aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Wrong CVSS3 V3.1 QR "MODERATE" #1186

Open mnonnenmacher opened 1 year ago

mnonnenmacher commented 1 year ago

GitHub advisories provide the severity "MODERATE", and as a result VulnerableCode also provides this severity, which according to the specification should be "MEDIUM" instead.

For example, this severity is classified as "MODERATE" by GitHub: https://github.com/advisories/GHSA-c7mc-q43h-5672

It is reported by VulnerableCode as:

{
  "reference_url": "https://github.com/advisories/GHSA-c7mc-q43h-5672",
  "reference_id": "GHSA-c7mc-q43h-5672",
  "scores": [
    {
      "value": "MODERATE",
      "scoring_system": "cvssv3.1_qr",
      "scoring_elements": ""
    }
  ],
  "url": "https://github.com/advisories/GHSA-c7mc-q43h-5672"
}

It would be good if VulnerableCode could map "MODERATE" to the correct "MEDIUM" in its API response.
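The mapping the issue asks for, as an added example written for this page rather than VulnerableCode's own code. It normalizes vendor severity labels to the CVSS v3.1 qualitative severity rating scale (None, Low, Medium, High, Critical, as defined in section 5 of the CVSS v3.1 specification), derives the rating from a numeric base score using the same scale, and rewrites the `scores` entries of a reference object shaped like the API response quoted above. The `scoring_system` name `cvssv3.1_qr` is taken from that response; the function names, the alias table and the rejection of unknown labels are assumptions of this example.

```python
"""Normalize vendor severity labels to CVSS v3.1 qualitative severity ratings.

Added example, not VulnerableCode's own code. Function names and the alias
table are assumptions made for this illustration.
"""
from __future__ import annotations

import copy

# The five ratings of the CVSS v3.1 qualitative severity rating scale
# (CVSS v3.1 specification, section 5). "MODERATE" is not one of them.
CVSS_V3_1_QUALITATIVE = ("NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Vendor labels that are not CVSS terms. "MODERATE" is the GitHub advisory
# label from this issue; other vendor vocabularies would be added here.
SEVERITY_ALIASES = {
    "MODERATE": "MEDIUM",
}

# Scoring systems whose "value" is a qualitative rating rather than a number.
# The name comes from the API response quoted in the issue.
QUALITATIVE_SCORING_SYSTEMS = {"cvssv3.1_qr"}


def normalize_qualitative_rating(value: str) -> str:
    """Return the CVSS v3.1 qualitative rating for a vendor severity label.

    Unknown labels raise ValueError so that a new vendor vocabulary is
    noticed at import time instead of being stored verbatim.
    """
    key = value.strip().upper()
    key = SEVERITY_ALIASES.get(key, key)
    if key not in CVSS_V3_1_QUALITATIVE:
        raise ValueError(f"not a CVSS v3.1 qualitative rating: {value!r}")
    return key


def qualitative_rating_from_score(score: float) -> str:
    """Map a CVSS v3.1 base score to its qualitative rating.

    Ranges per the specification: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium,
    7.0-8.9 High, 9.0-10.0 Critical.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def normalize_reference_scores(reference: dict) -> dict:
    """Return a copy of an API reference dict with qualitative scores normalized.

    Only entries whose scoring_system is a known qualitative system are
    touched; numeric or vector-based entries are left as they are.
    """
    result = copy.deepcopy(reference)
    for score in result.get("scores", []):
        if score.get("scoring_system") in QUALITATIVE_SCORING_SYSTEMS:
            score["value"] = normalize_qualitative_rating(score["value"])
    return result


# The reference object quoted in this issue, reproduced as sample input.
SAMPLE_REFERENCE = {
    "reference_url": "https://github.com/advisories/GHSA-c7mc-q43h-5672",
    "reference_id": "GHSA-c7mc-q43h-5672",
    "scores": [
        {"value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
    ],
    "url": "https://github.com/advisories/GHSA-c7mc-q43h-5672",
}

if __name__ == "__main__":
    print(normalize_reference_scores(SAMPLE_REFERENCE)["scores"][0]["value"])
```

Rejecting unknown labels instead of passing them through is a deliberate choice: a severity field that silently carries vendor-specific words defeats the point of tagging it with a named scoring system, and a hard failure in the importer is easier to spot than a wrong value in the API.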

sschuberth commented 1 year ago

I've also reported this upstream to GitHub: https://github.com/github/advisory-database/issues/2189