anchore
diff --git a/‎pkg/process/v6/transformers/nvd/affected_range.go‎
Lines changed: 2 additions & 0 deletions b/‎pkg/process/v6/transformers/nvd/affected_range.go‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎pkg/process/v6/transformers/nvd/affected_range_test.go‎
Lines changed: 57 additions & 0 deletions b/‎pkg/process/v6/transformers/nvd/affected_range_test.go‎
Lines changed: 57 additions & 0 deletions
diff --git a/‎pkg/process/v6/transformers/nvd/test-fixtures/fix-version.json‎
Lines changed: 170 additions & 0 deletions b/‎pkg/process/v6/transformers/nvd/test-fixtures/fix-version.json‎
Lines changed: 170 additions & 0 deletions
@@ -18,6 +18,7 @@ type affectedCPERange struct {
 	VersionStartExcluding string
 	VersionEndIncluding   string
 	VersionEndExcluding   string
+	FixInfo               *nvd.FixInfo
 }
 
 func newAffectedRanges(rs ...affectedCPERange) affectedRangeSet {
@@ -32,6 +33,7 @@ func newAffectedRange(match nvd.CpeMatch) affectedCPERange {
 		VersionStartExcluding: nonEmptyValue(match.VersionStartExcluding),
 		VersionEndIncluding:   nonEmptyValue(match.VersionEndIncluding),
 		VersionEndExcluding:   nonEmptyValue(match.VersionEndExcluding),
+		FixInfo:               match.Fix,
 	}
 }
 
 
@@ -4,6 +4,8 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+
+	"github.com/anchore/grype-db/pkg/provider/unmarshal/nvd"
 )
 
