Extend vulnerability severity providers (#98)

* Add severity providers: GHSA, GitLab

* Add severity providers: GHSA, GitLab

* Add REDHAT_CVE and UBUNTU_CVE providers

* rename GHSA to GITHUB

---------

Co-authored-by: Michael Long <[email protected]>

Author: bluesentinelsec

entrypoint/entrypoint/pkg_vuln.py

@@ -15,10 +15,32 @@
 class CvssSourceProvider:
     NVD = "NVD"
     MITRE = "MITRE"
+    GITHUB = "GITHUB"
+    GITLAB = "GITLAB"
+    REDHAT_CVE = "REDHAT_CVE"
+    UBUNTU_CVE = "UBUNTU_CVE"
     AMAZON_INSPECTOR = "AMAZON_INSPECTOR"
-
     DEFAULT_PROVIDER = NVD
 
+def get_rating_providers():
+    """
+    get_rating_providers returns a list of vulnerability
+    severity providers. The action uses this information
+    to determine which vuln severity to render when
+    multiple severity values are present from different
+    vendors. See the function definition to view the
+    order in which severity providers are preferred.
+    """
+
+    # NVD is most preferred, followed by everything
+    # else in the order listed.
+    providers = [CvssSourceProvider.NVD,
+                 CvssSourceProvider.MITRE,
+                 CvssSourceProvider.GITHUB,
+                 CvssSourceProvider.GITLAB,
+                 CvssSourceProvider.AMAZON_INSPECTOR
+                 ]
+    return providers
 
 class CvssSeverity:
     UNTRIAGED = "untriaged"
@@ -255,7 +277,7 @@ def get_cwes(v) -> str:
 
 
 def get_cvss_rating(ratings, vulnerability) -> CvssRating:
-    rating_provider_priority = [CvssSourceProvider.NVD, CvssSourceProvider.MITRE, CvssSourceProvider.AMAZON_INSPECTOR]
+    rating_provider_priority = get_rating_providers()
     for provider in rating_provider_priority:
         for rating in ratings:
             if rating["source"]["name"] != provider: