feat: implement osv vector parsing

Signed-off-by: Dejan Bosanac <dbosanac@redhat.com>

Author: dejanb

Cargo.lock

@@ -13,7 +13,7 @@ pub struct Model {
 
     pub r#type: ScoreType,
     pub vector: String,
-    pub score: f64,
+    pub score: f32,
     pub severity: Severity,
 }
 

entity/src/advisory_vulnerability_score.rs

@@ -1,6 +1,7 @@
 use cvss::version::VersionV3;
 use cvss::{Cvss, v2_0, v3, v4_0};
 use sea_orm::{ColumnTrait, ConnectionTrait, DbErr, EntityTrait, QueryFilter, Set};
+use trustify_cvss::cvss3::severity::Severity as CvssSeverity;
 use trustify_entity::advisory_vulnerability_score::{self, ScoreType, Severity};
 use uuid::Uuid;
 
@@ -16,7 +17,7 @@ pub struct ScoreInformation {
     pub vulnerability_id: String,
     pub r#type: ScoreType,
     pub vector: String,
-    pub score: f64,
+    pub score: f32,
     pub severity: Severity,
 }
 
@@ -42,68 +43,72 @@ impl From<ScoreInformation> for advisory_vulnerability_score::ActiveModel {
 }
 
 impl From<(String, v2_0::CvssV2)> for ScoreInformation {
-    fn from((vulnerability_id, score): (String, v2_0::CvssV2)) -> Self {
-        let v2_0::CvssV2 {
-            vector_string,
-            severity,
-            base_score,
-            ..
-        } = score;
+    fn from((vulnerability_id, cvss): (String, v2_0::CvssV2)) -> Self {
+        // Use calculated_base_score() to compute the actual score from metrics
+        let base_score = cvss.calculated_base_score().unwrap_or(0.0);
+        // Derive severity from calculated score using CVSS v2 scale (no "None" or "Critical")
+        let severity = match base_score {
+            x if x < 4.0 => Severity::Low,
+            x if x < 7.0 => Severity::Medium,
+            _ => Severity::High,
+        };
 
         Self {
             vulnerability_id,
             r#type: ScoreType::V2_0,
-            vector: vector_string,
-            score: base_score,
-            severity: match severity {
-                None => Severity::None,
-                Some(v2_0::Severity::Low) => Severity::Low,
-                Some(v2_0::Severity::Medium) => Severity::Medium,
-                Some(v2_0::Severity::High) => Severity::High,
-            },
+            vector: cvss.vector_string,
+            score: base_score as f32,
+            severity,
         }
     }
 }
 
 impl From<(String, v3::CvssV3)> for ScoreInformation {
-    fn from((vulnerability_id, score): (String, v3::CvssV3)) -> Self {
-        let v3::CvssV3 {
-            version,
-            vector_string,
-            base_severity,
-            base_score,
-            ..
-        } = score;
+    fn from((vulnerability_id, cvss): (String, v3::CvssV3)) -> Self {
+        // Use calculated_base_score() to compute the actual score from metrics
+        let base_score = cvss.calculated_base_score().unwrap_or(0.0);
+        // Derive severity from calculated score using CVSS v3 scale
+        let severity = match CvssSeverity::from_f64(base_score) {
+            CvssSeverity::None => Severity::None,
+            CvssSeverity::Low => Severity::Low,
+            CvssSeverity::Medium => Severity::Medium,
+            CvssSeverity::High => Severity::High,
+            CvssSeverity::Critical => Severity::Critical,
+        };
 
