Open TG1999 opened 1 year ago
A good way to get moving on this would be to examine some examples of advisory conflicts. Would anyone like to suggest specific cases?
@DennisClark https://github.com/advisories/GHSA-r8f7-9pfq-mjmv and https://nvd.nist.gov/vuln/detail/CVE-2020-24025: GHSA identifies >= 2.0.0, < 7.0.0 as affected versions, whereas NVD identifies >= 2.0.0, <= 4.14.1.
Thanks @TG1999. Looking at both, I think there are at least two elements we can consider for scoring:
It is interesting (and surprising actually) that the NVD example is quite obsolete, based on the dates available on the posting, which helps to explain why it provides a narrower version range, making the GHSA example more reliable in this specific case.
We need a way to score the reliability of advisories, since multiple advisories for the same vulnerability may differ in significant details.
The first step is to identify the scoring criteria and provide a weighting for each element.
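The conflict discussed above, worked through in code as an added example (not part of the thread and not the project's own code): it parses the two constraint strings exactly as quoted for CVE-2020-24025, lists the versions the two advisories disagree on, and scores each advisory with a weighted criterion set. The publication dates, the probe version list, the single "recency" criterion and its weight are constructed assumptions, chosen only to show the shape of a scoring scheme; real criteria and weights are what the thread still has to decide.

```python
"""Compare the affected-version ranges of two advisories for one CVE and score
each advisory with a weighted set of reliability criteria.

Added example for this thread, not VulnerableCode project code. The two
version constraints are the ones quoted above for CVE-2020-24025; the
publication dates, the sample version list, the criterion and the weights are
constructed assumptions for illustration.
"""
from __future__ import annotations

import operator
import re
from dataclasses import dataclass
from datetime import date

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt}
_CONSTRAINT = re.compile(r"\s*(>=|<=|>|<)\s*(\d+(?:\.\d+)*)\s*")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'x.y.z' into a comparable tuple, zero-padded to three components."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (3 - len(parts))


def parse_range(spec: str) -> list[tuple]:
    """Parse 'op version, op version' (the form quoted in the thread) into
    (comparison function, version tuple) pairs; every pair must hold."""
    constraints = []
    for part in spec.split(","):
        match = _CONSTRAINT.fullmatch(part)
        if match is None:
            raise ValueError(f"unsupported constraint: {part!r}")
        constraints.append((OPS[match.group(1)], parse_version(match.group(2))))
    return constraints


def is_affected(version: str, spec: str) -> bool:
    """True when `version` satisfies every constraint in `spec`."""
    v = parse_version(version)
    return all(op(v, bound) for op, bound in parse_range(spec))


@dataclass(frozen=True)
class Advisory:
    source: str
    affected: str
    published: date  # constructed dates below, not the real posting dates


# Constraints as quoted in the thread; the dates are constructed assumptions.
GHSA = Advisory("GHSA-r8f7-9pfq-mjmv", ">= 2.0.0, < 7.0.0", date(2023, 1, 1))
NVD = Advisory("CVE-2020-24025 (NVD)", ">=2.0.0 , <=4.14.1", date(2021, 1, 1))

# Constructed probe versions that straddle both ranges' boundaries.
SAMPLE_VERSIONS = ["1.9.0", "2.0.0", "4.14.1", "4.14.2", "5.0.0", "6.9.9", "7.0.0"]


def disagreements(a: Advisory, b: Advisory, versions: list[str]) -> list[str]:
    """Versions that exactly one of the two advisories marks as affected."""
    return [v for v in versions if is_affected(v, a.affected) != is_affected(v, b.affected)]


def recency(advisory: Advisory, group: list[Advisory], horizon_days: int = 3 * 365) -> float:
    """Assumed criterion: 1.0 for the most recently published advisory in the
    group, falling linearly to 0.0 once it lags the newest by `horizon_days`."""
    newest = max(a.published for a in group)
    lag = (newest - advisory.published).days
    return max(0.0, 1.0 - lag / horizon_days)


CRITERIA = {"recency": recency}
WEIGHTS = {"recency": 1.0}  # assumed weighting; further criteria plug in here


def reliability_scores(group: list[Advisory], weights: dict[str, float] = WEIGHTS) -> dict[str, float]:
    """Weighted average of each criterion's 0..1 score, per advisory source."""
    total = sum(weights.values())
    return {
        a.source: sum(weights[name] * CRITERIA[name](a, group) for name in weights) / total
        for a in group
    }


if __name__ == "__main__":
    print("versions the two advisories disagree on:", disagreements(GHSA, NVD, SAMPLE_VERSIONS))
    for source, score in reliability_scores([GHSA, NVD]).items():
        print(f"{source}: {score:.2f}")
```

With the quoted constraints the two advisories agree on 2.0.0 and 4.14.1 but disagree on everything from 4.14.2 up to, but not including, 7.0.0, which is the span a consumer has to resolve. The recency criterion reproduces the reasoning in the thread (the older posting scores lower), but it is only one of the elements to be weighted; any additional criterion is a function of the same shape added to CRITERIA and WEIGHTS.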