Nix-Security-WG / nix-local-security-scanner

Reports on which security advisories may be relevant for a given system or derivation
MIT License

Show severity #20

Open raboof opened 1 year ago

raboof commented 1 year ago

To best focus your efforts, it is useful to be able to see the severity level assigned to each advisory.

Unfortunately, there are different severity systems: CVSS is popular, but can be rigid, especially when applied to libraries. For this reason some organizations assign their own severity, such as low/moderate/important/critical at https://access.redhat.com/security/updates/classification/ .

StefanSchroeder commented 1 year ago

Have you already looked into the new CVSS v4.0? It seems to be more flexible than 3.0, at least it has more options. For large integrators a re-evaluation might be feasible, but this approach doesn't scale well. Why throw away the CVSS base score when it's a good first indication? IMO it's more important to highlight the difference between Base Score, Environmental Score and Temporal Score in an analysis.

raboof commented 1 year ago

I agree we shouldn't throw away the CVSS score, especially if it's all we have, but if the CNA also provided their own severity we should also take that into account and perhaps even prefer it.