Add "Status" field to Vulnerability in the scan report

This commit is part of fix of the issue in Harbor:
goharbor/harbor#21445
It addes the "Status" field into vulnerabilities of a scan report,
so that this information can be passed to "harbor-core"

Signed-off-by: Daniel Jiang <daniel.jiang@broadcom.com>

Author: reasonerjt

pkg/harbor/model.go

@@ -154,6 +154,7 @@ type VulnerabilityItem struct {
 	ID               string         `json:"id"`
 	Pkg              string         `json:"package"`
 	Version          string         `json:"version"`
+	Status           string         `json:"status,omitempty"`
 	FixVersion       string         `json:"fix_version,omitempty"`
 	Severity         Severity       `json:"severity"`
 	Description      string         `json:"description"`

pkg/scan/transformer.go

@@ -70,6 +70,7 @@ func (t *transformer) transformVulnerabilities(source []trivy.Vulnerability) []h
 			ID:               v.VulnerabilityID,
 			Pkg:              v.PkgName,
 			Version:          v.InstalledVersion,
+			Status:           v.Status,
 			FixVersion:       v.FixedVersion,
 			Severity:         t.toHarborSeverity(v.Severity),
 			Description:      v.Description,

pkg/scan/transformer_test.go

@@ -45,6 +45,7 @@ func TestTransformer_Transform(t *testing.T) {
 					PkgName:          "PKG-01",
 					InstalledVersion: "PKG-01-VER",
 					FixedVersion:     "PKG-01-FIX-VER",
+					Status:           "fixed",
 					Severity:         "CRITICAL",
 					Description:      "CVE-0000-0001.DESC",
 					References: []string{
@@ -72,6 +73,7 @@ func TestTransformer_Transform(t *testing.T) {
 					PkgName:          "PKG-02",
 					InstalledVersion: "PKG-02-VER",
 					FixedVersion:     "",
+					Status:           "won't fix",
 					Severity:         "HIGH",
 					Description:      "CVE-0000-0002.DESC",
 					References: []string{
@@ -85,6 +87,7 @@ func TestTransformer_Transform(t *testing.T) {
 					VulnerabilityID:  "CVE-0000-0003",
 					PkgName:          "PKG-03",
 					InstalledVersion: "PKG-03-VER",
+					Status:           "fixed",
 					FixedVersion:     "PKG-03-FIX-VER",
 					Severity:         "MEDIUM",
 					Description:      "CVE-0000-0003.DESC",
@@ -101,6 +104,7 @@ func TestTransformer_Transform(t *testing.T) {
 					PkgName:          "PKG-04",
 					InstalledVersion: "PKG-04-VER",
 					FixedVersion:     "PKG-04-FIX-VER",
+					Status:           "fixed",
 					Severity:         "LOW",
 					Description:      "CVE-0000-0004.DESC",
 					References: []string{
@@ -144,6 +148,7 @@ func TestTransformer_Transform(t *testing.T) {
 				ID:          "CVE-0000-0001",
 				Pkg:         "PKG-01",
 				Version:     "PKG-01-VER",
+				Status:      "fixed",
 				FixVersion:  "PKG-01-FIX-VER",
 				Severity:    harbor.SevCritical,
 				Description: "CVE-0000-0001.DESC",
@@ -173,6 +178,7 @@ func TestTransformer_Transform(t *testing.T) {
 				ID:          "CVE-0000-0002",
 				Pkg:         "PKG-02",
 				Version:     "PKG-02-VER",
+				Status:      "won't fix",
 				FixVersion:  "",
 				Severity:    harbor.SevHigh,
 				Description: "CVE-0000-0002.DESC",
@@ -188,6 +194,7 @@ func TestTransformer_Transform(t *testing.T) {
 				ID:          "CVE-0000-0003",
 				Pkg:         "PKG-03",
 				Version:     "PKG-03-VER",
+				Status:      "fixed",
 				FixVersion:  "PKG-03-FIX-VER",
 				Severity:    harbor.SevMedium,
 				Description: "CVE-0000-0003.DESC",
@@ -203,6 +210,7 @@ func TestTransformer_Transform(t *testing.T) {
 				ID:          "CVE-0000-0004",
 				Pkg:         "PKG-04",
 				Version:     "PKG-04-VER",
+				Status:      "fixed",
 				FixVersion:  "PKG-04-FIX-VER",
 				Severity:    harbor.SevLow,
 				Description: "CVE-0000-0004.DESC",

pkg/trivy/model.go

@@ -48,6 +48,7 @@ type Vulnerability struct {
 	VulnerabilityID  string              `json:"VulnerabilityID"`
 	PkgName          string              `json:"PkgName"`
 	InstalledVersion string              `json:"InstalledVersion"`
+	Status           string              `json:"Status"`
 	FixedVersion     string              `json:"FixedVersion"`
 	Title            string              `json:"Title"`
 	Description      string              `json:"Description"`

test/integration/api/rest_api_test.go

@@ -146,6 +146,7 @@ func TestRestAPI(t *testing.T) {
 						Pkg:         "musl",
 						Version:     "1.1.22-r4",
 						FixVersion:  "1.1.22-r5",
+						Status:      "fixed",
 						Severity:    harbor.SevMedium,
 						Description: "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",
 						Links: []string{
@@ -161,6 +162,7 @@ func TestRestAPI(t *testing.T) {
 						Pkg:         "musl-utils",
 						Version:     "1.1.22-r4",
 						FixVersion:  "1.1.22-r5",
+						Status:      "fixed",
 						Severity:    harbor.SevMedium,
 						Description: "In musl libc through 1.2.1, wcsnrtombs mishandles particular combinations of destination buffer size and source character limit, as demonstrated by an invalid write access (buffer overflow).",
 						Links: []string{
@@ -335,6 +337,7 @@ func TestRestAPI(t *testing.T) {
 						Pkg:         "libssl1.1",
 						Version:     "1.1.1c-r0",
 						FixVersion:  "1.1.1d-r0",
+						Status:      "fixed",
 						Severity:    harbor.SevMedium,
 						Description: "OpenSSL 1.1.1 introduced a rewritten random number generator (RNG). This was intended to include protection in the event of a fork() system call in order to ensure that the parent and child processes did not share the same RNG state. However this protection was not being used in the default case. A partial mitigation for this issue is that the output from a high precision timer is mixed into the RNG state so the likelihood of a parent and child process sharing state is significantly reduced. If an application already calls OPENSSL_init_crypto() explicitly using OPENSSL_INIT_ATFORK then this problem does not occur at all. Fixed in OpenSSL 1.1.1d (Affected 1.1.1-1.1.1c).",
 						Links: []string{