feat(nvd): support CVSS v4.0 (#393)

db/rdb.go

@@ -150,6 +150,7 @@ func (r *RDBDriver) MigrateDB() error {
 		&models.NvdDescription{},
 		&models.NvdCvss2Extra{},
 		&models.NvdCvss3{},
+		&models.NvdCvss40{},
 		&models.NvdCwe{},
 		&models.NvdCpe{},
 		&models.NvdEnvCpe{},
@@ -302,6 +303,7 @@ func (r *RDBDriver) Get(cveID string) (*models.CveDetail, error) {
 		Preload("Descriptions").
 		Preload("Cvss2").
 		Preload("Cvss3").
+		Preload("Cvss40").
 		Preload("Cwes").
 		Preload("Cpes").
 		Preload("References").
@@ -718,7 +720,7 @@ func (r *RDBDriver) InsertNvd(years []string) (err error) {
 }
 
 func deleteNvd(tx *gorm.DB) error {
-	for _, table := range []interface{}{models.Nvd{}, models.NvdDescription{}, models.NvdCvss2Extra{}, models.NvdCvss3{}, models.NvdCwe{}, models.NvdCpe{}, models.NvdEnvCpe{}, models.NvdReference{}, models.NvdCert{}} {
+	for _, table := range []interface{}{models.Nvd{}, models.NvdDescription{}, models.NvdCvss2Extra{}, models.NvdCvss3{}, models.NvdCvss40{}, models.NvdCwe{}, models.NvdCpe{}, models.NvdEnvCpe{}, models.NvdReference{}, models.NvdCert{}} {
 		if err := tx.Session(&gorm.Session{AllowGlobalUpdate: true}).Delete(table).Error; err != nil {
 			return xerrors.Errorf("Failed to delete old records. err: %w", err)
 		}

fetcher/nvd/nvd.go

@@ -373,6 +373,22 @@ func convertToModel(cvePath string) (*models.Nvd, error) {
 			},
 		})
 	}
+	c40 := make([]models.NvdCvss40, 0, len(item.Metrics.CVSSMetricV40))
+	for _, v40 := range item.Metrics.CVSSMetricV40 {
+		c40 = append(c40, models.NvdCvss40{
+			Source: v40.Source,
+			Type:   v40.Type,
+			Cvss40: models.Cvss40{
+				VectorString:          v40.CVSSData.VectorString,
+				BaseScore:             v40.CVSSData.BaseScore,
+				BaseSeverity:          v40.CVSSData.BaseSeverity,
+				ThreatScore:           v40.CVSSData.ThreatScore,
+				ThreatSeverity:        v40.CVSSData.ThreatSeverity,
+				EnvironmentalScore:    v40.CVSSData.EnvironmentalScore,
+				EnvironmentalSeverity: v40.CVSSData.EnvironmentalSeverity,
+			},
+		})
+	}
 
 	publish, err := parseNvdTime(item.Published)
 	if err != nil {
@@ -388,6 +404,7 @@ func convertToModel(cvePath string) (*models.Nvd, error) {
 		Descriptions:     descs,
 		Cvss2:            c2,
 		Cvss3:            c3,
+		Cvss40:           c40,
 		Cwes:             cwes,
 		Cpes:             cpes,
 		References:       refs,

