feat: add SeveritySource to VulnerabilityReport

api/storage/v1alpha1/vulnerabilityreport_types.go

@@ -130,6 +130,12 @@ type Vulnerability struct {
 	// Severity rating (e.g., "HIGH", "MEDIUM")
 	Severity string `json:"severity" protobuf:"bytes,10,req,name=severity"`
 
+	// SeveritySource identifies the vendor that produced the Severity
+	// (e.g. "nvd", "ghsa", "redhat", "alpine").
+	// Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity.
+	// May be empty when the source vendor is not known.
+	SeveritySource string `json:"severitySource,omitempty" protobuf:"bytes,16,opt,name=severitySource"`
+
 	// References contains URLs for more information
 	References []string `json:"references,omitempty" protobuf:"bytes,11,rep,name=references"`
 

docs/crds/CRD-docs-for-docs-repo.adoc

@@ -970,6 +970,10 @@ so we have to restore it. + |  |
 | *`diffID`* __string__ | DiffID of the image layer where the vulnerability was introduced + |  | 
 | *`description`* __string__ | Description of the vulnerability + |  | 
 | *`severity`* __string__ | Severity rating (e.g., "HIGH", "MEDIUM") + |  | 
+| *`severitySource`* __string__ | SeveritySource identifies the vendor that produced the Severity +
+(e.g. "nvd", "ghsa", "redhat", "alpine"). +
+Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity. +
+May be empty when the source vendor is not known. + |  | 
 | *`references`* __string array__ | References contains URLs for more information + |  | 
 | *`cvss`* __object (keys:string, values:xref:{anchor_prefix}-github-com-kubewarden-sbomscanner-api-storage-v1alpha1-cvss[$$CVSS$$])__ | CVSS scoring details + |  | 
 | *`cwes`* __string array__ | CWEs with which the CVE is classified + |  | 

docs/crds/CRD-docs-for-docs-repo.md

@@ -742,6 +742,7 @@ _Appears in:_
 | `diffID` _string_ | DiffID of the image layer where the vulnerability was introduced |  |  |
 | `description` _string_ | Description of the vulnerability |  |  |
 | `severity` _string_ | Severity rating (e.g., "HIGH", "MEDIUM") |  |  |
+| `severitySource` _string_ | SeveritySource identifies the vendor that produced the Severity<br />(e.g. "nvd", "ghsa", "redhat", "alpine").<br />Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity.<br />May be empty when the source vendor is not known. |  |  |
 | `references` _string array_ | References contains URLs for more information |  |  |
 | `cvss` _object (keys:string, values:[CVSS](#cvss))_ | CVSS scoring details |  |  |
 | `cwes` _string array_ | CWEs with which the CVE is classified |  |  |

internal/handlers/trivyreport/trivy.go

@@ -86,6 +86,7 @@ func newVulnerability(trivyVuln trivyTypes.DetectedVulnerability) storagev1alpha
 		DiffID:           trivyVuln.Layer.DiffID,
 		Description:      trivyVuln.Description,
 		Severity:         trivyVuln.Severity,
+		SeveritySource:   string(trivyVuln.SeveritySource),
 		References:       trivyVuln.References,
 		CVSS:             newCVSS(trivyVuln.CVSS),
 		CWEs:             trivyVuln.CweIDs,

internal/handlers/trivyreport/trivy_test.go

@@ -68,9 +68,10 @@ func TestNewResultsFromTrivyReport(t *testing.T) {
 							FixedVersions: []string{
 								"0.36.0",
 							},
-							DiffID:      "sha256:d37a3e42d123ca619ceab4bbe3c1e9a96d0a837e5e0e3052b33dbd0e842c5661",
-							Description: "Lorem ipsum",
-							Severity:    storagev1alpha1.SeverityMedium,
+							DiffID:         "sha256:d37a3e42d123ca619ceab4bbe3c1e9a96d0a837e5e0e3052b33dbd0e842c5661",
+							Description:    "Lorem ipsum",
+							Severity:       storagev1alpha1.SeverityMedium,
+							SeveritySource: "ghsa",
 							References: []string{
 								"http://www.openwall.com/lists/oss-security/2025/03/07/2",
 								"https://access.redhat.com/security/cve/CVE-2025-22870",

test/crd/storage.sbomscanner.kubewarden.io_vulnerabilityreports.yaml

@@ -163,6 +163,13 @@ spec:
                           severity:
                             description: Severity rating (e.g., "HIGH", "MEDIUM")
                             type: string
+                          severitySource:
+                            description: |-
+                              SeveritySource identifies the vendor that produced the Severity
+                              (e.g. "nvd", "ghsa", "redhat", "alpine").
+                              Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity.
+                              May be empty when the source vendor is not known.
+                            type: string
                           suppressed:
                             description: |-
                               Suppressed identify when vulnerability has

test/crd/storage.sbomscanner.kubewarden.io_workloadscanreports.yaml

@@ -189,6 +189,13 @@ spec:
                                         description: Severity rating (e.g., "HIGH",
                                           "MEDIUM")
                                         type: string
+                                      severitySource:
+                                        description: |-
+                                          SeveritySource identifies the vendor that produced the Severity
+                                          (e.g. "nvd", "ghsa", "redhat", "alpine").
+                                          Consumers can use this key to look up the matching entry in the CVSS map to display alongside Severity.
+                                          May be empty when the source vendor is not known.
+                                        type: string
                                       suppressed:
                                         description: |-
                                           Suppressed identify when vulnerability has