greenbone · timopollmeier · Oct 14, 2020 · Jan 26, 2020 · Jan 26, 2020 · Jan 26, 2020
diff --git a/src/manage_pg.c b/src/manage_pg.c
@@ -2499,6 +2499,15 @@ create_tables ()
        "  ref_id text NOT NULL,"
        "  ref_text text);");
 
+  sql ("CREATE TABLE IF NOT EXISTS vt_severities"
+       " (id SERIAL PRIMARY KEY,"
+       "  vt_oid text NOT NULL,"
+       "  type text NOT NULL,"
+       "  origin text,"
+       "  date integer,"
+       "  score integer,"
+       "  value text);");
+
   sql ("CREATE TABLE IF NOT EXISTS nvt_preferences"
        " (id SERIAL PRIMARY KEY,"
        "  name text UNIQUE NOT NULL,"
@@ -2810,6 +2819,8 @@ create_tables ()
   sql ("SELECT create_index ('vt_refs_by_vt_oid',"
        "                     'vt_refs', 'vt_oid');");
 
+  sql ("SELECT create_index ('vt_severities_by_vt_oid',"
+       "                     'vt_severities', 'vt_oid');");
 
 #if 0
   /* TODO The value column can be bigger than 8191, the maximum size that

diff --git a/src/manage_sql.c b/src/manage_sql.c
@@ -21277,12 +21277,6 @@ where_qod (int min_qod)
   return qod_sql;
 }
 
-/**
- * @brief SQL for retrieving CVSS base.
- */
-#define CVSS_BASE_SQL                                            \
-  "(SELECT cvss_base FROM nvts WHERE nvts.oid = results.nvt)"
-
 /**
  * @brief Filter columns for result iterator.
  */

diff --git a/src/manage_sql_nvts.c b/src/manage_sql_nvts.c
@@ -1,4 +1,4 @@
-/* Copyright (C) 2009-2019 Greenbone Networks GmbH
+/* Copyright (C) 2009-2020 Greenbone Networks GmbH
  *
  * SPDX-License-Identifier: AGPL-3.0-or-later
  *
@@ -341,6 +341,29 @@ insert_nvt (const nvti_t *nvti)
       g_free (quoted_text);
     }
 
+  sql ("DELETE FROM vt_severities where vt_oid = '%s';", nvti_oid (nvti));
+
+  for (i = 0; i < nvti_vtseverities_len (nvti); i++)
+    {
+      vtseverity_t *severity;
+      gchar *quoted_origin, *quoted_value;
+
+      severity = nvti_vtseverity (nvti, i);
+      quoted_origin = sql_quote (vtseverity_origin (severity) ?
+                                 vtseverity_origin (severity) : "");
+      quoted_value = sql_quote (vtseverity_value (severity) ?
+                                 vtseverity_value (severity) : "");
+
+      sql ("INSERT into vt_severities (vt_oid, type, origin, date, score, value)"
+           " VALUES ('%s', '%s', '%s', %i, %i, '%s');",
+           nvti_oid (nvti), vtseverity_type (severity),
+           quoted_origin, vtseverity_date (severity),
+           vtseverity_score (severity), quoted_value);
+
+      g_free (quoted_origin);
+      g_free (quoted_value);
+    }
+
   g_free (quoted_name);
   g_free (quoted_summary);
   g_free (quoted_insight);
@@ -1207,7 +1230,7 @@ nvti_from_vt (entity_t vt)
   entity_t name, summary, insight, affected, impact, detection, solution;
   entity_t creation_time, modification_time;
   entity_t refs, ref, custom, family, category;
-  entity_t severities;
+  entity_t severities, severity;
 
   entities_t children;
 
@@ -1287,6 +1310,66 @@ nvti_from_vt (entity_t vt)
         nvti_set_solution_method (nvti, method);
     }
 
+  severities = entity_child (vt, "severities");
+  if (severities == NULL)
+    {
+      g_warning ("%s: VT missing SEVERITIES", __func__);
+      nvti_free (nvti);
+      return NULL;
+    }
+
+  children = severities->entities;
+  while ((severity = first_entity (children)))
+    {
+      const gchar *severity_type;
+
+      severity_type = entity_attribute (severity, "type");
+
+      if (severity_type == NULL)
+        {
+          GString *debug = g_string_new ("");
+          g_warning ("%s: SEVERITY missing type attribute", __func__);
+          print_entity_to_string (severity, debug);
+          g_warning ("%s: severity: %s", __func__, debug->str);
+          g_string_free (debug, TRUE);
+        }
+      else
+        {
+          entity_t value;
+
+          value = entity_child (severity, "value");
+
+          if (!value)
+            {
+              GString *debug = g_string_new ("");
+              g_warning ("%s: SEVERITY missing value element", __func__);
+              print_entity_to_string (severity, debug);
+              g_warning ("%s: severity: %s", __func__, debug->str);
+              g_string_free (debug, TRUE);
+            }
+          else
+            {
+              gchar * cvss_base;
+
+              nvti_add_vtseverity (nvti,
+                vtseverity_new (severity_type,
+                                NULL /* origin */,
+                                nvti_modification_time (nvti),
+                                get_cvss_score_from_base_metrics (entity_text (value)) * 10,
+                                entity_text (value)));
+
+              nvti_add_tag (nvti, "cvss_base_vector", entity_text (value));
+
+              cvss_base = g_strdup_printf ("%.1f",
+                get_cvss_score_from_base_metrics (entity_text (value)));
+              nvti_set_cvss_base (nvti, cvss_base);
+              g_free (cvss_base);
+            }
+        }
+
+      children = next_entities (children);
+    }
+
   refs = entity_child (vt, "refs");
   if (refs)
     {
@@ -1327,33 +1410,6 @@ nvti_from_vt (entity_t vt)
         }
     }
 
-  severities = entity_child (vt, "severities");
-  if (severities)
-    {
-      entity_t severity;
-
-      severity = entity_child (severities, "severity");
-      if (severity
-          && entity_attribute (severity, "type")
-          && (strcmp (entity_attribute (severity, "type"),
-                      "cvss_base_v2")
-              == 0))
-        {
-          gchar * cvss_base;
-
-          nvti_add_tag (nvti, "cvss_base_vector", entity_text (severity));
-
-          cvss_base = g_strdup_printf ("%.1f",
-            get_cvss_score_from_base_metrics (entity_text (severity)));
-          nvti_set_cvss_base (nvti, cvss_base);
-          g_free (cvss_base);
-        }
-      else
-        g_warning ("%s: no severity", __func__);
-    }
-  else
-    g_warning ("%s: no severities", __func__);
-
   custom = entity_child (vt, "custom");
   if (custom == NULL)
     {