stackrox
diff --git a/‎api/v1/models.go‎
Lines changed: 1 addition & 1 deletion b/‎api/v1/models.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎api/v1/nodescan/service.go‎
Lines changed: 7 additions & 7 deletions b/‎api/v1/nodescan/service.go‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎api/v1/severity.go‎
Lines changed: 31 additions & 0 deletions b/‎api/v1/severity.go‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎cmd/updater/diffdumps/cmd.go‎
Lines changed: 9 additions & 2 deletions b/‎cmd/updater/diffdumps/cmd.go‎
Lines changed: 9 additions & 2 deletions
diff --git a/‎cpe/cpe_test.go‎
Lines changed: 1 addition & 1 deletion b/‎cpe/cpe_test.go‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎e2etests/node_scan_test.go‎
Lines changed: 20 additions & 0 deletions b/‎e2etests/node_scan_test.go‎
Lines changed: 20 additions & 0 deletions
@@ -146,7 +146,7 @@ func VulnerabilityFromDatabaseModel(dbVuln database.Vulnerability) Vulnerability
 		NamespaceName: dbVuln.Namespace.Name,
 		Description:   dbVuln.Description,
 		Link:          dbVuln.Link,
-		Severity:      string(dbVuln.Severity),
+		Severity:      string(databaseVulnToSeverity(dbVuln)),
 		Metadata:      dbVuln.Metadata,
 	}
 	if dbVuln.FixedBy != versionfmt.MaxVersion {
 
@@ -89,7 +89,7 @@ func featureVersionToKernelComponent(fv database.FeatureVersion) *v1.GetNodeVuln
 	}
 }
 
-func (s *serviceImpl) evaluateLinuxKernelVulns(req *v1.GetNodeVulnerabilitiesRequest) ([]*v1.Vulnerability, *v1.GetNodeVulnerabilitiesResponse_KernelComponent, error) {
+func (s *serviceImpl) evaluateLinuxKernelVulns(req *v1.GetNodeVulnerabilitiesRequest) (string, []*v1.Vulnerability, *v1.GetNodeVulnerabilitiesResponse_KernelComponent, error) {
 	osImage := strings.ToLower(req.GetOsImage())
 
 	var match *kernelparser.ParseMatch
@@ -98,14 +98,14 @@ func (s *serviceImpl) evaluateLinuxKernelVulns(req *v1.GetNodeVulnerabilitiesReq
 		var err error
 		match, ok, err = parser(s.db, req.GetKernelVersion(), osImage)
 		if err != nil {
-			return nil, nil, err
+			return "", nil, nil, err
 		}
 		if !ok {
 			continue
 		}
 		if match == nil {
 			log.Debugf("%s %s matched %s, but no match found", osImage, req.GetKernelVersion(), name)
-			return nil, nil, nil
+			return "", nil, nil, nil
 		}
 		break
 	}
@@ -114,7 +114,7 @@ func (s *serviceImpl) evaluateLinuxKernelVulns(req *v1.GetNodeVulnerabilitiesReq
 		// Did not find relevant OS-specific kernel parser.
 		// Defaulting to general kernel vulns from NVD.
 		vulns, err := s.getNVDVulns("linux", "linux_kernel", req.GetKernelVersion())
-		return vulns, &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
+		return "", vulns, &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 			Name:    "kernel",
 			Version: req.GetKernelVersion(),
 		}, err
@@ -133,7 +133,7 @@ func (s *serviceImpl) evaluateLinuxKernelVulns(req *v1.GetNodeVulnerabilitiesReq
 
 	databaseVulns, err := s.db.GetVulnerabilitiesForFeatureVersion(fv)
 	if err != nil {
-		return nil, nil, err
+		return match.Namespace, nil, nil, err
 	}
 
 	vulns := make([]*v1.Vulnerability, 0, len(databaseVulns))
@@ -159,7 +159,7 @@ func (s *serviceImpl) evaluateLinuxKernelVulns(req *v1.GetNodeVulnerabilitiesReq
 		return vulns[i].Name < vulns[j].Name
 	})
 
