fix: Add support for CVSS V4 metrics in NVD conversion (google#4158)

Closes google#4157

Author: jess-lowe

vulnfeeds/cves/nvd2.go

@@ -206,17 +206,8 @@ type CVSSV2 struct {
 	UserInteractionRequired bool         `json:"userInteractionRequired,omitempty" mapstructure:"userInteractionRequired,omitempty" yaml:"userInteractionRequired,omitempty"`
 }
 
-// CVSS V3.0 score. (hand-generated)
-type CVSSV30 struct {
-	Source              string       `json:"source"                        mapstructure:"source"                        yaml:"source"`
-	Type                string       `json:"type"                          mapstructure:"type"                          yaml:"type"`
-	CVSSData            CVSS         `json:"cvssData"                      mapstructure:"cvssData"                      yaml:"cvssData"`
-	ExploitabilityScore *DefSubscore `json:"exploitabilityScore,omitempty" mapstructure:"exploitabilityScore,omitempty" yaml:"exploitabilityScore,omitempty"`
-	ImpactScore         *DefSubscore `json:"impactScore,omitempty"         mapstructure:"impactScore,omitempty"         yaml:"impactScore,omitempty"`
-}
-
-// CVSS V3.1 score. (hand-generated)
-type CVSSV31 struct {
+// CVSS Score to encapsulate V3.0, V3.1, V4.0 structs
+type BaseCVSSNVD struct {
 	Source              string       `json:"source"                        mapstructure:"source"                        yaml:"source"`
 	Type                string       `json:"type"                          mapstructure:"type"                          yaml:"type"`
 	CVSSData            CVSS         `json:"cvssData"                      mapstructure:"cvssData"                      yaml:"cvssData"`
@@ -230,10 +221,13 @@ type CVEItemMetrics struct {
 	CVSSMetricV2 []CVSSV2 `json:"cvssMetricV2,omitempty" mapstructure:"cvssMetricV2,omitempty" yaml:"cvssMetricV2,omitempty"`
 
 	// CVSS V3.0 score.
-	CVSSMetricV30 []CVSSV30 `json:"cvssMetricV30,omitempty" mapstructure:"cvssMetricV30,omitempty" yaml:"cvssMetricV30,omitempty"`
+	CVSSMetricV30 []BaseCVSSNVD `json:"cvssMetricV30,omitempty" mapstructure:"cvssMetricV30,omitempty" yaml:"cvssMetricV30,omitempty"`
 
 	// CVSS V3.1 score.
-	CVSSMetricV31 []CVSSV31 `json:"cvssMetricV31,omitempty" mapstructure:"cvssMetricV31,omitempty" yaml:"cvssMetricV31,omitempty"`
+	CVSSMetricV31 []BaseCVSSNVD `json:"cvssMetricV31,omitempty" mapstructure:"cvssMetricV31,omitempty" yaml:"cvssMetricV31,omitempty"`
+
+	// CVSS V4 score
+	CVSSMetricV40 []BaseCVSSNVD `json:"cvssMetricV40,omitempty" mapstructure:"cvssMetricV40,omitempty" yaml:"cvssMetricV40,omitempty"`
 }
 
 type Reference struct {

vulnfeeds/vulns/vulns.go

@@ -308,7 +308,12 @@ func (v *Vulnerability) AddPkgInfo(pkgInfo PackageInfo) {
 func getBestSeverity(metricsData *cves.CVEItemMetrics) (string, osvschema.SeverityType) {
 	// Define search passes. First pass for "Primary", second for any.
 	for _, primaryOnly := range []bool{true, false} {
-		// Inside each pass, prioritize v3.1 over v3.0.
+		// Inside each pass, prioritize v4.0 over v3.1 over v3.0.
+		for _, metric := range metricsData.CVSSMetricV40 {
+			if (!primaryOnly || metric.Type == "Primary") && metric.CVSSData.VectorString != "" {
+				return metric.CVSSData.VectorString, osvschema.SeverityCVSSV4
+			}
+		}
 		for _, metric := range metricsData.CVSSMetricV31 {
 			if (!primaryOnly || metric.Type == "Primary") && metric.CVSSData.VectorString != "" {
 				return metric.CVSSData.VectorString, osvschema.SeverityCVSSV3