KvasirSecurity / Kvasir

Kvasir: Penetration Test Data Management

Severity mappings are wicked wrong #168

Closed grutz closed 9 years ago

grutz commented 9 years ago

When Kvasir was created I played a little loose with the vulnerability severity level to name mapping. Throughout the lifecycle this shifted a few times and eventually settled to an info/low/med/high setting. CVSS, of course, has a better mapping - https://nvd.nist.gov/cvss.cfm:

NVD Vulnerability Severity Ratings 
NVD provides severity rankings of "Low," "Medium," and "High" in addition to the numeric CVSS scores
but these qualitative rankings are simply mapped from the numeric CVSS scores:
1. Vulnerabilities are labeled "Low" severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled "Medium" severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled "High" severity if they have a CVSS base score of 7.0-10.0.

In modules/skaldship/general.py we have this function to map from number to name:

def severity_mapping(sevnum='1', totype='color'):
    """
    Convert a severity number (1-10) to a name (Info, Low, Medium, High)
    or color. We cover 0-3 as info and go to 11 to cover the awesomeness
    """
    # (index, name, color); the list index doubles as the severity number
    severitymap = [ (0, 'Informational', 'grey'),
                    (1, 'Informational', 'grey'),
                    (2, 'Informational', 'grey'),
                    (3, 'Low', 'green'),
                    (4, 'Low', 'green'),
                    (5, 'Medium', 'orange'),
                    (6, 'Medium', 'orange'),
                    (7, 'Medium', 'orange'),
                    (8, 'High', 'red'),
                    (9, 'High', 'red'),
                    (10, 'High', 'red'),
                    (11, 'High', 'red'),
                  ]
    # Return the color or the name of the entry, depending on totype
    entry = severitymap[int(sevnum)]
    return entry[2] if totype == 'color' else entry[1]

Which is pretty wrong. Making a change is REQUIRED but may impact some users. I still think 0's are Informational and not low so I will keep it as such. The new mapping:

def severity_mapping(sevnum='1', totype='color'):
    """
    Convert a severity number (0-10) to a name (Info, Low, Medium, High)
    or color, following the NVD bands: 0 is Informational, 1-3 Low,
    4-6 Medium, 7-10 High. Index 11 is kept to cover the awesomeness
    """
    # (index, name, color); the list index doubles as the severity number
    severitymap = [ (0, 'Informational', 'grey'),
                    (1, 'Low', 'grey'),
                    (2, 'Low', 'grey'),
                    (3, 'Low', 'green'),
                    (4, 'Medium', 'green'),
                    (5, 'Medium', 'orange'),
                    (6, 'Medium', 'orange'),
                    (7, 'High', 'orange'),
                    (8, 'High', 'red'),
                    (9, 'High', 'red'),
                    (10, 'High', 'red'),
                    (11, 'High', 'red'),
                  ]
    # Return the color or the name of the entry, depending on totype
    entry = severitymap[int(sevnum)]
    return entry[2] if totype == 'color' else entry[1]
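As an added illustration (not Kvasir's code), the mapping below works directly on the NVD band boundaries quoted above instead of a lookup table, so fractional CVSS scores such as '7.5' (which `int('7.5')` rejects) and out-of-range values are handled, and it keeps the author's choice that a 0 is Informational. The `changed_integer_scores` helper compares the old Kvasir table from this issue against the NVD bands to list which integer scores change name; the function and band names are assumptions of this example.

```python
# Added example: NVD-band severity mapping plus a check of the old Kvasir table.
# Band list is constructed from the NVD text quoted in the issue; the 0.0 band is
# the issue author's choice to keep a zero score Informational rather than Low.
NVD_BANDS = (
    (0.0, 0.0, "Informational", "grey"),
    (0.1, 3.9, "Low", "green"),
    (4.0, 6.9, "Medium", "orange"),
    (7.0, 10.0, "High", "red"),
)

# Names from the old Kvasir table in the issue, indexed by integer score 0-10
OLD_KVASIR_NAMES = (["Informational"] * 3 + ["Low"] * 2
                    + ["Medium"] * 3 + ["High"] * 3)


def is_valid_cvss(score):
    """True if score parses as a number within the CVSS base-score range 0.0-10.0."""
    try:
        value = float(score)
    except (TypeError, ValueError):
        return False
    return 0.0 <= value <= 10.0


def severity_from_cvss(score, totype="name"):
    """Map a CVSS base score (str, int or float) to an NVD severity name or colour.

    Scores are rounded to one decimal, as CVSS publishes them, so every valid
    value falls inside exactly one band.
    """
    if not is_valid_cvss(score):
        raise ValueError("CVSS base score must be numeric in 0.0-10.0, got %r" % (score,))
    value = round(float(score), 1)
    for low, high, name, colour in NVD_BANDS:
        if low <= value <= high:
            return colour if totype == "color" else name
    raise AssertionError("score %r matched no band" % value)  # unreachable after validation


def changed_integer_scores():
    """Integer scores 0-10 whose severity name differs between the old table and NVD bands."""
    return [n for n, old in enumerate(OLD_KVASIR_NAMES)
            if severity_from_cvss(n) != old]
```

The list returned by `changed_integer_scores()` is exactly the set of rows the issue's new mapping renames.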