refactor: add AllSourceIDs (#485)

Co-authored-by: Teppei Fukuda <[email protected]>
aquasecurity · Jan 24, 2025 · 8089e20 · 8089e20
1 parent 388c617
commit 8089e20
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 15 deletions.
diff --git a/pkg/vulnsrc/vulnerability/const.go b/pkg/vulnsrc/vulnerability/const.go
@@ -1,6 +1,8 @@
 package vulnerability
 
-import "github.com/aquasecurity/trivy-db/pkg/types"
+import (
+	"github.com/aquasecurity/trivy-db/pkg/types"
+)
 
 const (
 	// Data source
@@ -70,3 +72,38 @@ var Ecosystems = []types.Ecosystem{
 	Bitnami,
 	Kubernetes,
 }
+
+// AllSourceIDs lists all supported vulnerability source IDs in order of precedence.
+// When searching for vulnerability details (Severity, Title, Description, and CWE-IDs),
+// the sources are checked in this order until valid data is found.
+// For example, if severity data is missing in NVD, it will check Red Hat next,
+// continuing through the list until it finds a valid severity value.
+var AllSourceIDs = []types.SourceID{
+	NVD,
+	RedHat,
+	RedHatOVAL,
+	Debian,
+	Ubuntu,
+	Alpine,
+	Amazon,
+	OracleOVAL,
+	SuseCVRF,
+	Photon,
+	ArchLinux,
+	Alma,
+	Rocky,
+	CBLMariner,
+	AzureLinux,
+	RubySec,
+	PhpSecurityAdvisories,
+	NodejsSecurityWg,
+	GHSA,
+	GLAD,
+	Aqua,
+	OSV,
+	K8sVulnDB,
+	Wolfi,
+	Chainguard,
+	BitnamiVulndb,
+	GoVulnDB,
+}
diff --git a/pkg/vulnsrc/vulnerability/vulnerability.go b/pkg/vulnsrc/vulnerability/vulnerability.go
@@ -13,14 +13,6 @@ const (
 	rejectVulnerability = "** REJECT **"
 )
 
-var (
-	sources = []types.SourceID{
-		NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
-		ArchLinux, Alma, Rocky, CBLMariner, AzureLinux, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD,
-		Aqua, OSV, K8sVulnDB,
-	}
-)
-
 type Vulnerability struct {
 	dbc db.Operation
 }
@@ -98,7 +90,7 @@ func getVendorSeverity(details map[types.SourceID]types.VulnerabilityDetail) typ
 }
 
 func getSeverity(details map[types.SourceID]types.VulnerabilityDetail) types.Severity {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		switch d, ok := details[source]; {
 		case !ok:
 			continue
@@ -120,7 +112,7 @@ func getSeverity(details map[types.SourceID]types.VulnerabilityDetail) types.Sev
 }
 
 func getTitle(details map[types.SourceID]types.VulnerabilityDetail) string {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -133,7 +125,7 @@ func getTitle(details map[types.SourceID]types.VulnerabilityDetail) string {
 }
 
 func getDescription(details map[types.SourceID]types.VulnerabilityDetail) string {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -146,7 +138,7 @@ func getDescription(details map[types.SourceID]types.VulnerabilityDetail) string
 }
 
 func getCweIDs(details map[types.SourceID]types.VulnerabilityDetail) []string {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue
@@ -160,7 +152,7 @@ func getCweIDs(details map[types.SourceID]types.VulnerabilityDetail) []string {
 
 func getReferences(details map[types.SourceID]types.VulnerabilityDetail) []string {
 	references := map[string]struct{}{}
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		// Amazon contains unrelated references
 		if source == Amazon {
 			continue
@@ -188,7 +180,7 @@ func getReferences(details map[types.SourceID]types.VulnerabilityDetail) []strin
 }
 
 func getRejectedStatus(details map[types.SourceID]types.VulnerabilityDetail) bool {
-	for _, source := range sources {
+	for _, source := range AllSourceIDs {
 		d, ok := details[source]
 		if !ok {
 			continue