feat(db): populate vulnerability information with published & modified dates from GHSA (OSV) if NVD dates are not present (#527)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>

Author: mhbardsley

pkg/types/types.go

@@ -81,8 +81,8 @@ type VulnerabilityDetail struct {
 	References       []string   `json:",omitempty"`
 	Title            string     `json:",omitempty"`
 	Description      string     `json:",omitempty"`
-	PublishedDate    *time.Time `json:",omitempty"` // Take from NVD
-	LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD
+	PublishedDate    *time.Time `json:",omitempty"` // Take from NVD or GHSA
+	LastModifiedDate *time.Time `json:",omitempty"` // Take from NVD or GHSA
 }
 
 type AdvisoryDetail struct {

pkg/vulndb/db.go

@@ -147,7 +147,7 @@ func (t TrivyDB) optimize() error {
 			return nil
 		}
 
-		vuln := t.vulnClient.Normalize(details)
+		vuln := t.vulnClient.Normalize(cveID, details)
 		if err := t.dbc.PutVulnerability(tx, cveID, vuln); err != nil {
 			return eb.Wrapf(err, "failed to put vulnerability")
 		}

pkg/vulnsrc/aqua/aqua_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/utils"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/aqua"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
@@ -64,8 +65,10 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/ultralytics/ultralytics/issues/18027",
 							"https://github.com/ultralytics/ultralytics/issues/18030",
 						},
-						CvssScoreV3:  9.8,
-						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+						CvssScoreV3:      9.8,
+						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+						LastModifiedDate: utils.MustTimeParse("2024-12-18T12:00:00Z"),
+						PublishedDate:    utils.MustTimeParse("2024-12-18T12:00:00Z"),
 					},
 				},
 				{

pkg/vulnsrc/ghsa/ghsa_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/utils"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/ghsa"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
@@ -62,9 +63,11 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/advisories/GHSA-xx65-cc7g-9pfp",
 							"https://pivotal.io/security/cve-2018-1196",
 						},
-						Severity:     types.SeverityMedium,
-						CvssVectorV3: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
-						CvssScoreV3:  5.9,
+						Severity:         types.SeverityMedium,
+						CvssVectorV3:     "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
+						CvssScoreV3:      5.9,
+						LastModifiedDate: utils.MustTimeParse("2021-09-22T18:26:44Z"),
+						PublishedDate:    utils.MustTimeParse("2018-10-18T18:05:57Z"),
 					},
 				},
 				{
@@ -128,9 +131,11 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/FCncdn/MybatisPlusTenantPluginSQLInjection-POC/blob/master/Readme.en.md",
 							"https://github.com/baomidou/mybatis-plus",
 						},
-						Severity:     types.SeverityCritical,
-						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
-						CvssScoreV3:  9.8,
+						Severity:         types.SeverityCritical,
+						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+						CvssScoreV3:      9.8,
+						LastModifiedDate: utils.MustTimeParse("2023-04-14T20:31:15Z"),
+						PublishedDate:    utils.MustTimeParse("2023-04-05T15:30:24Z"),
 					},
 				},
 				{
@@ -181,9 +186,11 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/bodil/sized-chunks",
 							"https://rustsec.org/advisories/RUSTSEC-2020-0041.html",
 						},
-						Severity:     types.SeverityHigh,
-						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
-						CvssScoreV3:  7.5,
+						Severity:         types.SeverityHigh,
+						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+						CvssScoreV3:      7.5,
+						LastModifiedDate: utils.MustTimeParse("2022-06-14T20:54:51Z"),
+						PublishedDate:    utils.MustTimeParse("2021-08-25T20:46:06Z"),
 					},
 				},
 				{
@@ -240,9 +247,11 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/sophieschmieg/exploits/tree/master/aws_s3_crypto_poc",
 							"https://pkg.go.dev/vuln/GO-2022-0646",
 						},
-						Severity:     types.SeverityMedium,
-						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
-						CvssScoreV3:  8.8,
+						Severity:         types.SeverityMedium,
+						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
+						CvssScoreV3:      8.8,
+						LastModifiedDate: utils.MustTimeParse("2023-02-07T21:27:07Z"),
+						PublishedDate:    utils.MustTimeParse("2022-02-11T23:26:26Z"),
 					},
 				},
 				{
@@ -358,9 +367,11 @@ func TestVulnSrc_Update(t *testing.T) {
 							"https://github.com/apple/swift-nio/commit/a16e2f54a25b2af217044e5168997009a505930f",
 							"https://github.com/apple/swift-nio",
 						},
-						Severity:     types.SeverityMedium,
-						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
-						CvssScoreV3:  5.3,
+						Severity:         types.SeverityMedium,
+						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
+						CvssScoreV3:      5.3,
+						LastModifiedDate: utils.MustTimeParse("2023-06-07T16:01:53Z"),
+						PublishedDate:    utils.MustTimeParse("2023-06-07T16:01:53Z"),
 					},
 				},
 				{

