Collect ubuntu priority severity

Signed-off-by: Keshav Priyadarshi <git@keshav.space>

Author: keshav-space

vulnerabilities/importers/__init__.py

@@ -74,6 +74,7 @@
 from vulnerabilities.pipelines.v2_importers import pysec_importer as pysec_importer_v2
 from vulnerabilities.pipelines.v2_importers import redhat_importer as redhat_importer_v2
 from vulnerabilities.pipelines.v2_importers import ruby_importer as ruby_importer_v2
+from vulnerabilities.pipelines.v2_importers import ubuntu_osv_importer as ubuntu_osv_importer_v2
 from vulnerabilities.pipelines.v2_importers import vulnrichment_importer as vulnrichment_importer_v2
 from vulnerabilities.pipelines.v2_importers import xen_importer as xen_importer_v2
 from vulnerabilities.utils import create_registry
@@ -107,6 +108,7 @@
         debian_importer_v2.DebianImporterPipeline,
         mattermost_importer_v2.MattermostImporterPipeline,
         apache_tomcat_v2.ApacheTomcatImporterPipeline,
+        ubuntu_osv_importer_v2.UbuntuOSVImporterPipeline,
         nvd_importer.NVDImporterPipeline,
         github_importer.GitHubAPIImporterPipeline,
         gitlab_importer.GitLabImporterPipeline,

vulnerabilities/migrations/0112_alter_advisoryseverity_scoring_system_and_more.py

@@ -1,4 +1,4 @@
-# Generated by Django 4.2.25 on 2026-02-04 07:49
+# Generated by Django 4.2.25 on 2026-02-05 10:10
 
 from django.db import migrations, models
 
@@ -29,9 +29,9 @@ class Migration(migrations.Migration):
                     ("epss", "Exploit Prediction Scoring System"),
                     ("ssvc", "Stakeholder-Specific Vulnerability Categorization"),
                     ("openssl", "OpenSSL Severity"),
-                    ("ubuntu", "Ubuntu priority"),
+                    ("ubuntu-priority", "Ubuntu Priority"),
                 ],
-                help_text="Identifier for the scoring system used. Available choices are: cvssv2: CVSSv2 Base Score,\ncvssv3: CVSSv3 Base Score,\ncvssv3.1: CVSSv3.1 Base Score,\ncvssv4: CVSSv4 Base Score,\nrhbs: RedHat Bugzilla severity,\nrhas: RedHat Aggregate severity,\narchlinux: Archlinux Vulnerability Group Severity,\ncvssv3.1_qr: CVSSv3.1 Qualitative Severity Rating,\ngeneric_textual: Generic textual severity rating,\napache_httpd: Apache Httpd Severity,\napache_tomcat: Apache Tomcat Severity,\nepss: Exploit Prediction Scoring System,\nssvc: Stakeholder-Specific Vulnerability Categorization,\nopenssl: OpenSSL Severity,\nubuntu: Ubuntu priority ",
+                help_text="Identifier for the scoring system used. Available choices are: cvssv2: CVSSv2 Base Score,\ncvssv3: CVSSv3 Base Score,\ncvssv3.1: CVSSv3.1 Base Score,\ncvssv4: CVSSv4 Base Score,\nrhbs: RedHat Bugzilla severity,\nrhas: RedHat Aggregate severity,\narchlinux: Archlinux Vulnerability Group Severity,\ncvssv3.1_qr: CVSSv3.1 Qualitative Severity Rating,\ngeneric_textual: Generic textual severity rating,\napache_httpd: Apache Httpd Severity,\napache_tomcat: Apache Tomcat Severity,\nepss: Exploit Prediction Scoring System,\nssvc: Stakeholder-Specific Vulnerability Categorization,\nopenssl: OpenSSL Severity,\nubuntu-priority: Ubuntu Priority ",
                 max_length=50,
             ),
         ),
@@ -54,9 +54,9 @@ class Migration(migrations.Migration):
                     ("epss", "Exploit Prediction Scoring System"),
                     ("ssvc", "Stakeholder-Specific Vulnerability Categorization"),
                     ("openssl", "OpenSSL Severity"),
-                    ("ubuntu", "Ubuntu priority"),
+                    ("ubuntu-priority", "Ubuntu Priority"),
                 ],
-                help_text="Identifier for the scoring system used. Available choices are: cvssv2: CVSSv2 Base Score,\ncvssv3: CVSSv3 Base Score,\ncvssv3.1: CVSSv3.1 Base Score,\ncvssv4: CVSSv4 Base Score,\nrhbs: RedHat Bugzilla severity,\nrhas: RedHat Aggregate severity,\narchlinux: Archlinux Vulnerability Group Severity,\ncvssv3.1_qr: CVSSv3.1 Qualitative Severity Rating,\ngeneric_textual: Generic textual severity rating,\napache_httpd: Apache Httpd Severity,\napache_tomcat: Apache Tomcat Severity,\nepss: Exploit Prediction Scoring System,\nssvc: Stakeholder-Specific Vulnerability Categorization,\nopenssl: OpenSSL Severity,\nubuntu: Ubuntu priority ",
+                help_text="Identifier for the scoring system used. Available choices are: cvssv2: CVSSv2 Base Score,\ncvssv3: CVSSv3 Base Score,\ncvssv3.1: CVSSv3.1 Base Score,\ncvssv4: CVSSv4 Base Score,\nrhbs: RedHat Bugzilla severity,\nrhas: RedHat Aggregate severity,\narchlinux: Archlinux Vulnerability Group Severity,\ncvssv3.1_qr: CVSSv3.1 Qualitative Severity Rating,\ngeneric_textual: Generic textual severity rating,\napache_httpd: Apache Httpd Severity,\napache_tomcat: Apache Tomcat Severity,\nepss: Exploit Prediction Scoring System,\nssvc: Stakeholder-Specific Vulnerability Categorization,\nopenssl: OpenSSL Severity,\nubuntu-priority: Ubuntu Priority ",
                 max_length=50,
             ),
         ),