         Self {
             vulnerability_id,
-            r#type: match version {
+            r#type: match cvss.version {
                 Some(VersionV3::V3_0) => ScoreType::V3_0,
                 Some(VersionV3::V3_1) => ScoreType::V3_1,
                 None => ScoreType::V3_0, // Default to V3_0 if version is not specified
             },
-            vector: vector_string,
-            score: base_score,
-            severity: base_severity.into(),
+            vector: cvss.vector_string,
+            score: base_score as f32,
+            severity,
         }
     }
 }
 
 impl From<(String, v4_0::CvssV4)> for ScoreInformation {
-    fn from((vulnerability_id, score): (String, v4_0::CvssV4)) -> Self {
-        let v4_0::CvssV4 {
-            vector_string,
-            base_severity,
-            base_score,
-            ..
-        } = score;
+    fn from((vulnerability_id, cvss): (String, v4_0::CvssV4)) -> Self {
+        // Use calculated_base_score() to compute the actual score from metrics
+        let base_score = cvss.calculated_base_score().unwrap_or(0.0);
+        // Derive severity from calculated score using CVSS v4 scale (same as v3)
+        let severity = match CvssSeverity::from_f64(base_score) {
+            CvssSeverity::None => Severity::None,
+            CvssSeverity::Low => Severity::Low,
+            CvssSeverity::Medium => Severity::Medium,
+            CvssSeverity::High => Severity::High,
+            CvssSeverity::Critical => Severity::Critical,
+        };
 
         Self {
             vulnerability_id,
             r#type: ScoreType::V4_0,
-            vector: vector_string,
-            score: base_score,
-            severity: base_severity.into(),
+            vector: cvss.vector_string,
+            score: base_score as f32,
+            severity,
         }
     }
 }

modules/ingestor/src/graph/cvss.rs

@@ -579,8 +579,10 @@ mod test {
     use hex::ToHex;
     use osv::schema::Vulnerability;
     use rstest::rstest;
+    use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
     use test_context::test_context;
     use test_log::test;
+    use trustify_entity::advisory_vulnerability_score;
     use trustify_test_context::{TrustifyContext, document};
 
     #[test_context(TrustifyContext)]
@@ -642,6 +644,35 @@ mod test {
                 .is_none()
         );
 
+        // Verify the advisory_vulnerability_score table has the calculated score
+        let new_scores = advisory_vulnerability_score::Entity::find()
+            .filter(
+                advisory_vulnerability_score::Column::AdvisoryId.eq(loaded_advisory.advisory.id),
+            )
+            .all(&ctx.db)
+            .await?;
+        assert_eq!(1, new_scores.len());
+        let new_score = &new_scores[0];
+        assert_eq!(new_score.vulnerability_id, "CVE-2021-32714");
+        assert_eq!(
+            new_score.r#type,
+            advisory_vulnerability_score::ScoreType::V3_1
+        );
+        assert_eq!(
+            new_score.vector,
+            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
+        );
+        // Score should be 9.1 (calculated from the CVSS vector metrics)
+        assert!(
+            (new_score.score - 9.1_f32).abs() < 0.1,
+            "Expected score ~9.1, got {}",
+            new_score.score
+        );
+        assert_eq!(
+            new_score.severity,
+            advisory_vulnerability_score::Severity::Critical
+        );
+
         Ok(())
     }
 

modules/ingestor/src/service/advisory/osv/loader.rs

@@ -3,12 +3,10 @@ mod prefix;
 pub mod loader;
 pub mod translate;
 
-use crate::{
-    graph::cvss::{ScoreCreator, ScoreInformation},
-    service::Error,
-};
+use crate::{graph::cvss::ScoreCreator, service::Error};
+use cvss::{v2_0::CvssV2, v3::CvssV3, v4_0::CvssV4};
 use osv::schema::{SeverityType, Vulnerability};
-use trustify_entity::advisory_vulnerability_score::{ScoreType, Severity};
+use std::str::FromStr;
 
 /// Load a [`Vulnerability`] from YAML, using the "classic" enum representation.
 pub fn from_yaml(data: &[u8]) -> Result<Vulnerability, serde_yml::Error> {
@@ -49,78 +47,65 @@ pub fn extract_vulnerability_ids(osv: &Vulnerability) -> impl IntoIterator<Item
 
