Use CVE>Impact as severity when it is not empty (RedHat OVAL)

2017-08-13 22:17:25 +09:00
parent dbceca8780
commit 47a444e795
2 changed files with 7 additions and 2 deletions
--- a/Gopkg.lock
+++ b/Gopkg.lock
@@ -149,7 +149,7 @@
  branch = "master"
  name = "github.com/kotakanbe/goval-dictionary"
  packages = ["config","db","db/rdb","log","models"]
-  revision = "597ee7aff9dcf36eb8c254d8b1ba8704ade521a6"
+  revision = "aa1dbe07a21bd51943893086d37e9e57c6020ce0"

 [[projects]]
  branch = "master"
--- a/oval/redhat.go
+++ b/oval/redhat.go
@@ -124,12 +124,17 @@ func (o RedHatBase) convertToModel(cveID string, def *ovalmodels.Definition) *mo
 		score2, vec2 := o.parseCvss2(cve.Cvss2)
 		score3, vec3 := o.parseCvss3(cve.Cvss3)

+		severity := def.Advisory.Severity
+		if cve.Impact != "" {
+			severity = cve.Impact
+		}
+
 		return &models.CveContent{
 			Type:         models.NewCveContentType(o.family),
 			CveID:        cve.CveID,
 			Title:        def.Title,
 			Summary:      def.Description,
-			Severity:     def.Advisory.Severity,
+			Severity:     severity,
 			Cvss2Score:   score2,
 			Cvss2Vector:  vec2,
 			Cvss3Score:   score3,