vulnerabilities/pipes/osv_v2.py

@@ -51,6 +51,12 @@
     "crates.io": "cargo",
 }
 
+OSV_TO_VCIO_SEVERITY_MAP = {
+    "cvss_v3": "cvssv3.1",
+    "cvss_v4": "cvssv4",
+    "ubuntu": "ubuntu-priority",
+}
+
 
 def parse_advisory_data_v3(
     raw_data: dict, supported_ecosystems, advisory_url: str, advisory_text: str
@@ -242,27 +248,33 @@ def get_severities(raw_data, url) -> Iterable[VulnerabilitySeverity]:
     try:
         for severity in raw_data.get("severity") or []:
             severity_type = severity.get("type")
-            score = severity.get("score")
+            value = severity.get("score")
+            severity_type = severity_type.lower()
+            scoring_element = None
+
+            if (
+                severity_type not in SCORING_SYSTEMS
+                and severity_type not in OSV_TO_VCIO_SEVERITY_MAP
+            ):
+                logger.error(
+                    f"Unsupported severity type: {severity!r} for OSV id: {raw_data.get('id')!r}"
+                )
+                continue
 
-            if severity_type == "CVSS_V3":
-                system = SCORING_SYSTEMS["cvssv3.1"]
-                valid_vector = score[:-1] if score and score.endswith("/") else score
-                value = system.compute(valid_vector)
-                yield VulnerabilitySeverity(system=system, value=value, scoring_elements=score)
+            severity_type = OSV_TO_VCIO_SEVERITY_MAP.get(severity_type, severity_type)
+            system = SCORING_SYSTEMS[severity_type]
 
-            elif severity_type == "CVSS_V4":
-                system = SCORING_SYSTEMS["cvssv4"]
-                valid_vector = score[:-1] if score and score.endswith("/") else score
+            if severity_type in ["cvssv3.1", "cvssv4"]:
+                scoring_element = value
+                valid_vector = value[:-1] if value and value.endswith("/") else value
                 value = system.compute(valid_vector)
-                yield VulnerabilitySeverity(system=system, value=value, scoring_elements=score)
-            elif severity_type.lower() in SCORING_SYSTEMS:
-                system = SCORING_SYSTEMS[severity_type.lower()]
-                yield VulnerabilitySeverity(system=system, value=score, url=url)
 