 /// extract scores from OSV
 pub fn extract_scores(osv: &Vulnerability, creator: &mut ScoreCreator) {
-    #[derive(Clone)]
-    struct ScoreInfo {
-        pub r#type: ScoreType,
-        pub vector: String,
-        pub score: f64,
-        pub severity: Severity,
+    // Get all vulnerability IDs upfront
+    let ids: Vec<_> = extract_vulnerability_ids(osv).into_iter().collect();
+
+    // If no vulnerability IDs, nothing to do
+    if ids.is_empty() {
+        return;
     }
 
-    impl From<(String, ScoreInfo)> for ScoreInformation {
-        fn from(
-            (
-                vulnerability_id,
-                ScoreInfo {
-                    r#type,
-                    vector,
-                    score,
-                    severity,
-                },
-            ): (String, ScoreInfo),
-        ) -> Self {
-            Self {
-                vulnerability_id,
-                r#type,
-                vector,
-                score,
-                severity,
+    // Process each severity entry
+    for severity in osv.severity.iter().flatten() {
+        match severity.severity_type {
+            SeverityType::CVSSv2 => match CvssV2::from_str(&severity.score) {
+                Ok(cvss) => {
+                    for id in &ids {
+                        creator.add((id.to_string(), cvss.clone()));
+                    }
+                }
+                Err(e) => {
+                    log::warn!(
+                        "Failed to parse CVSSv2 vector '{}': {:?}",
+                        severity.score,
+                        e
+                    );
+                }
+            },
+
+            SeverityType::CVSSv3 => match CvssV3::from_str(&severity.score) {
+                Ok(cvss) => {
+                    for id in &ids {
+                        creator.add((id.to_string(), cvss.clone()));
+                    }
+                }
+                Err(e) => {
+                    log::warn!(
+                        "Failed to parse CVSSv3 vector '{}': {:?}",
+                        severity.score,
+                        e
+                    );
+                }
+            },
+
+            SeverityType::CVSSv4 => match CvssV4::from_str(&severity.score) {
+                Ok(cvss) => {
+                    for id in &ids {
+                        creator.add((id.to_string(), cvss.clone()));
+                    }
+                }
+                Err(e) => {
+                    log::warn!(
+                        "Failed to parse CVSSv4 vector '{}': {:?}",
+                        severity.score,
+                        e
+                    );
+                }
+            },
+
+            _ => {
+                // Unknown severity type, skip
             }
         }
     }
-
-    // TODO: validate score type by prefix
-    let scores = osv
-        .severity
-        .iter()
-        .flatten()
-        .flat_map(|severity| match severity.severity_type {
-            SeverityType::CVSSv2 => Some(ScoreInfo {
-                r#type: ScoreType::V2_0,
-                vector: severity.score.clone(),
-                score: 10f64, // TODO: replace with actual evaluated score
-                severity: Severity::Critical, // TODO: replace with actual evaluated severity
-            }),
-            SeverityType::CVSSv3 => Some(ScoreInfo {
-                r#type: match severity.score.starts_with("CVSS:3.1/") {
-                    true => ScoreType::V3_1,
-                    false => ScoreType::V3_0,
-                },
-                vector: severity.score.clone(),
-                score: 10f64, // TODO: replace with actual evaluated score
-                severity: Severity::Critical, // TODO: replace with actual evaluated severity
-            }),
-            SeverityType::CVSSv4 => Some(ScoreInfo {
-                r#type: ScoreType::V4_0,
-                vector: severity.score.clone(),
-                score: 10f64, // TODO: replace with actual evaluated score
-                severity: Severity::Critical, // TODO: replace with actual evaluated severity
-            }),
-
-            _ => None,
-        });
-
-    // get all vulnerability IDs
-
-    let ids = extract_vulnerability_ids(osv)
-        .into_iter()
-        .collect::<Vec<_>>();
-
-    // create scores for each vulnerability (alias)
-
-    creator.extend(
-        scores
-            .into_iter()
-            .flat_map(|score| ids.iter().map(move |id| (id.to_string(), score.clone()))),
-    );
 }