 func Test_AffectedCPERange_String(t *testing.T) {
@@ -124,3 +126,58 @@ func Test_AffectedCPERange_String(t *testing.T) {
 		})
 	}
 }
+
+func Test_newAffectedRange(t *testing.T) {
+	tests := []struct {
+		name     string
+		match    nvd.CpeMatch
+		expected affectedCPERange
+	}{
+		{
+			name: "basic range without fix info",
+			match: nvd.CpeMatch{
+				VersionStartIncluding: stringPtr("1.0"),
+				VersionEndExcluding:   stringPtr("2.0"),
+			},
+			expected: affectedCPERange{
+				VersionStartIncluding: "1.0",
+				VersionEndExcluding:   "2.0",
+				FixInfo:               nil,
+			},
+		},
+		{
+			name: "range with fix info",
+			match: nvd.CpeMatch{
+				VersionStartIncluding: stringPtr("1.0"),
+				VersionEndExcluding:   stringPtr("2.0"),
+				Fix: &nvd.FixInfo{
+					Version: "2.0",
+					Date:    "2023-06-15",
+					Kind:    "advisory",
+				},
+			},
+			expected: affectedCPERange{
+				VersionStartIncluding: "1.0",
+				VersionEndExcluding:   "2.0",
+				FixInfo: &nvd.FixInfo{
+					Version: "2.0",
+					Date:    "2023-06-15",
+					Kind:    "advisory",
+				},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			actual := newAffectedRange(tt.match)
+			if diff := cmp.Diff(tt.expected, actual); diff != "" {
+				t.Errorf("newAffectedRange() mismatch (-want +got):\n%s", diff)
+			}
+		})
+	}
+}
+
+func stringPtr(s string) *string {
+	return &s
+}
@@ -0,0 +1,170 @@
+{
+  "cve": {
+    "id": "CVE-2018-5487",
+    "sourceIdentifier": "security-alert@netapp.com",
+    "published": "2018-05-24T14:29:00.390",
+    "lastModified": "2018-07-05T13:52:30.627",
+    "vulnStatus": "Analyzed",
+    "descriptions": [
+      {
+        "lang": "en",
+        "value": "NetApp OnCommand Unified Manager for Linux versions 7.2 through 7.3 ship with the Java Management Extension Remote Method Invocation (JMX RMI) service bound to the network, and are susceptible to unauthenticated remote code execution."
+      },
+      {
+        "lang": "es",
+        "value": "NetApp OnCommand Unified Manager for Linux, de la versión 7.2 hasta la 7.3, se distribuye con el servicio Java Management Extension Remote Method Invocation (JMX RMI) enlazado a la red y es susceptible a la ejecución remota de código sin autenticación."
+      }
+    ],
+    "metrics": {
+      "cvssMetricV40": [
+        {
+          "source": "security@zabbix.com",
+          "type": "Secondary",
+          "cvssData": {
+            "version": "4.0",
+            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
+            "baseScore": 7.5,
+            "baseSeverity": "HIGH",
+            "attackVector": "NETWORK",
+            "attackComplexity": "HIGH",
+            "attackRequirements": "NONE",
+            "privilegesRequired": "NONE",
+            "userInteraction": "ACTIVE",
+            "vulnConfidentialityImpact": "HIGH",
+            "vulnIntegrityImpact": "HIGH",
+            "vulnAvailabilityImpact": "HIGH",
+            "subConfidentialityImpact": "NONE",
+            "subIntegrityImpact": "NONE",
+            "subAvailabilityImpact": "NONE",
+            "exploitMaturity": "NOT_DEFINED",
+            "confidentialityRequirement": "NOT_DEFINED",
+            "integrityRequirement": "NOT_DEFINED",
+            "availabilityRequirement": "NOT_DEFINED",
+            "modifiedAttackVector": "NOT_DEFINED",
+            "modifiedAttackComplexity": "NOT_DEFINED",
+            "modifiedAttackRequirements": "NOT_DEFINED",
+            "modifiedPrivilegesRequired": "NOT_DEFINED",
+            "modifiedUserInteraction": "NOT_DEFINED",
+            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
+            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
+            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
+            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
+            "modifiedSubIntegrityImpact": "NOT_DEFINED",
+            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
+            "Safety": "NOT_DEFINED",
+            "Automatable": "NOT_DEFINED",
+            "Recovery": "NOT_DEFINED",
+            "valueDensity": "NOT_DEFINED",
+            "vulnerabilityResponseEffort": "NOT_DEFINED",
+            "providerUrgency": "NOT_DEFINED"
+          }
+        }
+      ],
+      "cvssMetricV30": [
+        {
+          "source": "nvd@nist.gov",
+          "type": "Primary",
+          "cvssData": {
+            "version": "3.0",
+            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+            "attackVector": "NETWORK",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "NONE",
+            "userInteraction": "NONE",
+            "scope": "UNCHANGED",
+            "confidentialityImpact": "HIGH",
+            "integrityImpact": "HIGH",
+            "availabilityImpact": "HIGH",
+            "baseScore": 9.8,
+            "baseSeverity": "CRITICAL"
+          },
+          "exploitabilityScore": 3.9,
+          "impactScore": 5.9
+        }
+      ],
+      "cvssMetricV2": [
+        {
+          "source": "nvd@nist.gov",
+          "type": "Primary",
+          "cvssData": {
+            "version": "2.0",
+            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
+            "accessVector": "NETWORK",
+            "accessComplexity": "LOW",
+            "authentication": "NONE",
+            "confidentialityImpact": "PARTIAL",
+            "integrityImpact": "PARTIAL",
+            "availabilityImpact": "PARTIAL",
+            "baseScore": 7.5
+          },
+          "baseSeverity": "HIGH",
+          "exploitabilityScore": 10.0,
+          "impactScore": 6.4,
+          "acInsufInfo": true,
+          "obtainAllPrivilege": false,
+          "obtainUserPrivilege": false,
+          "obtainOtherPrivilege": false,
+          "userInteractionRequired": false
+        }
+      ]
+    },
+    "weaknesses": [
+      {
+        "source": "nvd@nist.gov",
+        "type": "Primary",
+        "description": [
+          {
+            "lang": "en",
+            "value": "CWE-20"
+          }
+        ]
+      }
+    ],
+    "configurations": [
+      {
+        "operator": "AND",
+        "nodes": [
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": true,
+                "criteria": "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*",
+                "versionStartIncluding": "7.2",
+                "versionEndExcluding": "7.3",
+                "matchCriteriaId": "A5949307-3E9B-441F-B008-81A0E0228DC0",
+                "fix": {
+                  "version": "7.3",
+                  "date": "2018-05-23",
+                  "kind": "advisory"
+                }
+              }
+            ]
+          },
+          {
+            "operator": "OR",
+            "negate": false,
+            "cpeMatch": [
+              {
+                "vulnerable": false,
+                "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*",
+                "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"
+              }
+            ]
+          }
+        ]
+      }
+    ],
+    "references": [
+      {
+        "url": "https://security.netapp.com/advisory/ntap-20180523-0001/",
+        "source": "security-alert@netapp.com",
+        "tags": [
+          "Patch",
+          "Vendor Advisory"
+        ]
+      }
+    ]
+  }
+}
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ type affectedCPERange struct {`
`18`	`18`	`VersionStartExcluding string`
`19`	`19`	`VersionEndIncluding string`
`20`	`20`	`VersionEndExcluding string`
	`21`	`+ FixInfo *nvd.FixInfo`
`21`	`22`	`}`
`22`	`23`
`23`	`24`	`func newAffectedRanges(rs ...affectedCPERange) affectedRangeSet {`
`@@ -32,6 +33,7 @@ func newAffectedRange(match nvd.CpeMatch) affectedCPERange {`
`32`	`33`	`VersionStartExcluding: nonEmptyValue(match.VersionStartExcluding),`
`33`	`34`	`VersionEndIncluding: nonEmptyValue(match.VersionEndIncluding),`
`34`	`35`	`VersionEndExcluding: nonEmptyValue(match.VersionEndExcluding),`
	`36`	`+ FixInfo: match.Fix,`
`35`	`37`	`}`
`36`	`38`	`}`
`37`	`39`