-	return filterInvalidVulns(vulns), featureVersionToKernelComponent(fv), nil
+	return match.Namespace, filterInvalidVulns(vulns), featureVersionToKernelComponent(fv), nil
 }
 
 func (s *serviceImpl) getKubernetesVuln(name, version string) ([]*v1.Vulnerability, error) {
@@ -215,7 +215,7 @@ func (s *serviceImpl) GetNodeVulnerabilities(_ context.Context, req *v1.GetNodeV
 	var err error
 	var resp v1.GetNodeVulnerabilitiesResponse
 
-	resp.KernelVulnerabilities, resp.KernelComponent, err = s.evaluateLinuxKernelVulns(req)
+	resp.OperatingSystem, resp.KernelVulnerabilities, resp.KernelComponent, err = s.evaluateLinuxKernelVulns(req)
 	if err != nil {
 		return nil, status.Error(codes.Internal, err.Error())
 	}
 
@@ -0,0 +1,31 @@
+package v1
+
+import "github.com/stackrox/scanner/database"
+
+// Severity is the uniform severity returned through the API
+type Severity string
+
+// Severity settings for vulnerabilities
+const (
+	UnknownSeverity   Severity = "Unknown"
+	LowSeverity       Severity = "Low"
+	ModerateSeverity  Severity = "Moderate"
+	ImportantSeverity Severity = "Important"
+	CriticalSeverity  Severity = "Critical"
+)
+
+func databaseVulnToSeverity(dbVuln database.Vulnerability) Severity {
+	switch dbVuln.Severity {
+	case database.UnknownSeverity:
+		return UnknownSeverity
+	case database.NegligibleSeverity, database.LowSeverity:
+		return LowSeverity
+	case database.MediumSeverity:
+		return ModerateSeverity
+	case database.HighSeverity:
+		return ImportantSeverity
+	case database.CriticalSeverity, database.Defcon1Severity:
+		return CriticalSeverity
+	}
+	return LowSeverity
+}
@@ -187,9 +187,15 @@ func sortFeatureVersionSlice(slice []database.FeatureVersion) {
 	})
 }
 
-func vulnsAreEqual(v1, v2 database.Vulnerability) bool {
+func vulnsAreEqual(v1, v2 database.Vulnerability, skipSeverityComparison bool) bool {
 	sortFeatureVersionSlice(v1.FixedIn)
 	sortFeatureVersionSlice(v2.FixedIn)
+
+	if skipSeverityComparison {
+		// It is fine to set this to unknown w/o side effects because the vulns are passed by value and not reference
+		v1.Severity = database.UnknownSeverity
+		v2.Severity = database.UnknownSeverity
+	}
 	return reflect.DeepEqual(v1, v2)
 }
 
@@ -263,7 +269,7 @@ func generateOSVulnsDiff(outputDir string, baseZipR *zip.ReadCloser, headZipR *z
 		matchingBaseVuln, found := baseVulnsMap[key]
 		// If the vuln was in the base, and equal to what was in the base,
 		// skip it. Else, add.
-		if !(found && vulnsAreEqual(matchingBaseVuln, headVuln)) {
+		if !(found && vulnsAreEqual(matchingBaseVuln, headVuln, cfg.SkipSeverityComparison)) {
 			filtered = append(filtered, headVuln)
 		}
 	}
@@ -287,6 +293,7 @@ type config struct {
 	SkipFixableCentOSVulns     bool `json:"skipFixableCentOSVulns"`
 	IgnoreKubernetesVulns      bool `json:"ignoreKubernetesVulns"`
 	SkipUbuntuLinuxKernelVulns bool `json:"skipUbuntuLinuxKernelVulns"`
+	SkipSeverityComparison     bool `json:"skipSeverityComparison"`
 }
 
 func Command() *cobra.Command {
 
@@ -186,7 +186,7 @@ func newDatabaseVuln(id string) database.Vulnerability {
 	return database.Vulnerability{
 		Name:     id,
 		Link:     fmt.Sprintf("https://nvd.nist.gov/vuln/detail/%s", id),
-		Severity: "",
+		Severity: database.UnknownSeverity,
 		Metadata: map[string]interface{}{
 			"NVD": &types.Metadata{},
 		},
 
