feat: support ubutnu severity type

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/jedib0t/go-pretty/v6 v6.6.7
 	github.com/muesli/reflow v0.3.0
 	github.com/opencontainers/go-digest v1.0.0
-	github.com/ossf/osv-schema/bindings/go v0.0.0-20250701001340-180f03cc6901
+	github.com/ossf/osv-schema/bindings/go v0.0.0-20250715064423-7310c9ec4b2a
 	github.com/owenrumney/go-sarif/v3 v3.2.1
 	github.com/package-url/packageurl-go v0.1.3
 	github.com/pandatix/go-cvss v0.6.2

go.sum

@@ -306,8 +306,8 @@ github.com/opencontainers/runtime-spec v1.2.1 h1:S4k4ryNgEpxW1dzyqffOmhI1BHYcjzU
 github.com/opencontainers/runtime-spec v1.2.1/go.mod h1:jwyrGlmzljRJv/Fgzds9SsS/C5hL+LL3ko9hs6T5lQ0=
 github.com/opencontainers/selinux v1.12.0 h1:6n5JV4Cf+4y0KNXW48TLj5DwfXpvWlxXplUkdTrmPb8=
 github.com/opencontainers/selinux v1.12.0/go.mod h1:BTPX+bjVbWGXw7ZZWUbdENt8w0htPSrlgOOysQaU62U=
-github.com/ossf/osv-schema/bindings/go v0.0.0-20250701001340-180f03cc6901 h1:WqiL5LXnCYjEgibZc+M8+jamka8gi1ySjNiuqFWWKEE=
-github.com/ossf/osv-schema/bindings/go v0.0.0-20250701001340-180f03cc6901/go.mod h1:lILztSxHU7VsdlYqCnwgxSDBhbXMf7iEQWtldJCDXPo=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20250715064423-7310c9ec4b2a h1:eff71rMluaulxKV/PaG70M0DWvw79AuEXa4K8mHJkuk=
+github.com/ossf/osv-schema/bindings/go v0.0.0-20250715064423-7310c9ec4b2a/go.mod h1:lILztSxHU7VsdlYqCnwgxSDBhbXMf7iEQWtldJCDXPo=
 github.com/owenrumney/go-sarif/v3 v3.2.1 h1:Dogf2wkOxxRkG3O/B9T6dokyDSl36q19tlMYtXOTThE=
 github.com/owenrumney/go-sarif/v3 v3.2.1/go.mod h1:S2sdyDnv0sxN5x+M8iFZIzZE2+uTX/1uXlwTRx0efT0=
 github.com/package-url/packageurl-go v0.1.3 h1:4juMED3hHiz0set3Vq3KeQ75KD1avthoXLtmE3I0PLs=

internal/image/fixtures/ubuntu20-04-unimportant-config.toml

@@ -67,3 +67,8 @@ ignore = true
 name = "gnutls28"
 reason = "Just want to test only unimportant vulns"
 ignore = true
+
+[[PackageOverrides]]
+name = "tar"
+reason = "Just want to test only unimportant vulns"
+ignore = true

internal/utility/severity/severity.go

@@ -59,6 +59,8 @@ func CalculateScore(severity osvschema.Severity) (float64, string, error) {
 			score = vec.Score()
 			rating, err = gocvss40.Rating(score)
 		}
+	case osvschema.SeverityUbuntu:
+		rating = severity.Score
 	}
 
 	return score, rating, err

pkg/osvscanner/vulnerability_result.go

@@ -185,7 +185,7 @@ func buildVulnerabilityResults(
 // within their respective groups' experimental analysis.
 func setUnimportant(pkg *models.PackageVulns) {
 	for _, vuln := range pkg.Vulnerabilities {
-		if !isUnimportant(vuln.Affected) {
+		if !isUnimportant(vuln) {
 			continue
 		}
 		for i, group := range pkg.Groups {
@@ -211,11 +211,18 @@ func setUnimportant(pkg *models.PackageVulns) {
 // isUnimportant checks if a Debian-based vulnerability is tagged as unimportant
 // Debian: https://security-team.debian.org/security_tracker.html#severity-levels
 // Ubuntu: https://ubuntu.com/security/cves/about#priority
-func isUnimportant(affectedPackages []osvschema.Affected) bool {
-	for _, affected := range affectedPackages {
+func isUnimportant(vuln osvschema.Vulnerability) bool {
+	for _, severity := range vuln.Severity {
+		if strings.HasPrefix(vuln.ID, "UBUNTU-CVE-") && severity.Type == osvschema.SeverityUbuntu {
+			return severity.Score == "negligible"
+		}
+	}
+
+	for _, affected := range vuln.Affected {
 		if affected.EcosystemSpecific["urgency"] == "unimportant" {
 			return true
 		}
+		// TODO (gongh@): Remove this once Ubuntu has fully moved all priority tags into the severity field.
 		if affected.EcosystemSpecific["ubuntu_priority"] == "negligible" {
 			return true
 		}