RetireJS / retire.js

scanner detecting the use of JavaScript libraries with known vulnerabilities. Can also generate an SBOM of the libraries it finds.
https://retirejs.github.io/retire.js/

CVE severity mismatch #332

Closed zbone3 closed 3 years ago

zbone3 commented 4 years ago

Retire.js version: (retire --version): 2.0.3

node version: (node --version): v12.14.1

Type: Bug / Discrepancy

Description: It seems that some CVEs in the jsrepository.json file have the wrong severity. An example is CVE-2019-8331. Retire has a high severity while CVE DBs say it's medium.

Retire jsrepository.json source: https://raw.githubusercontent.com/RetireJS/retire.js/master/repository/jsrepository.json

Official CVE source: https://nvd.nist.gov/vuln/detail/CVE-2019-8331


Expected behaviour: Expect severities to match nvd.nist.gov

eoftedal commented 4 years ago

If you know of several ones, maybe you could create a pull request to fix them? That would be helpful

zbone3 commented 4 years ago

@eoftedal I will do that, but how would we fix the root of the issue? What source does retire take the severity from? I'm just trying to figure out why there are some discrepancies in the first place. Thanks

zbone3 commented 4 years ago

@eoftedal the pull request with updates to severities can be found here: https://github.com/RetireJS/retire.js/pull/333

Also, I would appreciate your answer on: what source does retire take the severity from?

Thanks

eoftedal commented 4 years ago

A lot of the severities were added pre-CVE inclusion, and the score was based on difficulty, as in most cases the end result was the same (XSS). So a library that, if it was loaded, would make the site vulnerable was rated high. If it was easy to make a coding mistake to expose the vulnerability, it was medium. If it was an edge case, it was rated low. Aligning with NVD makes sense, although even within NVD, CVEs for XSS flaws have weird/conflicting ratings if you compare them.
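As an added illustration of the discrepancy this issue reports (this is not retire.js code or anything from the thread), the script below walks a jsrepository.json-shaped object and flags every CVE whose recorded severity differs from the NVD qualitative bucket derived from its CVSS v3 base score. The repository shape (library -> vulnerabilities[] -> identifiers.CVE[] plus severity) is my reading of jsrepository.json and is an assumption; the NVD scores are constructed sample values, with a placeholder CVE id for the second entry.

```javascript
// Added example, not part of retire.js. Compares jsrepository.json severities
// with the NVD severity bucket computed from a CVSS v3 base score.

// NVD's qualitative rating scale for CVSS v3 base scores.
function cvssToSeverity(score) {
  if (score === 0) return "none";
  if (score < 4.0) return "low";
  if (score < 7.0) return "medium";
  if (score < 9.0) return "high";
  return "critical";
}

// Walk each library's vulnerability entries (assumed jsrepository.json shape),
// look up every CVE's NVD score, and collect entries whose severity disagrees.
// CVEs with no NVD score are skipped: nothing to compare against.
function findSeverityMismatches(repository, nvdScores) {
  const mismatches = [];
  for (const [library, data] of Object.entries(repository)) {
    for (const vuln of data.vulnerabilities || []) {
      const cves = (vuln.identifiers && vuln.identifiers.CVE) || [];
      for (const cve of cves) {
        if (!Object.prototype.hasOwnProperty.call(nvdScores, cve)) continue;
        const nvdSeverity = cvssToSeverity(nvdScores[cve]);
        if (vuln.severity !== nvdSeverity) {
          mismatches.push({ library, cve, repository: vuln.severity, nvd: nvdSeverity });
        }
      }
    }
  }
  return mismatches;
}

// Constructed sample repository: one entry rated high (the case from the issue)
// and one placeholder entry whose rating already agrees with NVD.
const sampleRepository = {
  bootstrap: { vulnerabilities: [
    { below: "3.4.1", severity: "high",
      identifiers: { CVE: ["CVE-2019-8331"], summary: "XSS (sample entry)" } },
  ] },
  examplelib: { vulnerabilities: [
    { below: "1.0.0", severity: "medium", identifiers: { CVE: ["CVE-0000-00001"] } },
  ] },
};

// Constructed NVD scores (illustrative, not fetched from NVD).
const sampleNvdScores = { "CVE-2019-8331": 6.1, "CVE-0000-00001": 5.3 };

console.log(JSON.stringify(findSeverityMismatches(sampleRepository, sampleNvdScores)));
```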