@@ -230,6 +230,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 		osImage       string
 		kernelVersion string
 
+		expectedOS              string
 		expectedKernelComponent *v1.GetNodeVulnerabilitiesResponse_KernelComponent
 		expectedCVEs            []expectedCVE
 		unexpectedCVEs          []string
@@ -239,6 +240,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Ubuntu 20.04.1 LTS",
 			kernelVersion: "5.4.0-51",
 
+			expectedOS: "ubuntu:20.04",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux",
 				Version: "5.4.0-51",
@@ -254,6 +256,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Ubuntu 16.04.7 LTS",
 			kernelVersion: "4.15.0-1050-gcp",
 
+			expectedOS: "ubuntu:16.04",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux-gcp",
 				Version: "4.15.0-1050",
@@ -273,6 +276,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Ubuntu 16.04.7 LTS",
 			kernelVersion: "4.2.0-1119-aws",
 
+			expectedOS: "ubuntu:16.04",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux-aws",
 				Version: "4.2.0-1119",
@@ -291,6 +295,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Ubuntu 18.04.5 LTS",
 			kernelVersion: "4.15.0-1050-aws",
 
+			expectedOS: "ubuntu:18.04",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux-aws",
 				Version: "4.15.0-1050",
@@ -311,6 +316,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Ubuntu 18.04.5 LTS",
 			kernelVersion: "5.3.0-1019-gke",
 
+			expectedOS: "ubuntu:18.04",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux-gke-5.3",
 				Version: "5.3.0-1019",
@@ -331,6 +337,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Debian GNU/Linux 9 (stretch)",
 			kernelVersion: "4.9.0-11-amd64",
 
+			expectedOS: "debian:9",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux",
 				Version: "4.9.0-11-amd64",
@@ -351,6 +358,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "OpenShift Enterprise",
 			kernelVersion: "3.10.0-1127.el7.x86_64",
 
+			expectedOS: "centos:7",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "kernel",
 				Version: "3.10.0-1127.el7.x86_64",
@@ -365,6 +373,8 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 		{
 			osImage:       "Red Hat Enterprise Linux Server 7.8 (Maipo)",
 			kernelVersion: "3.10.0-1127.19.1.el7.x86_64",
+
+			expectedOS: "centos:7",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "kernel",
 				Version: "3.10.0-1127.19.1.el7.x86_64",
@@ -379,6 +389,8 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 		{
 			osImage:       "CentOS Linux 7 (Core)",
 			kernelVersion: "3.10.0-957.12.2.el7.x86_64",
+
+			expectedOS: "centos:7",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "kernel",
 				Version: "3.10.0-957.12.2.el7.x86_64",
@@ -393,6 +405,8 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 		{
 			osImage:       "Red Hat Enterprise Linux CoreOS 45.82.202008101249-0 (Ootpa)",
 			kernelVersion: "4.18.0-193.14.3.el8_2.x86_64",
+
+			expectedOS: "centos:8",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "kernel",
 				Version: "4.18.0-193.14.3.el8_2.x86_64",
@@ -409,6 +423,8 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 		{
 			osImage:       "Amazon Linux 2",
 			kernelVersion: "4.14.177-139.253.amzn2.x86_64",
+
+			expectedOS: "amzn:2",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "kernel",
 				Version: "4.14.177-139.253.amzn2.x86_64",
@@ -427,6 +443,8 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 		{
 			osImage:       "Docker Desktop",
 			kernelVersion: "5.4.39-linuxkit",
+
+			expectedOS: "",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "kernel",
 				Version: "5.4.39-linuxkit",
@@ -443,6 +461,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			osImage:       "Garden Linux 184.0",
 			kernelVersion: "5.4.0-5-cloud-amd64",
 
