Description
What happened:
Currently, there are no vulnerability handle records from the nvd provider that are marked with a status of disputed, even though there are records tagged as disputed in the NVD API. This is because the grype vulnerability handle status is currently calculated only from the vulnStatus property of the NVD record, and that API does not use the status to mark a record as disputed; instead, a "disputed" label is added to cveTags (see https://csrc.nist.gov/schema/nvd/api/2.0/cve_api_json_2.0.schema).
So, we should update the NVD unmarshaller at `type CveItem struct {` to include cveTags, and then consider them when determining status in `func getVulnStatus(vuln unmarshal.NVDVulnerability) db.VulnerabilityStatus {`.
What you expected to happen:
NVD records flagged as disputed should have the vulnerability handle status set to disputed in the grype database
How to reproduce it (as minimally and precisely as possible):
Take https://nvd.nist.gov/vuln/detail/CVE-2001-1517 as an example of an NVD CVE entry that is marked as disputed; we get the following vunnel result for it:
```json
{
  "schema": "https://raw.githubusercontent.com/anchore/vunnel/main/schema/vulnerability/nvd/schema-1.0.1.json",
  "identifier": "2001/cve-2001-1517",
  "item": {
    "cve": {
      "id": "CVE-2001-1517",
      "sourceIdentifier": "cve@mitre.org",
      "published": "2001-12-31T05:00:00.000",
      "lastModified": "2025-04-03T01:03:51.193",
      "vulnStatus": "Deferred",
      "cveTags": [
        {
          "sourceIdentifier": "cve@mitre.org",
          "tags": [
            "disputed"
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RunAs (runas.exe) in Windows 2000 stores cleartext authentication information in memory, which could allow attackers to obtain usernames and passwords by executing a process that is allocated the same memory page after termination of a RunAs command. NOTE: the vendor disputes this issue, saying that administrative privileges are already required to exploit it, and the original researcher did not respond to requests for additional information"
        }
      ],
      "metrics": {
        "cvssMetricV2": [
          {
            "source": "nvd@nist.gov",
            "type": "Primary",
            "cvssData": {
              "version": "2.0",
              "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N",
              "baseScore": 2.1,
              "accessVector": "LOCAL",
              "accessComplexity": "LOW",
              "authentication": "NONE",
              "confidentialityImpact": "PARTIAL",
              "integrityImpact": "NONE",
              "availabilityImpact": "NONE"
            },
            "baseSeverity": "LOW",
            "exploitabilityScore": 3.9,
            "impactScore": 2.9,
            "acInsufInfo": false,
            "obtainAllPrivilege": false,
            "obtainUserPrivilege": false,
            "obtainOtherPrivilege": false,
            "userInteractionRequired": false
          }
        ]
      },
      "weaknesses": [
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "description": [
            {
              "lang": "en",
              "value": "NVD-CWE-Other"
            }
          ]
        }
      ],
      "configurations": [
        {
          "nodes": [
            {
              "operator": "OR",
              "negate": false,
              "cpeMatch": [
                {
                  "vulnerable": true,
                  "criteria": "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*",
                  "matchCriteriaId": "4E545C63-FE9C-4CA1-AF0F-D999D84D2AFD"
                },
                {
                  "vulnerable": true,
                  "criteria": "cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*",
                  "matchCriteriaId": "294EBA01-147B-4DA0-937E-ACBB655EDE53"
                },
                {
                  "vulnerable": true,
                  "criteria": "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*",
                  "matchCriteriaId": "4E8B7346-F2AA-434C-A048-7463EC1BB117"
                }
              ]
            }
          ]
        }
      ],
      "references": [
        {
          "url": "http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0041.html",
          "source": "cve@mitre.org",
          "tags": [
            "Patch",
            "Vendor Advisory"
          ]
        },
        {
          "url": "http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00100.html",
          "source": "cve@mitre.org"
        },
        {
          "url": "http://www.iss.net/security_center/static/7531.php",
          "source": "cve@mitre.org",
          "tags": [
            "Patch"
          ]
        },
        {
          "url": "http://www.securityfocus.com/bid/3184",
          "source": "cve@mitre.org"
        },
        {
          "url": "http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0041.html",
          "source": "af854a3a-2127-422b-91ae-364da2661108",
          "tags": [
            "Patch",
            "Vendor Advisory"
          ]
        },
        {
          "url": "http://cert.uni-stuttgart.de/archive/bugtraq/2001/11/msg00100.html",
          "source": "af854a3a-2127-422b-91ae-364da2661108"
        },
        {
          "url": "http://www.iss.net/security_center/static/7531.php",
          "source": "af854a3a-2127-422b-91ae-364da2661108",
          "tags": [
            "Patch"
          ]
        },
        {
          "url": "http://www.securityfocus.com/bid/3184",
          "source": "af854a3a-2127-422b-91ae-364da2661108"
        }
      ]
    }
  }
}
```
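As an added illustration of the change proposed above (example code, not grype-db's own), here is a minimal Go `CveItem` that unmarshals `cveTags`, and a `GetVulnStatus` that consults those tags before `vulnStatus`. The `VulnerabilityStatus` type and its values are assumed for the example; the envelope shape follows the vunnel result shown above.

```go
package main

import (
	"encoding/json"
	"strings"
)

// VulnerabilityStatus and its values are assumed for this example, not grype-db's own enum.
type VulnerabilityStatus string
const StatusActive, StatusRejected, StatusDisputed VulnerabilityStatus = "active", "rejected", "disputed"

// CveTag is one element of the NVD 2.0 API "cveTags" array.
type CveTag struct {
	SourceIdentifier string   `json:"sourceIdentifier"`
	Tags             []string `json:"tags"`
}

// CveItem is a minimal subset of the NVD record, extended with the CveTags field.
type CveItem struct {
	VulnStatus string   `json:"vulnStatus"`
	CveTags    []CveTag `json:"cveTags"`
}

// GetVulnStatus checks cveTags before vulnStatus: NVD records a dispute as a tag,
// while vulnStatus keeps its workflow value ("Deferred" in the record above).
func GetVulnStatus(c CveItem) VulnerabilityStatus {
	for _, t := range c.CveTags {
		for _, tag := range t.Tags {
			if strings.EqualFold(tag, "disputed") {
				return StatusDisputed
			}
		}
	}
	if strings.EqualFold(c.VulnStatus, "Rejected") {
		return StatusRejected
	}
	return StatusActive
}

// StatusFromJSON parses a vunnel NVD result envelope ({"item":{"cve":{...}}}).
func StatusFromJSON(data []byte) (VulnerabilityStatus, error) {
	var r struct {
		Item struct {
			Cve CveItem `json:"cve"`
		} `json:"item"`
	}
	if err := json.Unmarshal(data, &r); err != nil {
		return "", err
	}
	return GetVulnStatus(r.Item.Cve), nil
}
```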