feat(detector): enrich MITRE CVE v5 via vuls2#2586
Merged
Conversation
MaineK00n
force-pushed
the
MaineK00n/enrich-mitre-cve-v5
branch
2 times, most recently
from
96bb598 to
adac705
Compare
MaineK00n
changed the title
MaineK00n
added a commit
to vulsio/vuls-data-db
that referenced
this pull request
Jun 24, 2026
Uncomment vuls-data-extracted-mitre-cve-v5 in db-main.mk so MITRE CVE v5 is included in the main DB build. This backs the vuls MITRE enrich support (future-architect/vuls#2586). Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MaineK00n
force-pushed
the
MaineK00n/enrich-mitre-cve-v5
branch
5 times, most recently
from
770a8c9 to
7f9fc92
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Migrate MITRE CVE v5 enrichment off go-cve-dictionary and into the vuls2 enrich pipeline, enabling per-CNA/ADP source CveContent entries (including SSVC) sourced from the vuls2 DB.
Changes:
- Add
mitre-cve-v5to the vuls2 enrich datasource filter and implement MITRE v5 enrichment mapping (incl. SSVC + per-source splitting). - Remove the legacy go-cve-dictionary MITRE conversion path.
- Bump
vuls-data-update/vuls2deps and add/update enrich fixtures + tests for MITRE v5 and datasource filtering.
Reviewed changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| models/utils.go | Removes legacy go-cve-dictionary MITRE→model conversion helper. |
| detector/detector.go | Stops filling MITRE CveContents from go-cve-dictionary in FillCvesWithGoCVEDictionary. |
| detector/vuls2/vuls2.go | Adds sourceTypes.MitreCVEV5 to vuls2 enrich datasource filter. |
| detector/vuls2/vendor.go | Adds MITRE v5 enrichment (enrichMitreCVE), SSVC mapping, and MITRE source link handling. |
| detector/vuls2/vuls2_test.go | Adds a positive MITRE v5 enrich test and makes comparisons order-insensitive for multi-entry contents. |
| detector/vuls2/testdata/fixtures/enrich/nvd-api-cve/datasource.json | New fixture datasource for “not in enrich filter” coverage. |
| detector/vuls2/testdata/fixtures/enrich/nvd-api-cve/data/CVE-2020-0001.json | New fixture CVE payload for “not in enrich filter” coverage. |
| detector/vuls2/testdata/fixtures/enrich/mitre-cve-v5/data/CVE-2024-1102.json | Removes prior “filtered out” MITRE fixture now that MITRE is enabled. |
| detector/vuls2/testdata/fixtures/enrich/mitre-cve-v5/data/CVE-2023-44487.json | Updates MITRE fixture to include SSVC + container role metadata. |
| go.mod | Bumps vuls-data-update and vuls2 versions. |
| go.sum | Updates module sums for the bumped dependencies. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
MaineK00n
force-pushed
the
MaineK00n/enrich-mitre-cve-v5
branch
from
7f9fc92 to
942cb3b
Compare
Add MITRE CVE v5 (mitre-cve-v5) as a vuls2 enrich data source and remove the MITRE path from FillCvesWithGoCVEDictionary so MITRE CveContent is now sourced from the vuls2 DB. This mirrors the NVD migration in #2575. MITRE content is emitted one entry per CNA/ADP source (rendered as mitre(<source>)) so each source's CVSS, CWE, references, and SSVC decision point are reported separately. - bump vuls-data-update to the revision adding the SSVC content field (#862). - vuls2.go: add sourceTypes.MitreCVEV5 to the enrich DataSources filter. - vendor.go: add enrichMitreCVE (source-split, with SSVC via mitreSSVC) and a Mitre case in cveContentSourceLink. - detector.go / models/utils.go: drop ConvertMitreToModel and its usage. - testdata: add a positive mitre-cve-v5 enrich test (CVE-2023-44487, with a CISA-ADP SSVC); move the "datasource not in filter" case to nvd-api-cve. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
MaineK00n
force-pushed
the
MaineK00n/enrich-mitre-cve-v5
branch
from
942cb3b to
a993991
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What did you implement:
Add MITRE CVE v5 (
mitre-cve-v5) as a vuls2 enrich data source and remove the MITRE path from go-cve-dictionary. MITRECveContentis now sourced from the vuls2 DB via the enrich pipeline rather thanFillCvesWithGoCVEDictionary.This mirrors the NVD migration in #2575 (
feat!(detector): route NVD to vuls2).Motivation
We are progressively moving CVE enrichment off go-cve-dictionary and onto vuls2's enrich pipeline (KEV, exploits, RedHat CVE, NVD, ENISA EUVD, …). MITRE CVE v5 is the next source to migrate.
Changes
vuls-data-updateto the revision that adds theSSVCcontent field (feat(extract/mitre/cve/v5): extract SSVC from CNA/ADP metrics MaineK00n/vuls-data-update#862).vuls2is kept at master's pinned version (Go MVS links the single newervuls-data-updateacross the build).detector/vuls2/vuls2.go: addsourceTypes.MitreCVEV5to the enrichDataSourcesfilter.detector/vuls2/vendor.go: addenrichMitreCVEand aMitrecase incveContentSourceLink. MITRE content is emitted one entry per CNA/ADP source (rendered asmitre(<source>)) so each source's CVSS, CWE, references, and SSVC decision point are reported separately. SSVC options (Exploitation/Automatable/Technical Impact) are mapped tomodels.SSVCviamitreSSVC.detector/detector.go/models/utils.go: dropConvertMitreToModeland its use inFillCvesWithGoCVEDictionary.mitre-cve-v5enrich test (CVE-2023-44487, including aCISA-ADPSSVC entry); move the "datasource not in filter" case to a newnvd-api-cvefixture.Notes
mitre-cve-v5data extracted with vuls-data-update#862 (db pipeline: ci(db): enable mitre-cve-v5 in db-main vulsio/vuls-data-db#177).Fixes # (issue)
Type of change
How Has This Been Tested?
go build ./...go vet ./detector/... ./models/...make fmt(gofmt clean on touched files)go test ./detector/... ./models/...— all pass, including themitre-cve-v5Test_enrichcase (asserts source-split contents + SSVC).Checklist:
make fmtmake testIs this ready for review?: NO
🤖 Generated with Claude Code