+			expectedOS: "debian:11",
 			expectedKernelComponent: &v1.GetNodeVulnerabilitiesResponse_KernelComponent{
 				Name:    "linux",
 				Version: "5.4.0-5-cloud-amd64",
@@ -468,6 +487,7 @@ func TestNodeKernelVulnerabilities(t *testing.T) {
 			})
 			require.NoError(t, err)
 
+			assert.Equal(t, c.expectedOS, resp.GetOperatingSystem())
 			assert.Equal(t, c.expectedKernelComponent, resp.KernelComponent)
 
 			if len(resp.GetKernelVulnerabilities()) < len(c.expectedCVEs) {
Original file line number	Diff line number	Diff line change
`@@ -146,7 +146,7 @@ func VulnerabilityFromDatabaseModel(dbVuln database.Vulnerability) Vulnerability`
`146`	`146`	`NamespaceName: dbVuln.Namespace.Name,`
`147`	`147`	`Description: dbVuln.Description,`
`148`	`148`	`Link: dbVuln.Link,`
`149`		`- Severity: string(dbVuln.Severity),`
	`149`	`+ Severity: string(databaseVulnToSeverity(dbVuln)),`
`150`	`150`	`Metadata: dbVuln.Metadata,`
`151`	`151`	`}`
`152`	`152`	`if dbVuln.FixedBy != versionfmt.MaxVersion {`
Original file line number	Diff line number	Diff line change
`@@ -187,9 +187,15 @@ func sortFeatureVersionSlice(slice []database.FeatureVersion) {`
`187`	`187`	`})`
`188`	`188`	`}`
`189`	`189`
`190`		`-func vulnsAreEqual(v1, v2 database.Vulnerability) bool {`
	`190`	`+func vulnsAreEqual(v1, v2 database.Vulnerability, skipSeverityComparison bool) bool {`
`191`	`191`	`sortFeatureVersionSlice(v1.FixedIn)`
`192`	`192`	`sortFeatureVersionSlice(v2.FixedIn)`
	`193`	`+`
	`194`	`+ if skipSeverityComparison {`
	`195`	`+ // It is fine to set this to unknown w/o side effects because the vulns are passed by value and not reference`
	`196`	`+ v1.Severity = database.UnknownSeverity`
	`197`	`+ v2.Severity = database.UnknownSeverity`
	`198`	`+ }`
`193`	`199`	`return reflect.DeepEqual(v1, v2)`
`194`	`200`	`}`
`195`	`201`
`@@ -263,7 +269,7 @@ func generateOSVulnsDiff(outputDir string, baseZipR zip.ReadCloser, headZipR z`
`263`	`269`	`matchingBaseVuln, found := baseVulnsMap[key]`
`264`	`270`	`// If the vuln was in the base, and equal to what was in the base,`
`265`	`271`	`// skip it. Else, add.`
`266`		`- if !(found && vulnsAreEqual(matchingBaseVuln, headVuln)) {`
	`272`	`+ if !(found && vulnsAreEqual(matchingBaseVuln, headVuln, cfg.SkipSeverityComparison)) {`
`267`	`273`	`filtered = append(filtered, headVuln)`
`268`	`274`	`}`
`269`	`275`	`}`
`@@ -287,6 +293,7 @@ type config struct {`
`287`	`293`	SkipFixableCentOSVulns bool `json:"skipFixableCentOSVulns"`
`288`	`294`	IgnoreKubernetesVulns bool `json:"ignoreKubernetesVulns"`
`289`	`295`	SkipUbuntuLinuxKernelVulns bool `json:"skipUbuntuLinuxKernelVulns"`
	`296`	+ SkipSeverityComparison bool `json:"skipSeverityComparison"`
`290`	`297`	`}`
`291`	`298`
`292`	`299`	`func Command() *cobra.Command {`