stackrox
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci.yaml
Lines changed: 1 addition & 1 deletion
diff --git a/‎e2etests/vuln_test.go
Lines changed: 13 additions & 22 deletions b/‎e2etests/vuln_test.go
Lines changed: 13 additions & 22 deletions
diff --git a/‎pkg/env/list.go
Lines changed: 3 additions & 3 deletions b/‎pkg/env/list.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎pkg/vulnloader/nvdloader/convert.go
Lines changed: 12 additions & 8 deletions b/‎pkg/vulnloader/nvdloader/convert.go
Lines changed: 12 additions & 8 deletions
@@ -162,7 +162,7 @@ jobs:
       contains(github.event.pull_request.labels.*.name, 'generate-dumps-on-pr')
     env:
       NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
-      ROX_LEGACY_NVD_LOADER: true
+      ROX_NVD_FEED_LOADER: true
     runs-on: ubuntu-latest
     needs:
       - pre-build-updater
 
@@ -142,23 +142,16 @@ func TestStackroxVulnImages(t *testing.T) {
 			image: "quay.io/rhacs-eng/qa:rails-cve-2016-2098",
 			expectedFeatures: []feature{
 				{"rails", "4.2.5.1", []expectedVuln{
+					{name: "CVE-2016-2098"},
+					{name: "CVE-2016-6316"},
+					{name: "CVE-2016-6317"},
 					{name: "CVE-2018-16476", fixedBy: "4.2.11"},
 					{name: "CVE-2019-5418", fixedBy: "4.2.11.1"},
 					{name: "CVE-2019-5419", fixedBy: "4.2.11.1"},
 					{name: "CVE-2019-5420", fixedBy: "5.2.2.1"},
 				},
 				},
 			},
-			unexpectedVulns: []feature{
-				{"rails", "4.2.5.1", []expectedVuln{
-					// These three vulns should exist, but NVD set these to deferred.
-					// Placing them here until they are no longer deferred.
-					{name: "CVE-2016-2098"},
-					{name: "CVE-2016-6316"},
-					{name: "CVE-2016-6317"},
-				},
-				},
-			},
 		},
 		{
 			// docker.io/1and1internet/ubuntu-16-customerssh:latest
@@ -184,6 +177,10 @@ func TestStackroxVulnImages(t *testing.T) {
 					{name: "CVE-2019-10086", fixedBy: ""},
 				},
 				},
+				{"commons_fileupload", "1.3.2", []expectedVuln{
+					{name: "CVE-2016-1000031", fixedBy: ""},
+				},
+				},
 				{"guava", "18.0", []expectedVuln{
 					{name: "CVE-2018-10237", fixedBy: "24.1.1"},
 				},
@@ -197,12 +194,6 @@ func TestStackroxVulnImages(t *testing.T) {
 					{name: "CVE-2015-2512"},
 				},
 				},
-				{"commons_fileupload", "1.3.2", []expectedVuln{
-					// This vuln should exist, but NVD set it to deferred.
-					// Placing it here until they are no longer deferred.
-					{name: "CVE-2016-1000031", fixedBy: ""},
-				},
-				},
 			},
 		},
 		{
@@ -218,17 +209,17 @@ func TestStackroxVulnImages(t *testing.T) {
 		{
 			// docker.io/library/cassandra:latest
 			image: "quay.io/rhacs-eng/qa:cassandra",
+			expectedFeatures: []feature{
+				{"logback", "1.1.3", []expectedVuln{
+					{name: "CVE-2017-5929", fixedBy: ""},
+				},
+				},
+			},
 			unexpectedVulns: []feature{
 				{"slingshot", "0.10.3", []expectedVuln{
 					{name: "CVE-2015-5711"},
 				},
 				},
-				{"logback", "1.1.3", []expectedVuln{
-					// This vuln should exist, but NVD set it to deferred.
-					// Placing it here until they are no longer deferred.
-					{name: "CVE-2017-5929", fixedBy: ""},
-				},
-				},
 			},
 		},
 		{
 
@@ -41,9 +41,9 @@ var (
 	// MaxGrpcConcurrentStreams configures the maximum number of HTTP/2 streams to use with gRPC
 	MaxGrpcConcurrentStreams = RegisterIntegerSetting("ROX_GRPC_MAX_CONCURRENT_STREAMS", DefaultMaxGrpcConcurrentStreams)
 
-	// LegacyNVDLoader when true will cause the loader to pull NVD data using
-	// the NVD Legacy Data Feeds, if false will pull from the NVD 2.0 API.
-	LegacyNVDLoader = RegisterBooleanSetting("ROX_LEGACY_NVD_LOADER", false)
+	// NVDFeedLoader when true will cause the loader to pull NVD data using
+	// the NVD 2.0 Data Feeds. If false, the loader will pull from the NVD 2.0 API.
+	NVDFeedLoader = RegisterBooleanSetting("ROX_NVD_FEED_LOADER", false)
 
 	// RHLineage when true will cause all parent layers (a.k.a lineage) to be considered when
 	// storing scan results for RHEL image layers.
 
@@ -14,7 +14,7 @@ const (
 	jsonTimeFormat = "2006-01-02T15:04Z"
 )
 
-func toJSON(vulns []*apischema.CVEAPIJSON20DefCVEItem) ([]*jsonschema.NVDCVEFeedJSON10DefCVEItem, error) {
+func toJSON10(vulns []*apischema.CVEAPIJSON20DefCVEItem) ([]*jsonschema.NVDCVEFeedJSON10DefCVEItem, error) {
 	if vulns == nil {
 		return nil, nil
 	}
@@ -152,14 +152,18 @@ func toBaseMetricV2(metrics []*apischema.CVEAPIJSON20CVSSV2) *jsonschema.NVDCVEF
 }
 
 func toBaseMetricV3(metrics30 []*apischema.CVEAPIJSON20CVSSV30, metrics31 []*apischema.CVEAPIJSON20CVSSV31) *jsonschema.NVDCVEFeedJSON10DefImpactBaseMetricV3 {
-	switch {
-	case len(metrics31) != 0:
-		return toBaseMetricV31(metrics31)
-	case len(metrics30) != 0:
-		return toBaseMetricV30(metrics30)
-	default:
-		return nil
+	// Prefer CVSS 3.1.
+	baseMetric := toBaseMetricV31(metrics31)
+	if baseMetric != nil {
+		return baseMetric
+	}
+
+	baseMetric = toBaseMetricV30(metrics30)
+	if baseMetric != nil {
+		return baseMetric
 	}
+
+	return nil
 }
 
 func toBaseMetricV31(metrics []*apischema.CVEAPIJSON20CVSSV31) *jsonschema.NVDCVEFeedJSON10DefImpactBaseMetricV3 {