DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Add CVSS score for GHSA vulnerabilities #2900

Open WDN2010 opened 1 year ago

WDN2010 commented 1 year ago

Current Behavior

Currently, all vulnerabilities in the GitHub Security Advisories database do not have a CVSS score, even though they are available on the GitHub page. For instance, CVE-2019-10086 has a CVSS score of 7.3 in the DTrack database, but the alias GHSA-6phf-73q6-gh87 does not have any CVSS score. However, if we visit the vulnerability page on GitHub (https://github.com/advisories/GHSA-6phf-73q6-gh87), we can see that there is a CVSS score with a detailed vector that can be loaded and used by Dependency Track.

Proposed Behavior

It's needed to download and utilize the CVSS score from the GHSA database to ensure a more comprehensive vulnerability database and make informed decisions regarding the vulnerabilities found.


nscuro commented 1 year ago

Thanks for reporting @WDN2010. I am relabeling this as defect, because we already parse this info from GHSA. Perhaps the fields or the way they are populated in their GraphQL API have changed slightly. In any case, GHSAs mirrored by DT should definitely have CVSS scores.

msymons commented 1 year ago

@nscuro, what to do when a GHSA vulnerability has a CVE alias and the CVSS differs?

nscuro commented 11 months ago

@msymons For the time being, they'll simply be tracked as two separate vulnerabilities, each with their own scoring. That's why we track aliases separately, instead of simply merging multiple vulnerabilities into a single record.
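An added example (not Dependency-Track's own mirror code) showing the two points raised in this thread: a mirrored GHSA gets its CVSS score recomputed from the advisory's vector string, so an empty `score` field in the feed does not leave the record scoreless, and a CVE alias stays a separate record with its own score, so a differing score is reported rather than merged away. The GraphQL field names (`ghsaId`, `identifiers`, `cvss.score`, `cvss.vectorString`), the vector used for GHSA-6phf-73q6-gh87 (the NVD vector of CVE-2019-10086) and the second advisory's placeholder IDs and vector are all constructed assumptions.

```python
import json
import math
from dataclasses import dataclass, field
from typing import Optional

# CVSS v3.1 base-metric weights (CVSS v3.1 specification, section 7.4).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(x: float) -> float:
    """Round up to one decimal as defined in CVSS v3.1 Appendix A."""
    int_input = round(x * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score for a vector like 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'."""
    parts = vector.split("/")
    if parts[0] != "CVSS:3.1":  # v3.0/v2 vectors use different rounding; not handled here
        raise ValueError(f"unsupported CVSS version in {vector!r}")
    m = dict(p.split(":", 1) for p in parts[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    pr = (PR_CHANGED if changed else PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return _roundup(min(total, 10))


@dataclass
class Vulnerability:
    vuln_id: str
    source: str  # which mirror produced this record ("GITHUB" or "NVD")
    cvss_v3_score: Optional[float] = None
    cvss_v3_vector: Optional[str] = None
    aliases: list = field(default_factory=list)


def mirror_ghsa(response_json: str, records: dict) -> dict:
    """Add one record per GHSA to `records`, linking CVE aliases in both directions.
    Alias records are never merged; each keeps the score its own source gave it."""
    for node in json.loads(response_json)["data"]["securityAdvisories"]["nodes"]:
        cvss = node.get("cvss") or {}
        vector = cvss.get("vectorString") or None
        score = cvss.get("score")
        if vector:
            try:  # prefer the vector: a stale or empty `score` field cannot then blank the record
                score = cvss31_base_score(vector)
            except ValueError:
                pass  # unknown vector format: fall back to the feed's score field
        ghsa = Vulnerability(node["ghsaId"], "GITHUB", score, vector)
        for ident in node.get("identifiers", []):
            if ident["type"] == "CVE":
                ghsa.aliases.append(ident["value"])
                cve = records.setdefault(ident["value"], Vulnerability(ident["value"], "NVD"))
                if ghsa.vuln_id not in cve.aliases:
                    cve.aliases.append(ghsa.vuln_id)
        records[ghsa.vuln_id] = ghsa
    return records


def alias_score_conflicts(records: dict) -> list:
    """(ghsa_id, alias_id, ghsa_score, alias_score) for aliases whose scores differ."""
    out = []
    for v in records.values():
        if v.source != "GITHUB":
            continue
        for alias in v.aliases:
            other = records.get(alias)
            if other and other.cvss_v3_score is not None and other.cvss_v3_score != v.cvss_v3_score:
                out.append((v.vuln_id, alias, v.cvss_v3_score, other.cvss_v3_score))
    return out


# Constructed sample feed (assumed field names). The first node carries an empty
# `score` but a full vector; the second uses placeholder IDs and a vector chosen
# to score differently from what its CVE alias has in the NVD-seeded records.
SAMPLE_RESPONSE = json.dumps({"data": {"securityAdvisories": {"nodes": [
    {"ghsaId": "GHSA-6phf-73q6-gh87",
     "identifiers": [{"type": "GHSA", "value": "GHSA-6phf-73q6-gh87"},
                     {"type": "CVE", "value": "CVE-2019-10086"}],
     "cvss": {"score": None,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}},
    {"ghsaId": "GHSA-xxxx-xxxx-xxxx",
     "identifiers": [{"type": "CVE", "value": "CVE-0000-00000"}],
     "cvss": {"score": 5.6,
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}},
]}}})

# Records as an NVD mirror would have seeded them (constructed; 7.3 is the value
# this issue reports for CVE-2019-10086).
NVD_RECORDS = {
    "CVE-2019-10086": Vulnerability("CVE-2019-10086", "NVD", 7.3,
                                    "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"),
    "CVE-0000-00000": Vulnerability("CVE-0000-00000", "NVD", 7.3),
}

if __name__ == "__main__":
    recs = mirror_ghsa(SAMPLE_RESPONSE, dict(NVD_RECORDS))
    for vid, v in recs.items():
        print(vid, v.source, v.cvss_v3_score, v.aliases)
    print("score conflicts between aliases:", alias_score_conflicts(recs))
```

Running it lists four records: the GHSA mirrored with 7.3 even though the feed's `score` field was empty, its CVE alias with the NVD score and a back-reference to the GHSA, and the placeholder pair reported by `alias_score_conflicts` because the GHSA vector scores 5.6 while the alias holds 7.3. Recomputing from the vector is the design choice worth copying: a vector is the ground truth the score is derived from, so storing both and deriving the score locally makes a missing or stale score field in the upstream feed visible rather than silent.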

rkg-mm commented 7 months ago

Is this a duplicate of #2474 fixed by #3151?

khaledgithubwl commented 3 months ago

@nscuro any news for this issue?