fix: add severity score to Alpine vulns (#4043)

(based on NVD data)

Author: jess-lowe

vulnfeeds/cmd/alpine/Dockerfile

@@ -22,13 +22,13 @@ COPY ./go.sum /src/go.sum
 RUN go mod download
 
 COPY ./ /src/
-RUN go build -o alpine ./cmd/alpine/
+RUN go build -o alpine-osv ./cmd/alpine/
 
 
 FROM gcr.io/google.com/cloudsdktool/google-cloud-cli:alpine@sha256:cdac858d976cb0e6bfdc3288fee5a0a7bf6348a009089be130b2009e28463c52
 
 WORKDIR /root/
-COPY --from=GO_BUILD /src/alpine ./
+COPY --from=GO_BUILD /src/alpine-osv ./
 COPY ./cmd/alpine/run_alpine_convert.sh ./
 
 ENTRYPOINT ["/root/run_alpine_convert.sh"]

vulnfeeds/cmd/alpine/main.go

@@ -220,6 +220,7 @@ func generateAlpineOSV(allAlpineSecDb map[string][]VersionAndPkg, allCVEs map[cv
 			logger.Warn(fmt.Sprintf("Skipping %s as no affected versions found.", v.ID), slog.String("cveID", cveID))
 			continue
 		}
+		v.AddSeverity(cve.CVE.Metrics)
 		osvVulnerabilities = append(osvVulnerabilities, v)
 	}
 

vulnfeeds/cmd/alpine/run_alpine_convert.sh

@@ -23,5 +23,5 @@ echo "Begin syncing NVD data from GCS bucket ${INPUT_BUCKET}"
 gcloud --no-user-output-enabled storage -q cp "gs://${INPUT_BUCKET}/nvd/*-????.json" "${CVE_OUTPUT}"
 echo "Successfully synced from GCS bucket"
 
-./alpine -output_bucket "$OUTPUT_BUCKET" -output_path "$OSV_OUTPUT_PATH" -num_workers "$WORKERS" -uploadToGCS
+./alpine-osv -output_bucket "$OUTPUT_BUCKET" -output_path "$OSV_OUTPUT_PATH" -num_workers "$WORKERS" -uploadToGCS
 echo "Successfully converted and uploaded to cloud"