Merge pull request #324 from nicholasks/feature/premium-insecure-db

Provide CVSS information when available.

Author: rafaelpivato

HISTORY.rst

@@ -2,7 +2,12 @@
 History
 =======
 
-1.10.1 (2020-12-03)
+1.10.2 (master)
+-------------------
+
+* Provide CVSS scores on full report, when available
+
+1.10.1 (2021-01-03)
 -------------------
 
 * Reduced Docker image and Binary size

README.md

@@ -250,7 +250,7 @@ ___
 
 ### `--full-report`
 
-*Full reports include a security advisory (if available).*
+*Full reports include a security advisory and CVSS scores (if available).*
 
 **Example**
 ```bash
@@ -277,6 +277,8 @@ safety check --full-report
 +============================+===========+==========================+==========+
 | package                    | installed | affected                 | ID       |
 +============================+===========+==========================+==========+
+| CVSS v2 | BASE SCORE: 6.5 | IMPACT SCORE: 6.4                                |
++============================+===========+==========================+==========+
 | django                     | 1.2       | <1.2.2                   | 25701    |
 +==============================================================================+
 | Cross-site scripting (XSS) vulnerability in Django 1.2.x before 1.2.2 allows |

safety/formatter.py

@@ -109,6 +109,32 @@ def render(vulns, full, checked_packages, used_db):
                 if full:
                     table.append(SheetReport.REPORT_SECTION)
 
+                    if vuln.cvssv2 is not None:
+                        base_score = vuln.cvssv2.get("base_score", "None")
+                        impact_score = vuln.cvssv2.get("impact_score", "None")
+
+                        table.append("| {:76} |".format(
+                            "CVSS v2 | BASE SCORE: {} | IMPACT SCORE: {}".format(
+                                base_score,
+                                impact_score,
+                            )
+                        ))
+                        table.append(SheetReport.REPORT_SECTION)
+
+                    if vuln.cvssv3 is not None:
+                        base_score = vuln.cvssv3.get("base_score", "None")
+                        impact_score = vuln.cvssv3.get("impact_score", "None")
+                        base_severity = vuln.cvssv3.get("base_severity", "None")
+
+                        table.append("| {:76} |".format(
+                            "CVSS v3 | BASE SCORE: {} | IMPACT SCORE: {} | BASE SEVERITY: {}".format(
+                                base_score,
+                                impact_score,
+                                base_severity,
+                            )
+                        ))
+                        table.append(SheetReport.REPORT_SECTION)
+
                     descr = get_advisory(vuln)
 
                     for pn, paragraph in enumerate(descr.replace('\r', '').split('\n\n')):
@@ -203,6 +229,26 @@ def render(vulns, full, checked_packages, used_db):
                     vuln.vuln_id
                 ))
                 if full:
+                    if vuln.cvssv2 is not None:
+                        base_score = vuln.cvssv2.get("base_score", "None")
+                        impact_score = vuln.cvssv2.get("impact_score", "None")
+
+                        table.append("CVSS v2 -- BASE SCORE: {}, IMPACT SCORE: {}".format(
+                            base_score,
+                            impact_score,
+                        ))
+
+                    if vuln.cvssv3 is not None:
+                        base_score = vuln.cvssv3.get("base_score", "None")
+                        impact_score = vuln.cvssv3.get("impact_score", "None")
+                        base_severity = vuln.cvssv3.get("base_severity", "None")
+
+                        table.append("CVSS v3 -- BASE SCORE: {}, IMPACT SCORE: {}, BASE SEVERITY: {}".format(
+                            base_score,
+                            impact_score,
+                            base_severity,
+                        ))
+
                     table.append(get_advisory(vuln))
                     table.append("--")
         else:

safety/safety.py

@@ -16,7 +16,7 @@
 
 
 class Vulnerability(namedtuple("Vulnerability",
-                               ["name", "spec", "version", "advisory", "vuln_id"])):
+                               ["name", "spec", "version", "advisory", "vuln_id", "cvssv2", "cvssv3"])):
     pass
 
 
@@ -157,14 +157,20 @@ def check(packages, key, db_mirror, cached, ignore_ids, proxy):
                         db_full = fetch_database(full=True, key=key, db=db_mirror, cached=cached, proxy=proxy)
                     for data in get_vulnerabilities(pkg=name, spec=specifier, db=db_full):
                         vuln_id = data.get("id").replace("pyup.io-", "")
+                        cve_id = data.get("cve")
+                        if cve_id:
+                            cve_id = cve_id.split(",")[0].strip()
                         if vuln_id and vuln_id not in ignore_ids:
+                            cve_meta = db_full.get("$meta", {}).get("cve", {}).get(cve_id, {})
                             vulnerable.append(
                                 Vulnerability(
                                     name=name,
                                     spec=specifier,
                                     version=pkg.version,
                                     advisory=data.get("advisory"),
-                                    vuln_id=vuln_id
+                                    vuln_id=vuln_id,
+                                    cvssv2=cve_meta.get("cvssv2", None),
+                                    cvssv3=cve_meta.get("cvssv3", None),
                                 )
                             )
     return vulnerable
@@ -179,6 +185,8 @@ def review(vulnerabilities):
             "version": vuln[2],
             "advisory": vuln[3],
             "vuln_id": vuln[4],
+            "cvssv2": None,
+            "cvssv3": None
         }
         vulnerable.append(
             Vulnerability(**current_vuln)

tests/test_safety.py

@@ -121,6 +121,8 @@ def test_full_report(self):
                          + ' blah' * 15 + '.\r\n\r\n'
                          + 'All users are urged to upgrade please.\r\n',
                 vuln_id=1234,
+                cvssv2=None,
+                cvssv3=None,
             ),
         ]
         full_report = formatter.SheetReport.render(