fetcher/nvd/types.go

@@ -133,6 +133,52 @@ type cve struct {
 			ExploitabilityScore *float64 `json:"exploitabilityScore,omitempty"`
 			ImpactScore         *float64 `json:"impactScore,omitempty"`
 		} `json:"cvssMetricV31,omitempty"`
+		CVSSMetricV40 []struct {
+			Source   string `json:"source"`
+			Type     string `json:"type"`
+			CVSSData struct {
+				Version                                 string   `json:"version"`
+				VectorString                            string   `json:"vectorString"`
+				BaseScore                               float64  `json:"baseScore"`
+				BaseSeverity                            string   `json:"baseSeverity"`
+				AttackVector                            *string  `json:"attackVector,omitempty"`
+				AttackComplexity                        *string  `json:"attackComplexity,omitempty"`
+				AttackRequirements                      *string  `json:"attackRequirements,omitempty"`
+				PrivilegesRequired                      *string  `json:"privilegesRequired,omitempty"`
+				UserInteraction                         *string  `json:"userInteraction,omitempty"`
+				VulnerableSystemConfidentiality         *string  `json:"vulnerableSystemConfidentiality,omitempty"` // schema property: vulnConfidentialityImpact
+				VulnerableSystemIntegrity               *string  `json:"vulnerableSystemIntegrity,omitempty"`       // schema property: vulnIntegrityImpact
+				VulnerableSystemAvailability            *string  `json:"vulnerableSystemAvailability,omitempty"`    // schema property: vulnAvailabilityImpact
+				SubsequentSystemConfidentiality         *string  `json:"subsequentSystemConfidentiality,omitempty"` // schema property: subConfidentialityImpact
+				SubsequentSystemIntegrity               *string  `json:"subsequentSystemIntegrity,omitempty"`       // schema property: subIntegrityImpact
+				SubsequentSystemAvailability            *string  `json:"subsequentSystemAvailability,omitempty"`    // schema property: subAvailabilityImpact
+				ExploitMaturity                         *string  `json:"exploitMaturity,omitempty"`
+				ConfidentialityRequirement              *string  `json:"confidentialityRequirements,omitempty"`
+				IntegrityRequirement                    *string  `json:"integrityRequirements,omitempty"`
+				AvailabilityRequirement                 *string  `json:"availabilityRequirements,omitempty"`
+				ModifiedAttackVector                    *string  `json:"modifiedAttackVector,omitempty"`
+				ModifiedAttackComplexity                *string  `json:"modifiedAttackComplexity,omitempty"`
+				ModifiedAttackRequirements              *string  `json:"modifiedAttackRequirements,omitempty"`
+				ModifiedPrivilegesRequired              *string  `json:"modifiedPrivilegesRequired,omitempty"`
+				ModifiedUserInteraction                 *string  `json:"modifiedUserInteraction,omitempty"`
+				ModifiedVulnerableSystemConfidentiality *string  `json:"modifiedVulnerableSystemConfidentiality,omitempty"` // schema property: modifiedVulnConfidentialityImpact
+				ModifiedVulnerableSystemIntegrity       *string  `json:"modifiedVulnerableSystemIntegrity,omitempty"`       // schema property: modifiedVulnIntegrityImpact
+				ModifiedVulnerableSystemAvailability    *string  `json:"modifiedVulnerableSystemAvailability,omitempty"`    // schema property: modifiedVulnAvailabilityImpact
+				ModifiedSubsequentSystemConfidentiality *string  `json:"modifiedSubsequentSystemConfidentiality,omitempty"` // schema property: modifiedSubConfidentialityImpact
+				ModifiedSubsequentSystemIntegrity       *string  `json:"modifiedSubsequentSystemIntegrity,omitempty"`       // schema property: modifiedSubIntegrityImpact
+				ModifiedSubsequentSystemAvailability    *string  `json:"modifiedSubsequentSystemAvailability,omitempty"`    // schema property: modifiedSubAvailabilityImpact
+				Safety                                  *string  `json:"safety,omitempty"`                                  // schema property: Safety
+				Automatable                             *string  `json:"automatable,omitempty"`                             // schema property: Automatable
+				ProviderUrgency                         *string  `json:"providerUrgency,omitempty"`
+				Recovery                                *string  `json:"recovery,omitempty"` // schema property: Recovery
+				ValueDensity                            *string  `json:"valueDensity,omitempty"`
+				VulnerabilityResponseEffort             *string  `json:"vulnerabilityResponseEffort,omitempty"`
+				ThreatScore                             *float64 `json:"threatScore,omitempty"`
+				ThreatSeverity                          *string  `json:"threatSeverity,omitempty"`
+				EnvironmentalScore                      *float64 `json:"environmentalScore,omitempty"`
+				EnvironmentalSeverity                   *string  `json:"environmentalSeverity,omitempty"`
+			} `json:"cvssData"`
+		} `json:"cvssMetricV40,omitempty"`
 	} `json:"metrics,omitempty"`
 	Weaknesses []struct {
 		Source      string `json:"source"`

models/models.go

@@ -176,6 +176,7 @@ type Nvd struct {
 	Descriptions     []NvdDescription
 	Cvss2            []NvdCvss2Extra
 	Cvss3            []NvdCvss3
+	Cvss40           []NvdCvss40
 	Cwes             []NvdCwe
 	Cpes             []NvdCpe
 	References       []NvdReference
@@ -218,6 +219,15 @@ type NvdCvss3 struct {
 	Cvss3  `gorm:"embedded"`
 }
 
+// NvdCvss40 has Nvd CVSS40 info
+type NvdCvss40 struct {
+	ID     int64  `json:"-"`
+	NvdID  uint   `json:"-" gorm:"index:idx_nvd_cvss40_nvd_id"`
+	Source string `gorm:"type:text"`
+	Type   string `gorm:"type:varchar(255)"`
+	Cvss40 `gorm:"embedded"`
+}
+
 // NvdCwe has CweID
 type NvdCwe struct {
 	ID     int64  `json:"-"`