaces.",
  "Severity": "MEDIUM",
  "VendorSeverity": {
    "ghsa": 2
  },
  "CVSS": {
    "ghsa": {
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "V3Score": 5.3,
      "V40Score": 6.3
    }
  },
  "References": [
    "https://github.com/pallets/werkzeug/security/advisories/GHSA-87hc-h4r5-73f7",
    "https://nvd.nist.gov/vuln/detail/CVE-2026-21860"
  ]
}
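The parseSeverities refactor described above, as an added example that is not trivy-db's own code: it picks the CVSS_V3 and CVSS_V4 entries out of an OSV severity array, skips types that have no V3/V40 column, and additionally rejects an entry whose declared type does not match its vector prefix so a v3 vector is never stored under the V40 fields. The Severity and Severities types, the function signature and the sampleGHSA input (constructed from the two vectors quoted above) are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity is one entry of the OSV schema's "severity" array (assumed field set).
type Severity struct {
	Type  string `json:"type"`  // "CVSS_V2", "CVSS_V3", "CVSS_V4", ...
	Score string `json:"score"` // the vector string for the CVSS_* types
}

type Severities struct {
	V3Vector  string
	V40Vector string
}

// vectorPrefix is the vector prefix each supported OSV severity type must carry.
var vectorPrefix = map[string]string{
	"CVSS_V3": "CVSS:3.", // covers both 3.0 and 3.1 vectors
	"CVSS_V4": "CVSS:4.",
}
// Constructed sample: the two GHSA severity entries quoted in the PR description.
var sampleGHSA = []Severity{
	{Type: "CVSS_V3", Score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},
	{Type: "CVSS_V4", Score: "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"},
}

// parseSeverities keeps the first CVSS_V3 and first CVSS_V4 entry. An entry whose declared
// type disagrees with its vector prefix is rejected rather than stored under the wrong column.
func parseSeverities(sevs []Severity) (Severities, error) {
	var out Severities
	for _, s := range sevs {
		prefix, known := vectorPrefix[s.Type]
		if !known {
			continue // CVSS_V2, Ubuntu and other types have no V3/V40 column
		}
		if !strings.HasPrefix(s.Score, prefix) {
			return Severities{}, fmt.Errorf("%s entry carries mismatched vector %q", s.Type, s.Score)
		}
		switch {
		case s.Type == "CVSS_V3" && out.V3Vector == "":
			out.V3Vector = s.Score
		case s.Type == "CVSS_V4" && out.V40Vector == "":
			out.V40Vector = s.Score
		}
	}
	return out, nil
}
```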

@knqyf263 knqyf263 self-assigned this Feb 18, 2026
@knqyf263 knqyf263 marked this pull request as ready for review February 18, 2026 06:53
Contributor

@DmitriyLewen DmitriyLewen left a comment


LGTM

left one small comment.

Also, I think it makes sense to change the PR title scope from ghsa to osv.

Contributor


nit:
Since you are updating the code in the osv package, I think it would be better to add the tests there as well.

CVSS_V4 is a standard OSV severity type.
This is not unique to GHSA, so other sources will also use these new values.

e.g.:

➜ bbolt get ./trivy.db vulnerability CVE-2025-26625 | jq .CVSS
{
  "bitnami": {
    "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
    "V40Score": 8.6
  },
  "ghsa": {
    "V40Vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
    "V40Score": 8.6
  },
  "redhat": {
    "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
    "V3Score": 8.1
  }
}

CVSS_V4 is a standard OSV severity type, not unique to GHSA.
Move the test and test data to the osv package where the parsing
logic lives.
@knqyf263 knqyf263 changed the title feat(ghsa): add CVSSv4 support in OSV parser feat(osv): add CVSSv4 support in OSV parser Feb 18, 2026
@knqyf263 knqyf263 added this pull request to the merge queue Feb 18, 2026
Merged via the queue into main with commit 21d17c3 Feb 18, 2026
6 checks passed
@knqyf263 knqyf263 deleted the ghsa_v4 branch February 18, 2026 11:42