feat(cve): add reference url for cve

pkg/extensions/search/cve/model/models.go

@@ -17,6 +17,7 @@ type CVE struct {
 	Description string    `json:"Description"`
 	Severity    string    `json:"Severity"`
 	Title       string    `json:"Title"`
+	Reference   string    `json:"Reference"`
 	PackageList []Package `json:"PackageList"`
 }
 

pkg/extensions/search/cve/trivy/scanner.go

@@ -5,6 +5,7 @@
 	"fmt"
 	"os"
 	"path"
+	"strings"
 	"sync"
 
 	"github.com/aquasecurity/trivy-db/pkg/metadata"
@@ -427,6 +428,7 @@
 					ID:          vulnerability.VulnerabilityID,
 					Title:       vulnerability.Title,
 					Description: vulnerability.Description,
+					Reference:   getCVEReference(vulnerability.PrimaryURL, vulnerability.References),
 					Severity:    convertSeverity(vulnerability.Severity),
 					PackageList: newPkgList,
 				}
@@ -439,6 +441,34 @@
 	return cveidMap, nil
 }
 
+func getCVEReference(primaryURL string, references []string) string {
+	if primaryURL != "" {
+		return primaryURL
+	}
+
+	if len(references) > 0 {
+		nvdReference, found := getNVDReference(references)
+
+		if found {
+			return nvdReference
+		}
+
+		return references[0]
+	}
+
+	return ""
+}
+
+func getNVDReference(references []string) (string, bool) {
+	for i := range references {
+		if strings.Contains(references[i], "nvd.nist.gov") {
+			return references[i], true
+		}
+	}
+
+	return "", false
+}
+
 func (scanner Scanner) scanIndex(ctx context.Context, repo, digest string) (map[string]cvemodel.CVE, error) {
 	if cachedMap := scanner.cache.Get(digest); cachedMap != nil {
 		return cachedMap, nil

pkg/extensions/search/cve/trivy/scanner_internal_test.go

@@ -488,3 +488,19 @@ func TestIsIndexScannableErrors(t *testing.T) {
 		})
 	})
 }
+
+func TestGetCVEReference(t *testing.T) {
+	Convey("getCVEReference", t, func() {
+		ref := getCVEReference("primary", []string{})
+		So(ref, ShouldResemble, "primary")
+
+		ref = getCVEReference("", []string{"secondary"})
+		So(ref, ShouldResemble, "secondary")
+
+		ref = getCVEReference("", []string{""})
+		So(ref, ShouldResemble, "")
+
+		ref = getCVEReference("", []string{"https://nvd.nist.gov/vuln/detail/CVE-2023-2650"})
+		So(ref, ShouldResemble, "https://nvd.nist.gov/vuln/detail/CVE-2023-2650")
+	})
+}

pkg/extensions/search/resolver.go

@@ -228,6 +228,7 @@ func getCVEListForImage(
 		desc := cveDetail.Description
 		title := cveDetail.Title
 		severity := cveDetail.Severity
+		referenceURL := cveDetail.Reference
 
 		pkgList := make([]*gql_generated.PackageInfo, 0)
 
@@ -249,6 +250,7 @@ func getCVEListForImage(
 				Title:       &title,
 				Description: &desc,
 				Severity:    &severity,
+				Reference:   &referenceURL,
 				PackageList: pkgList,
 			},
 		)

pkg/extensions/search/schema.graphql

@@ -46,6 +46,10 @@ type CVE {
     """
     Description: String
     """
+    Reference for the given CVE
+    """
+    Reference: String
+    """
     The impact the CVE has, one of "UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"
     """
     Severity: String