Support for OWASP Risk Ratings in VEX documents

[fahedouch]

Description

Hey everyone,

I'd like to propose adding support for OWASP Risk Ratings from CycloneDX VEX documents.

Why?

The CycloneDX spec now recommends that tools consider ratings when prioritizing vulnerabilities (spec PR #722):

"Consumers SHOULD consider ratings in prioritization decisions"

CVSS scores are generic. The same CVE has different risk levels depending on your context (network exposure, data sensitivity, etc.). VEX documents can include these context-aware ratings, but Grype currently ignores them.

What changes?

Add an optional OWASPRating field so Grype can display context-aware risk assessments from VEX documents when available. Fully backward compatible.

Example

json { "VulnerabilityID": "CVE-2011-3374", "Severity": "LOW", "OWASPRating": { "severity": "medium", "score": 27.5 } }

Now you see both the generic CVSS severity and your specific risk assessment.

Use case

Tools like vens generate these ratings. This lets Grype users prioritize based on actual risk, not just CVSS scores.

Thoughts?

[wagoodman]

This has connectivity to #1378 which is all about having a configurable way to convey severity preferences --which I feel goes beyond pure severity since we do allow for a risk ranking to sort output. This issue builds on it by asking for reading additional input sources to display and sort/rank output.

[fahedouch]

Thanks @wagoodman for connecting this to #1378. After reading through that thread, I think we could approach this in two steps:

Step 1: Add contextual risk as a new field

Instead of touching the existing severity logic, just add OWASP ratings as optional data:

type Vulnerability struct {
    // ... existing fields
    Risk            float64             `json:"risk"`
    ContextualRisk  *ContextualRiskData `json:"contextualRisk,omitempty"`
}

type ContextualRiskData struct {
    Score    float64 `json:"score"`
    Severity string  `json:"severity"`
    Vector   string  `json:"vector"`
    Source   string  `json:"source"`
}

This way it's completely backward compatible and doesn't affect how Grype currently works. Users get both the standard risk score and the contextual one when available.
Example output:

{
  "vulnerability": {
    "id": "CVE-2011-3374",
    "severity": "LOW",
    "risk": 15.5,
    "contextualRisk": {
      "score": 27.5,
      "severity": "MEDIUM",
      "vector": "OWASP:2023/SL:5/M:5/O:5/S:1/ED:1/EE:1/A:1/ID:1/LC:1/LI:1/LAV:1/LAC:1/FD:1/RD:1/NC:1/PV:1",
      "source": "vex"
    }
  }
}

Step 2: Tackle severity preferences later

Once step 1 is done, we can focus on the severity preferences work in #1378 - choosing which severity source to use, displaying multiple sources, etc. That's a much larger change and this gives us something concrete to work with first.

Let me know if this approach makes sense and I can get started.