Summary
Runs both Grype and OSV-Scanner against the SBOM from Stage 1, deduplicates findings across tools, and writes one Finding row per unique (component, CVE) pair.
How it works
- Loads all
Component rows for the snapshot; builds PURL-keyed map (for Grype) and (ecosystem, name, version)-keyed map (for OSV, which omits PURLs).
- Runs
grype sbom:<path> -o json — exit codes 0 and 1 are both success (exit 1 = vulnerabilities found).
- Runs
osv-scanner scan --sbom <path> --format json — same convention.
- If both tools fail, raises
CVEMatchingError. If only one fails, logs a warning and continues.
- Deduplicates by
(component_id, cve_id): same CVE from both tools -> one row with source="grype+osv".
- Grype data is preferred when merging: provides CVSS v3 vector, fix version, and structured severity.
- Sets
SBOMSnapshot.status = "CVE_DONE".
Key detail
NEGLIGIBLE severity is distinct from INFO: INFO = no rating exists at all; NEGLIGIBLE = explicitly rated near-zero impact (CVSS 0.0). This distinction matters for automotive risk scoring.
Tests (26 passing)
Grype-only findings, OSV name-based lookup (Maven groupId:artifactId split), deduplication, CVSS v3.1 preferred over v2, fix version handling, severity/score helpers, all error paths.
Summary
Runs both Grype and OSV-Scanner against the SBOM from Stage 1, deduplicates findings across tools, and writes one
Findingrow per unique(component, CVE)pair.How it works
Componentrows for the snapshot; builds PURL-keyed map (for Grype) and(ecosystem, name, version)-keyed map (for OSV, which omits PURLs).grype sbom:<path> -o json— exit codes 0 and 1 are both success (exit 1 = vulnerabilities found).osv-scanner scan --sbom <path> --format json— same convention.CVEMatchingError. If only one fails, logs a warning and continues.(component_id, cve_id): same CVE from both tools -> one row withsource="grype+osv".SBOMSnapshot.status = "CVE_DONE".Key detail
NEGLIGIBLEseverity is distinct fromINFO:INFO= no rating exists at all;NEGLIGIBLE= explicitly rated near-zero impact (CVSS 0.0). This distinction matters for automotive risk scoring.Tests (26 passing)
Grype-only findings, OSV name-based lookup (Maven groupId:artifactId split), deduplication, CVSS v3.1 preferred over v2, fix version handling, severity/score helpers, all error paths.