Add a flag for removing the cvss data from the output. (#183)

When dumping GHSA for Malware these values are all "0" and don't make sense. --------- Signed-off-by: Caleb Brown <calebbrown@google.com>
ossf · Jul 25, 2023 · c2daa75 · c2daa75
1 parent 1ee624f
commit c2daa75
Show file tree

Hide file tree

Showing 13 changed files with 3 additions and 52 deletions.
diff --git a/tools/ghsa/convert_ghsa.py b/tools/ghsa/convert_ghsa.py
@@ -113,6 +113,7 @@ def convert_file(input_path: str, output_path: str):
 
     entry = convert(ghsa)
     vuln = osv.parse_vulnerability_from_dict(entry)
+
     osv.analyze(vuln,
                 analyze_git=False,
                 detect_cherrypicks=False,
@@ -176,7 +177,6 @@ def get_affected(ghsa: Dict[str, Any]) -> List[Dict[str, Any]]:
         package_to_vulns.setdefault((mapped_ecosystem, package['name']),
                                     []).append(vuln)
 
-    cvss = ghsa.get('cvss', {})
     cwes = ghsa.get('cwes', {}).get('nodes', [])
 
     # Convert the grouped vulnerabilities in OSV range structures.
@@ -195,9 +195,8 @@ def get_affected(ghsa: Dict[str, Any]) -> List[Dict[str, Any]]:
             'database_specific': {
                 # Attribution.
                 'ghsa': ghsa['permalink'],
-                'cvss': cvss,
                 'cwes': cwes,
-            }
+            },
         }
         affected.append(current)
 
@@ -284,6 +283,7 @@ def main():
                         required=True)
 
     args = parser.parse_args()
+
     for input_path in args.input_files:
         try:
             convert_file(

diff --git a/tools/ghsa/convert_ghsa_test.py b/tools/ghsa/convert_ghsa_test.py
@@ -21,7 +21,6 @@
 
 TEST_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'testdata')
 
-
 class ConverterTest(unittest.TestCase):
     """Converter unit tests."""
 

diff --git a/tools/ghsa/testdata/equals_no_patch.osv.json b/tools/ghsa/testdata/equals_no_patch.osv.json
@@ -30,10 +30,6 @@
       ],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-4g4c-8gqh-m4vm",
-        "cvss": {
-          "score": 9.8,
-          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-        },
         "cwes": [
           {
             "cweId": "CWE-829",

diff --git a/tools/ghsa/testdata/equals_with_patch.osv.json b/tools/ghsa/testdata/equals_with_patch.osv.json
@@ -46,10 +46,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-fhjf-83wg-r2j9",
-        "cvss": {
-          "score": 9.8,
-          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
-        },
         "cwes": [
           {
             "cweId": "CWE-88",

diff --git a/tools/ghsa/testdata/full_ranges.osv.json b/tools/ghsa/testdata/full_ranges.osv.json
@@ -40,10 +40,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-mr95-9rr4-668f",
-        "cvss": {
-          "score": 9.1,
-          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
-        },
         "cwes": [
           {
             "cweId": "CWE-338",
@@ -74,10 +70,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-mr95-9rr4-668f",
-        "cvss": {
-          "score": 9.1,
-          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
-        },
         "cwes": [
           {
             "cweId": "CWE-338",

diff --git a/tools/ghsa/testdata/greater_than_equals_no_patch.osv.json b/tools/ghsa/testdata/greater_than_equals_no_patch.osv.json
@@ -35,10 +35,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-pxmp-fwjc-4x7q",
-        "cvss": {
-          "score": 0,
-          "vectorString": null
-        },
         "cwes": []
       }
     }

diff --git a/tools/ghsa/testdata/less_than_equals_no_patch.osv.json b/tools/ghsa/testdata/less_than_equals_no_patch.osv.json
@@ -37,10 +37,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-jvf4-g24p-2qgw",
-        "cvss": {
-          "score": 8.3,
-          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
-        },
         "cwes": [
           {
             "cweId": "CWE-94",

diff --git a/tools/ghsa/testdata/less_than_equals_with_patch.osv.json b/tools/ghsa/testdata/less_than_equals_with_patch.osv.json
@@ -40,10 +40,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-f89g-whpf-6q9m",
-        "cvss": {
-          "score": 0,
-          "vectorString": null
-        },
         "cwes": [
           {
             "cweId": "CWE-79",

diff --git a/tools/ghsa/testdata/maven_greater_than.osv.json b/tools/ghsa/testdata/maven_greater_than.osv.json
@@ -56,10 +56,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-76mp-659p-rw65",
-        "cvss": {
-          "score": 8.8,
-          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
-        },
         "cwes": [
           {
             "cweId": "CWE-285",

diff --git a/tools/ghsa/testdata/multiple_ranges_in_package.osv.json b/tools/ghsa/testdata/multiple_ranges_in_package.osv.json
@@ -46,10 +46,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-9qj7-jvg4-qr2x",
-        "cvss": {
-          "score": 0,
-          "vectorString": null
-        },
         "cwes": []
       }
     }

diff --git a/tools/ghsa/testdata/npm_greater_than.osv.json b/tools/ghsa/testdata/npm_greater_than.osv.json
@@ -40,10 +40,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-mhpp-875w-9cpv",
-        "cvss": {
-          "score": 7.5,
-          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
-        },
         "cwes": [
           {
             "cweId": "CWE-400",

diff --git a/tools/ghsa/testdata/pypi_normalize.osv.json b/tools/ghsa/testdata/pypi_normalize.osv.json
@@ -44,10 +44,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-p44j-xrqg-4xrr",
-        "cvss": {
-          "score": 0,
-          "vectorString": null
-        },
         "cwes": [
           {
             "cweId": "CWE-601",

diff --git a/tools/ghsa/testdata/withdrawn.osv.json b/tools/ghsa/testdata/withdrawn.osv.json
@@ -53,10 +53,6 @@
       "versions": [],
       "database_specific": {
         "ghsa": "https://github.com/advisories/GHSA-35c4-f3rq-f9g3",
-        "cvss": {
-          "score": 0,
-          "vectorString": null
-        },
         "cwes": []
       }
     }