feat: Support Additional Metadata + CVSS Score Logic Update #2199

Open. Wants to merge 9 commits into main.
Conversation

Hacks4Snacks
Contributor

Description

This PR introduces two changes:

  • Support for SeveritySource and DataSource as optional fields in the report data.
  • Updated logic for determining the "score" value.

The previous GetScoreFromCVSS logic consisted of:
• Checks if "nvd" exists in the CVSS map and returns its score if found.
• If "nvd" is not found, it returns the first vendor score found in the map.
Returning the first vendor score in the map could lead to discrepancies between the severity and the CVSS score value.

The updated GetScoreFromCVSS logic includes:
• Takes severitySource and preferredSources as additional parameters.
• Returns the CVSS score from severitySource (vendor) if it exists.
• If severitySource (vendor) does not exist in the map, it looks for scores in the order of preferredSources. The order of preferredSources is derived from https://github.com/aquasecurity/trivy-db/blob/d23a6ca8ba04f8acaeac9b1d2e1c52c5242b2814/pkg/vulnsrc/vulnerability/vulnerability.go#L17

Before:
{
  "fixedVersion": "1.33.0",
  "installedVersion": "v1.31.0",
  "lastModifiedDate": "2024-06-10T18:15:26Z",
  "links": [],
  "primaryLink": "https://avd.aquasec.com/nvd/cve-2024-24786",
  "publishedDate": "2024-03-05T23:15:07Z",
  "resource": "google.golang.org/protobuf",
  "score": 5.9,
  "severity": "MEDIUM",
  "target": "",
  "title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
  "vulnerabilityID": "CVE-2024-24786"
},

After:
{
  "dataSource": {
    "id": "ghsa",
    "name": "GitHub Security Advisory Go",
    "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
  },
  "fixedVersion": "1.33.0",
  "installedVersion": "v1.31.0",
  "lastModifiedDate": "2024-06-10T18:15:26Z",
  "links": [],
  "primaryLink": "https://avd.aquasec.com/nvd/cve-2024-24786",
  "publishedDate": "2024-03-05T23:15:07Z",
  "resource": "google.golang.org/protobuf",
  "score": 5.9,
  "severity": "MEDIUM",
  "severitySource": "ghsa",
  "target": "",
  "title": "golang-protobuf: encoding/protojson, internal/encoding/json: infinite loop in protojson.Unmarshal when unmarshaling certain forms of invalid JSON",
  "vulnerabilityID": "CVE-2024-24786"
},

Related issues

  • N/A

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
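The score-selection change described in the PR body, as an added stand-alone example (this is not the PR's code and not trivy-operator's API). The CVSS and VendorCVSS types, the v3-then-v2 score preference and the short preferredSources list are this example's own assumptions; the real source order is the trivy-db list the PR links to. The old fallback is reproduced as described in the PR ("first vendor score found in the map"), which in Go means an unspecified map-iteration order, so the returned score can come from a different source than the one that set the severity. The new function returns the winning source alongside the score so a caller can check that the two agree.

```go
package main

import "fmt"

// CVSS mirrors the per-source score block a scanner emits (v2 and v3 scores).
// The type name and fields are this example's own, not Trivy's.
type CVSS struct {
	V2Score float64
	V3Score float64
}

// VendorCVSS maps a source ID ("nvd", "redhat", "ghsa", ...) to its CVSS block.
type VendorCVSS map[string]CVSS

// preferredSources is a constructed, shortened stand-in for the trivy-db
// source ordering referenced in the PR description (assumption).
var preferredSources = []string{"nvd", "redhat", "ghsa"}

// bestScore prefers the v3 score and falls back to v2 (assumption about how
// a single "score" value is derived from one source's CVSS block).
func bestScore(c CVSS) float64 {
	if c.V3Score != 0 {
		return c.V3Score
	}
	return c.V2Score
}

// getScoreFromCVSSOld reproduces the pre-PR behaviour as the PR describes it:
// "nvd" wins, otherwise the first vendor encountered in the map. Go does not
// define map iteration order, so that fallback is effectively random and may
// disagree with the source that determined the severity.
func getScoreFromCVSSOld(cvss VendorCVSS) (float64, bool) {
	if nvd, ok := cvss["nvd"]; ok {
		return bestScore(nvd), true
	}
	for _, c := range cvss {
		return bestScore(c), true
	}
	return 0, false
}

// getScoreFromCVSS implements the updated logic: consult the source that set
// the severity first, then walk preferred in order. It returns the source
// actually used so callers can verify that score and severity line up.
func getScoreFromCVSS(cvss VendorCVSS, severitySource string, preferred []string) (score float64, source string, ok bool) {
	if c, found := cvss[severitySource]; found {
		return bestScore(c), severitySource, true
	}
	for _, src := range preferred {
		if c, found := cvss[src]; found {
			return bestScore(c), src, true
		}
	}
	return 0, "", false
}

func main() {
	// Constructed sample: no NVD entry, two vendors that disagree, and a
	// severity that was derived from GHSA (as in the PR's "after" JSON).
	cvss := VendorCVSS{
		"ghsa":   {V3Score: 5.9},
		"redhat": {V3Score: 7.5},
	}
	if s, ok := getScoreFromCVSSOld(cvss); ok {
		fmt.Printf("old logic: score=%.1f (source not tracked, order unspecified)\n", s)
	}
	s, src, _ := getScoreFromCVSS(cvss, "ghsa", preferredSources)
	fmt.Printf("new logic: score=%.1f from %s, severity source ghsa\n", s, src)
	s, src, _ = getScoreFromCVSS(cvss, "debian", preferredSources)
	fmt.Printf("severity source missing: fell back to %s with score=%.1f\n", src, s)
}
```

The check worth keeping from this is the returned source: if it differs from severitySource, the report is mixing a severity from one vendor with a score from another, which is exactly the discrepancy the PR sets out to remove.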

@CLAassistant

CLAassistant commented Jul 23, 2024

CLA assistant check
All committers have signed the CLA.

@Hacks4Snacks Hacks4Snacks changed the title Support Additional Metadata + CVSS Score Logic Update feat: Support Additional Metadata + CVSS Score Logic Update Jul 23, 2024
@Hacks4Snacks Hacks4Snacks force-pushed the hacks4snacks/additionalmeta branch 4 times, most recently from f17db2d to 4bfb7e4 Compare July 23, 2024 18:41
@kersten
Contributor

kersten commented Jul 25, 2024

@Hacks4Snacks Seems like this will solve my irritation about score and severity, which I questioned here 👍🏻 https://aquasecurity.slack.com/archives/C02KVB6AED9/p1717779723156139

@Hacks4Snacks
Contributor Author

> @Hacks4Snacks Seems like this will solve my irritation about score and severity, which I questioned here 👍🏻 https://aquasecurity.slack.com/archives/C02KVB6AED9/p1717779723156139

Awesome! Just took a look at the linked thread and that is exactly what I'm targeting with this fix.


This PR is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Sep 24, 2024
@Hacks4Snacks Hacks4Snacks deleted the hacks4snacks/additionalmeta branch October 8, 2024 23:25
@kersten
Contributor

kersten commented Oct 9, 2024

@Hacks4Snacks why did you close this?

@Hacks4Snacks Hacks4Snacks restored the hacks4snacks/additionalmeta branch October 9, 2024 14:10
@Hacks4Snacks
Contributor Author

> @Hacks4Snacks why did you close this?

Hey @kersten I appreciate the ping, this was inadvertent. I will be raising again.

@Hacks4Snacks Hacks4Snacks reopened this Oct 9, 2024
@github-actions github-actions bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Oct 10, 2024