-            else:
-                logger.error(
-                    f"Unsupported severity type: {severity!r} for OSV id: {raw_data.get('id')!r}"
-                )
+            yield VulnerabilitySeverity(
+                system=system,
+                value=value,
+                scoring_elements=scoring_element,
+                url=url,
+            )
     except (CVSS3MalformedError, CVSS4MalformedError) as e:
         logger.error(f"Invalid severity {e}")
 

vulnerabilities/severity_systems.py

@@ -196,12 +196,12 @@ def get(self, scoring_elements: str) -> dict:
     "Low",
 ]
 
-UBUNTU = ScoringSystem(
-    identifier="ubuntu",
-    name="Ubuntu priority",
+UBUNTU_PRIORITY = ScoringSystem(
+    identifier="ubuntu-priority",
+    name="Ubuntu Priority",
     url="https://ubuntu.com/security/cves/about#priority",
 )
-UBUNTU.choices = [
+UBUNTU_PRIORITY.choices = [
     "Critical",
     "High",
     "Medium",
@@ -252,6 +252,6 @@ def get(self, scoring_elements: str):
         EPSS,
         SSVC,
         OPENSSL,
-        UBUNTU,
+        UBUNTU_PRIORITY,
     )
 }

vulnerabilities/tests/test_data/ubuntu/ubuntu_osv_advisoryv2-expected.json

@@ -36,9 +36,9 @@
     "patches": [],
     "severities": [
       {
-        "system": "ubuntu",
+        "system": "ubuntu-priority",
         "value": "low",
-        "scoring_elements": ""
+        "scoring_elements": null
       }
     ],
     "date_published": "2014-04-05T21:55:00+00:00",
@@ -139,9 +139,9 @@
     "patches": [],
     "severities": [
       {
-        "system": "ubuntu",
+        "system": "ubuntu-priority",
         "value": "medium",
-        "scoring_elements": ""
+        "scoring_elements": null
       }
     ],
     "date_published": "2020-05-24T00:00:00+00:00",
@@ -199,9 +199,9 @@
     "patches": [],
     "severities": [
       {
-        "system": "ubuntu",
+        "system": "ubuntu-priority",
         "value": "low",
-        "scoring_elements": ""
+        "scoring_elements": null
       }
     ],
     "date_published": "2010-04-06T16:30:00+00:00",
@@ -250,9 +250,9 @@
     "patches": [],
     "severities": [
       {
-        "system": "ubuntu",
+        "system": "ubuntu-priority",
         "value": "low",
-        "scoring_elements": ""
+        "scoring_elements": null
       }
     ],
     "date_published": "2015-03-17T00:00:00+00:00",
@@ -342,15 +342,15 @@
     ],
     "patches": [],
     "severities": [
-      {
-        "system": "ubuntu",
-        "value": "medium",
-        "scoring_elements": ""
-      },
       {
         "system": "cvssv3.1",
         "value": "9.8",
         "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+      },
+      {
+        "system": "ubuntu-priority",
+        "value": "medium",
+        "scoring_elements": null
       }
     ],
     "date_published": "2020-03-23T22:15:00+00:00",
@@ -440,11 +440,6 @@
     ],
     "patches": [],
     "severities": [
-      {
-        "system": "ubuntu",
-        "value": "medium",
-        "scoring_elements": ""
-      },
       {
         "system": "cvssv3.1",
         "value": "4.2",
@@ -459,6 +454,11 @@
         "system": "cvssv4",
         "value": "2.3",
         "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+      },
+      {
+        "system": "ubuntu-priority",
+        "value": "medium",
+        "scoring_elements": null
       }
     ],
     "date_published": "2025-12-09T16:17:00+00:00",