pkg/vulnsrc/k8svulndb/k8svulndb_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/utils"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/k8svulndb"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
@@ -40,11 +41,13 @@ func TestVulnSrc_Update(t *testing.T) {
 						string(vulnerability.Kubernetes),
 					},
 					Value: types.VulnerabilityDetail{
-						Title:        "Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
-						Description:  "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.",
-						References:   []string{"https: //www.cve.org/cverecord?id=CVE-2023-2727"},
-						CvssVectorV3: "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
-						CvssScoreV3:  6.5,
+						Title:            "Bypassing policies imposed by the ImagePolicyWebhook and bypassing mountable secrets policy imposed by the ServiceAccount admission plugin",
+						Description:      "Users may be able to launch containers using images that are restricted by ImagePolicyWebhook when using ephemeral containers. Kubernetes clusters are only affected if the ImagePolicyWebhook admission plugin is used together with ephemeral containers.",
+						References:       []string{"https: //www.cve.org/cverecord?id=CVE-2023-2727"},
+						CvssVectorV3:     "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
+						CvssScoreV3:      6.5,
+						LastModifiedDate: utils.MustTimeParse("2023-06-13T14:42:06Z"),
+						PublishedDate:    utils.MustTimeParse("2023-06-13T14:42:06Z"),
 					},
 				},
 			},

pkg/vulnsrc/osv/osv.go

@@ -42,6 +42,8 @@ type Advisory struct {
 	References   []string
 	CVSSScoreV3  float64
 	CVSSVectorV3 string
+	Modified     time.Time
+	Published    time.Time
 
 	// From affected[].database_specific
 	DatabaseSpecific json.RawMessage
@@ -180,12 +182,14 @@ func (o OSV) commit(tx *bolt.Tx, entry Entry) error {
 
 		// Store vulnerability details
 		vuln := types.VulnerabilityDetail{
-			Severity:     adv.Severity,
-			References:   adv.References,
-			Title:        adv.Title,
-			Description:  adv.Description,
-			CvssScoreV3:  adv.CVSSScoreV3,
-			CvssVectorV3: adv.CVSSVectorV3,
+			Severity:         adv.Severity,
+			References:       adv.References,
+			Title:            adv.Title,
+			Description:      adv.Description,
+			CvssScoreV3:      adv.CVSSScoreV3,
+			CvssVectorV3:     adv.CVSSVectorV3,
+			PublishedDate:    lo.Ternary(!adv.Published.IsZero(), &adv.Published, nil),
+			LastModifiedDate: lo.Ternary(!adv.Modified.IsZero(), &adv.Modified, nil),
 		}
 
