Commit
hack: hard-code severity for debian CVE-2023-44487 (#448)
* hack: hard-code severity for debian CVE-2023-44487

The Debian feed contains per-package urgency for CVEs, which Vunnel translates into per-package severity, and then collapses into a single per-CVE severity by having the most severe severity win. However, unknown severities always lose the comparison. This means that the particular CVE here, CVE-2023-44487, which has a single negligible package and a bunch of unknowns, is treated as negligible severity for every package, which is incorrect. Hard-code it to high severity while we figure out what schema changes and logic changes are needed to put in a lasting fix.

Signed-off-by: Will Murphy <[email protected]>

* fix: hard-code unknown instead of high

Signed-off-by: Will Murphy <[email protected]>

* log that data is being modified

Signed-off-by: Will Murphy <[email protected]>

---------

Signed-off-by: Will Murphy <[email protected]>
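The collapse behaviour the commit message describes, as an added example that is not Vunnel's code or part of this commit: the severity ranking, the function names, the package names and the `masked_by_unknowns` check are all assumptions made for illustration.

```python
import logging

log = logging.getLogger("severity-example")

# Assumed ranking: "Unknown" sorts below every real severity, so it always loses.
RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Per-CVE override applied after collapsing; the value follows the commit's
# second bullet ("hard-code unknown instead of high").
OVERRIDES = {"CVE-2023-44487": "Unknown"}

# Constructed sample: one negligible package and several unknowns.
SAMPLE = {"pkg-a": "Negligible", "pkg-b": "Unknown", "pkg-c": "Unknown", "pkg-d": "Unknown"}


def collapse(per_package):
    """Most severe per-package severity wins; unknowns never beat a known value."""
    return max(per_package.values(), key=lambda s: RANK[s], default="Unknown")


def cve_severity(cve_id, per_package):
    """Collapse to one per-CVE severity, then apply any override and log the change."""
    collapsed = collapse(per_package)
    override = OVERRIDES.get(cve_id)
    if override is not None and override != collapsed:
        log.warning("overriding %s severity: %s -> %s", cve_id, collapsed, override)
        return override
    return collapsed


def masked_by_unknowns(per_package):
    """True when the collapsed value rests on fewer known entries than unknown ones."""
    known = [s for s in per_package.values() if s != "Unknown"]
    return 0 < len(known) < len(per_package) - len(known)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(collapse(SAMPLE))                         # plain collapse result
    print(cve_severity("CVE-2023-44487", SAMPLE))   # after the override
    print(masked_by_unknowns(SAMPLE))               # same pattern detector
```

Running `masked_by_unknowns` over every collapsed record is one way to find other CVEs whose single per-CVE severity is driven by a minority of known per-package values.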