Open WDN2010 opened 1 year ago
Thanks for reporting @WDN2010. I am relabeling this as defect, because we already parse this info from GHSA. Perhaps the fields or the way they are populated in their GraphQL API have changed slightly. In any case, GHSAs mirrored by DT should definitely have CVSS scores.
@nscuro, what to do when a GHSA vulnerability has a CVE alias and the CVSS differs?
@msymons For the time being, they'll simply be tracked as two separate vulnerabilities, each with their own scoring. That's why we track aliases separately, instead of simply merging multiple vulnerabilities into a single record.
Is this a duplicate of #2474 fixed by #3151?
@nscuro any news on this issue?
Current Behavior
Currently, none of the vulnerabilities in the GitHub Security Advisories database have a CVSS score, even though the scores are available on the GitHub page. For instance, CVE-2019-10086 has a CVSS score of 7.3 in the DTrack database, but its alias GHSA-6phf-73q6-gh87 does not have any CVSS score. However, if we visit the vulnerability page on GitHub (https://github.com/advisories/GHSA-6phf-73q6-gh87), we can see that there is a CVSS score with a detailed vector that can be loaded and used by Dependency Track.
Proposed Behavior
It is necessary to download and use the CVSS score from the GHSA database, to ensure a more comprehensive vulnerability database and to make informed decisions regarding the vulnerabilities found.
Checklist