 		if err = o.dbc.PutVulnerabilityDetail(tx, adv.VulnerabilityID, o.sourceID, vuln); err != nil {
@@ -253,6 +257,8 @@ func (o OSV) parseAffected(entry Entry, vulnIDs, aliases, references []string) (
 					References:         references,
 					CVSSVectorV3:       cvssVectorV3,
 					CVSSScoreV3:        cvssScoreV3,
+					Modified:           entry.Modified,
+					Published:          entry.Published,
 					DatabaseSpecific:   affected.DatabaseSpecific,
 				}
 			}

pkg/vulnsrc/osv/osv_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy-db/pkg/utils"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/osv"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy-db/pkg/vulnsrctest"
@@ -63,6 +64,8 @@ func TestVulnSrc_Update(t *testing.T) {
 							"http://www.openwall.com/lists/oss-security/2018/07/11/7",
 							"https://github.com/advisories/GHSA-wgmx-52ph-qqcw",
 						},
+						LastModifiedDate: utils.MustTimeParse("2021-06-10T06:51:37.378319Z"),
+						PublishedDate:    utils.MustTimeParse("2018-07-12T12:29:00Z"),
 					},
 				},
 				{

pkg/vulnsrc/vulnerability/vulnerability.go

@@ -3,6 +3,7 @@ package vulnerability
 import (
 	"sort"
 	"strings"
+	"time"
 
 	"github.com/aquasecurity/trivy-db/pkg/db"
 	"github.com/aquasecurity/trivy-db/pkg/log"
@@ -36,7 +37,7 @@ func (Vulnerability) IsRejected(details map[types.SourceID]types.VulnerabilityDe
 	return getRejectedStatus(details)
 }
 
-func (Vulnerability) Normalize(details map[types.SourceID]types.VulnerabilityDetail) types.Vulnerability {
+func (Vulnerability) Normalize(vulnID string, details map[types.SourceID]types.VulnerabilityDetail) types.Vulnerability {
 	return types.Vulnerability{
 		Title:            getTitle(details),
 		Description:      getDescription(details),
@@ -45,8 +46,8 @@ func (Vulnerability) Normalize(details map[types.SourceID]types.VulnerabilityDet
 		VendorSeverity:   getVendorSeverity(details),
 		CVSS:             getCVSS(details),
 		References:       getReferences(details),
-		PublishedDate:    details[NVD].PublishedDate,
-		LastModifiedDate: details[NVD].LastModifiedDate,
+		PublishedDate:    getPublishedDate(vulnID, details),
+		LastModifiedDate: getLastModifiedDate(vulnID, details),
 	}
 }
 
@@ -179,6 +180,36 @@ func getReferences(details map[types.SourceID]types.VulnerabilityDetail) []strin
 	return refs
 }
 
+func getPublishedDate(vulnID string, details map[types.SourceID]types.VulnerabilityDetail) *time.Time {
+	// We should take PublishedData from
+	//  - NVD - for CVE-IDs
+	//  - GHSA - for GHSA-IDs
+	// cf. https://github.com/aquasecurity/trivy-db/issues/522
+	switch {
+	case strings.HasPrefix(vulnID, "CVE-"):
+		return details[NVD].PublishedDate
+	case strings.HasPrefix(vulnID, "GHSA-"):
+		return details[GHSA].PublishedDate
+	}
+
+	return nil
+}
+
+func getLastModifiedDate(vulnID string, details map[types.SourceID]types.VulnerabilityDetail) *time.Time {
+	// We should take LastModifiedDate from
+	//  - NVD - for CVE-IDs
+	//  - GHSA - for GHSA-IDs
+	// cf. https://github.com/aquasecurity/trivy-db/issues/522
+	switch {
+	case strings.HasPrefix(vulnID, "CVE-"):
+		return details[NVD].LastModifiedDate
+	case strings.HasPrefix(vulnID, "GHSA-"):
+		return details[GHSA].LastModifiedDate
+	}
+
+	return nil
+}
+
 func getRejectedStatus(details map[types.SourceID]types.VulnerabilityDetail) bool {
 	for _, source := range AllSourceIDs {
 		d, ok := details[source]