aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Remove CVSSv2 scores from vulnerablecode #1187

Open TG1999 opened 1 year ago

TG1999 commented 1 year ago

Reference: https://github.com/nexB/vulnerablecode/issues/889#issuecomment-1518413361

It will be a 3-step process:

pombredanne commented 1 year ago

IMHO we have this alternative:

  1. delete everything about CVSSv2 including advisory and check if there are data sources that provide only CVSSv2 and how we can convert CVSSv2 into CVSSv3
  2. or carry some CVSSv2 in advisories and have flags to avoid reprocessing and have some more code for CVSSv2 here and there

pombredanne commented 1 year ago

See also https://security.stackexchange.com/questions/127335/how-to-convert-risk-scores-cvssv1-cvssv2-cvssv3-owasp-risk-severity

ziadhany commented 9 months ago

I think I got a really interesting result; take a look at https://www.kaggle.com/code/ziadhany/decision-trees-for-converting-cvss-2-to-3

TG1999 commented 4 months ago

@pombredanne please have a look at this one!