From 4db568778ec760ddaf0b10e3e8b75fcde82d2618 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adolfo=20Garc=C3=ADa=20Veytia=20=28Puerco=29?=
Date: Mon, 22 Feb 2021 18:47:15 -0600
Subject: [PATCH] Add link to CVE calculator on release notes CVE data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Adolfo GarcĂ­a Veytia (Puerco)
---
 pkg/notes/document/template.go | 2 +-
 pkg/notes/notes.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/pkg/notes/document/template.go b/pkg/notes/document/template.go
index cf984f2e0944..477cd7090999 100644
--- a/pkg/notes/document/template.go
+++ b/pkg/notes/document/template.go
@@ -72,7 +72,7 @@ This release contains changes that address the following vulnerabilities:
 {{.Description}}
-**CVSS Rating:** {{.CVSSRating}} ({{.CVSSScore}}) {{.CVSSVector}}
+**CVSS Rating:** {{.CVSSRating}} ({{.CVSSScore}}) [{{.CVSSVector}}]({{.CalcLink}})
 **Tracking Issue:** {{.TrackingIssue}}
 {{ end }}
diff --git a/pkg/notes/notes.go b/pkg/notes/notes.go
index 2fd9ea085039..123f6fa644a7 100644
--- a/pkg/notes/notes.go
+++ b/pkg/notes/notes.go
@@ -67,7 +67,8 @@ type CVEData struct {
 CVSSVector string `json:"vector"` // Full CVSS vector string, CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H
 CVSSScore float32 `json:"score"` // Numeric CVSS score (eg 6.2)
 CVSSRating string `json:"rating"` // Severity bucket (eg Medium)
- LinkedPRs []int `json:"linkedPRs"` // List of linked PRs (to remove them from the release notes doc)
+ CalcLink string // Link to the CVE calculator (automatic)
+ LinkedPRs []int `json:"linkedPRs"` // List of linked PRs (to remove them from the release notes doc)
 }
 const (
@@ -1122,5 +1123,14 @@ func (cve *CVEData) Validate() error {
 return errors.New("CVE description missing from CVE data")
 }
+ // Since we're checking the vector string with a regex, use the effort to
+ // add a link to the CVE calculator
+ re := regexp.MustCompile(`^CVSS:(\d+\.\d+)/`)
+ cvssVer := re.FindStringSubmatch(cve.CVSSVector)
+ if len(cvssVer) == 0 {
+ return errors.New("CVSS vector in not properly formed: version missing")
+ }
+ cve.CalcLink = fmt.Sprintf("https://www.first.org/cvss/calculator/%s#%s", cvssVer[1], cve.CVSSVector)
+
 return nil
 }
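Review bot: The new link target `{{.CalcLink}}` on the changed CVSS Rating line is only populated by CVEData.Validate (the notes.go hunk of this same patch), so a CVEData rendered through this template without passing through Validate produces an empty markdown link target, `[vector]()`. Guarding the link in the template keeps the old plain-text output in that case: `{{ if .CalcLink }}[{{.CVSSVector}}]({{.CalcLink}}){{ else }}{{.CVSSVector}}{{ end }}`. Whether every render path calls Validate first cannot be confirmed from this hunk.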
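Review bot: The added `CalcLink string` field carries no json tag, so encoding/json will both emit it under the key `CalcLink` and accept it from decoded CVE data, although the comment marks it as automatic; a value derived by the code should not be supplyable from the input, so tag it `json:"-"` and say where it comes from, e.g. `CalcLink string `json:"-"` // Link to the CVE calculator (filled in by Validate)`. If the field is deliberately meant to round-trip through JSON, a lower-case tag such as `json:"calcLink"` would at least match the sibling fields' naming. Validate overwrites the value, so the exposure is limited to callers that decode without validating, which cannot be determined from this hunk.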
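Review bot: The error string on the added `return errors.New("CVSS vector in not properly formed: version missing")` has a typo, `in not` for `is not`, and `regexp.MustCompile` now runs on every Validate call; compile it once at package scope, `var cvssVersionRe = regexp.MustCompile(`^CVSS:(\d+\.\d+)/`)`, and use `cvssVersionRe.FindStringSubmatch(cve.CVSSVector)` here. Only the `CVSS:x.y/` prefix is checked before the whole vector is interpolated into the URL fragment and, through the template, into a markdown link; unless the earlier check the comment refers to (above the hunk, Validate's body begins outside it) restricts the vector to the CVSS metric alphabet, characters such as `)` or whitespace would break the rendered link, so consider `url.PathEscape(cve.CVSSVector)` for the fragment. Validate also now mutates the receiver, which its name does not suggest, so its doc comment should state that it additionally fills in CalcLink on success.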