fix(advisor): Map an incorrect vulnerability severity

For vulnerability references that come from GitHub advisories VulnerableCode returns the severity as qualitative rating [1] as it is provided by GitHub [2]. For "MEDIUM" severities GitHub uses the term "MODERATE" which is is conflict with the specification. Therefore, map "MODERATE" to "MEDIUM" in such cases. [1]: https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale [2]: aboutcode-org/vulnerablecode#1186 Signed-off-by: Martin Nonnenmacher <[email protected]>
oss-review-toolkit · Apr 24, 2023 · 0caf8f7 · 0caf8f7
1 parent 446de45
commit 0caf8f7
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/advisor/src/main/kotlin/advisors/VulnerableCode.kt b/advisor/src/main/kotlin/advisors/VulnerableCode.kt
@@ -126,7 +126,13 @@ class VulnerableCode(name: String, config: VulnerableCodeConfiguration) : Advice
     ): List<VulnerabilityReference> = runCatching {
         val sourceUri = URI(url)
         if (scores.isEmpty()) return listOf(VulnerabilityReference(sourceUri, null, null))
-        return scores.map { VulnerabilityReference(sourceUri, it.scoringSystem, it.value) }
+        return scores.map {
+            // VulnerableCode returns MODERATE instead of MEDIUM in case of cvssv3.1_qr, see:
+            // https://github.com/nexB/vulnerablecode/issues/1186
+            val severity = if (it.scoringSystem == "cvssv3.1_qr" && it.value == "MODERATE") "MEDIUM" else it.value
+
+            VulnerabilityReference(sourceUri, it.scoringSystem, severity)
+        }
     }.onFailure {
         issues += createAndLogIssue(providerName, "Failed to map $this to ORT model due to $it.", Severity.HINT)
     }.getOrElse { emptyList() }