vulnerability: Add CVSS Vectors to JSON output.

go.mod

@@ -5,7 +5,7 @@ go 1.13
 require (
 	github.com/aquasecurity/fanal v0.0.0-20200504143803-30a561989059
 	github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b
-	github.com/aquasecurity/trivy-db v0.0.0-20200430091154-7c0a6e1ad398
+	github.com/aquasecurity/trivy-db v0.0.0-20200430232549-8078bee954c5
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3

go.sum

@@ -48,8 +48,8 @@ github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b h1:55Ul
 github.com/aquasecurity/go-dep-parser v0.0.0-20190819075924-ea223f0ef24b/go.mod h1:BpNTD9vHfrejKsED9rx04ldM1WIbeyXGYxUrqTVwxVQ=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a h1:hsw7PpiymXP64evn/K7gsj3hWzMqLrdoeE6JkqDocVg=
 github.com/aquasecurity/testdocker v0.0.0-20200426142840-5f05bce6f12a/go.mod h1:psfu0MVaiTDLpNxCoNsTeILSKY2EICBwv345f3M+Ffs=
-github.com/aquasecurity/trivy-db v0.0.0-20200430091154-7c0a6e1ad398 h1:+13ICJ+UlP/1aHZixBv1EdhS+4kTdY0ASJOktnCUOfI=
-github.com/aquasecurity/trivy-db v0.0.0-20200430091154-7c0a6e1ad398/go.mod h1:8mrJtzlmPGWO1uVwPurDrybthyA/eZ7voMO9b54rdRw=
+github.com/aquasecurity/trivy-db v0.0.0-20200430232549-8078bee954c5 h1:wrOLskC6y+fr8nOeotV6tr5U1WP7gK/Kp5KRZ+OnsFc=
+github.com/aquasecurity/trivy-db v0.0.0-20200430232549-8078bee954c5/go.mod h1:ymdX+3QnN/A0EcduWNMMxkWsESHxCig9VIcqaTDAo6I=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2 h1:xbdUfr2KE4THsFx9CFWtWpU91lF+YhgP46moV94nYTA=
 github.com/aquasecurity/vuln-list-update v0.0.0-20191016075347-3d158c2bf9a2/go.mod h1:6NhOP0CjZJL27bZZcaHECtzWdwDDm2g6yCY0QgXEGQQ=
 github.com/araddon/dateparse v0.0.0-20190426192744-0d74ffceef83/go.mod h1:SLqhdZcd+dF3TEVL2RMoob5bBP5R1P1qkox+HtCBgGI=
@@ -141,6 +141,8 @@ github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/etcd-io/bbolt v1.3.3 h1:gSJmxrs37LgTqR/oyJBWok6k6SvXEUerFTbltIhXkBM=
+github.com/etcd-io/bbolt v1.3.3/go.mod h1:ZF2nL25h33cCyBtcyWeZ2/I3HQOfTP+0PIEvHjkjCrw=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/fatih/color v1.7.0 h1:DkWD4oS2D8LGGgTQ6IvwJJXSL5Vp2ffcQg58nFV38Ys=
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=

pkg/vulnerability/vulnerability_test.go

@@ -60,7 +60,7 @@ func TestClient_FillInfo(t *testing.T) {
 				vulns: []types.DetectedVulnerability{
 					{VulnerabilityID: "CVE-2019-0001"},
 				},
-				reportType: vulnerability.Ubuntu,
+				reportType: vulnerability.RedHat,
 			},
 			expectedVulnerabilities: []types.DetectedVulnerability{
 				{
@@ -146,7 +146,7 @@ func TestClient_FillInfo(t *testing.T) {
 			},
 		},
 		{
-			name: "happy path, with only OS vulnerability, yes vendor severity",
+			name: "happy path, with only OS vulnerability, yes vendor severity, with both NVD and vendor vectors",
 			getVulnerability: []db.GetVulnerabilityExpectation{
 				{
 					Args: db.GetVulnerabilityArgs{
@@ -160,6 +160,16 @@ func TestClient_FillInfo(t *testing.T) {
 							VendorSeverity: dbTypes.VendorSeverity{
 								vulnerability.RedHat: dbTypes.SeverityLow, // CentOS uses RedHat
 							},
+							VendorVectors: map[string]dbTypes.CVSSVector{
+								vulnerability.Nvd: map[string]string{
+									"v2": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+									"v3": "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								},
+								vulnerability.RedHat: map[string]string{
+									"v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+									"v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+								},
+							},
 							References: []string{"http://example.com"},
 						},
 					},
@@ -179,6 +189,16 @@ func TestClient_FillInfo(t *testing.T) {
 						Description: "dos vulnerability",
 						Severity:    dbTypes.SeverityLow.String(),
 						References:  []string{"http://example.com"},
+						VendorVectors: map[string]dbTypes.CVSSVector{
+							vulnerability.Nvd: map[string]string{
+								"v2": "(AV:N/AC:L/Au:N/C:P/I:P/A:P)",
+								"v3": "CVSS:3.0/PR:N/UI:N/S:U/C:H/I:H/A:H",
+							},
+							vulnerability.RedHat: map[string]string{
+								"v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
+								"v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+							},
+						},
 					},
 					SeveritySource: vulnerability.RedHat,
 				},