Handle OSV database specific severity better

Prabhu Subramanian · Prabhu Subramanian · commit a45fc845257b · 2022-06-14T14:16:51.000+01:00
diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setuptools.setup(
     name="appthreat-vulnerability-db",
-    version="2.0.2",
+    version="2.0.3",
     author="Team AppThreat",
     author_email="cloud@appthreat.com",
     description="AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities.",
diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py
@@ -116,8 +116,15 @@ def to_vuln(self, cve_data):
             assigner = "cve@mitre.org"
         elif cve_id.startswith("NPM"):
             assigner = "@npm"
+        severity = "LOW"
+        # Issue 58
+        cve_database_specific = cve_data.get("database_specific")
+        cve_ecosystem_specific = cve_data.get("ecosystem_specific")
+        if cve_database_specific and cve_database_specific.get("severity"):
+            severity = cve_database_specific.get("severity")
+        if cve_ecosystem_specific and cve_ecosystem_specific.get("severity"):
+            severity = cve_ecosystem_specific.get("severity")
         for pkg_data in cve_data.get("affected"):
-            severity = "LOW"
             if pkg_data.get("ecosystem_specific"):
                 ecosystem_specific = pkg_data.get("ecosystem_specific")
                 if ecosystem_specific.get("severity"):
@@ -126,7 +133,7 @@ def to_vuln(self, cve_data):
                 database_specific = pkg_data.get("database_specific")
                 if database_specific.get("cwes"):
                     cwes = database_specific.get("cwes")
-                    if cwes:
+                    if isinstance(cwes, list):
                         cwe_id = cwes[0].get("cweId")
                 if database_specific.get("cvss"):
                     cvss = database_specific.get("cvss")
