Skip to content

[Phase 1] Stage 2: CVE matching (Grype + OSV-Scanner deduplication) #4

Description

@varun-polpakkara

Summary

Runs both Grype and OSV-Scanner against the SBOM from Stage 1, deduplicates findings across tools, and writes one Finding row per unique (component, CVE) pair.

How it works

  1. Loads all Component rows for the snapshot; builds PURL-keyed map (for Grype) and (ecosystem, name, version)-keyed map (for OSV, which omits PURLs).
  2. Runs grype sbom:<path> -o json — exit codes 0 and 1 are both success (exit 1 = vulnerabilities found).
  3. Runs osv-scanner scan --sbom <path> --format json — same convention.
  4. If both tools fail, raises CVEMatchingError. If only one fails, logs a warning and continues.
  5. Deduplicates by (component_id, cve_id): same CVE from both tools -> one row with source="grype+osv".
  6. Grype data is preferred when merging: provides CVSS v3 vector, fix version, and structured severity.
  7. Sets SBOMSnapshot.status = "CVE_DONE".

Key detail

NEGLIGIBLE severity is distinct from INFO: INFO = no rating exists at all; NEGLIGIBLE = explicitly rated near-zero impact (CVSS 0.0). This distinction matters for automotive risk scoring.

Tests (26 passing)

Grype-only findings, OSV name-based lookup (Maven groupId:artifactId split), deduplication, CVSS v3.1 preferred over v2, fix version handling, severity/score helpers, all error paths.

Metadata

Metadata

Labels

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions