VCIO does not collect some Severity (cvssv3.1) scores for a CVE

aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/

https://public.vulnerablecode.io

Apache License 2.0

543 stars 201 forks source link

VCIO does not collect some Severity (cvssv3.1) scores for a CVE #1238

Open mjherzog opened 1 year ago

mjherzog commented 1 year ago

For a recent Vulnerability report of approximately 250 purl-CVE vulnerabilty combinations almost half were missing a Severity score (field value = NA) which is a critical deficiency for prioritizing investigation or remediation of vulnerabilities. A few cases are legitimate because the CVE has been rejected - see https://github.com/nexB/vulnerablecode/issues/1221, but in the other cases I checked there is one or more cvssv3.1 scores in the NVD (NIST:NVD and/or CNA: Google etc.). In a few cases it appear the the original CVE record did not have a cvssv3.1 value but in most cases the cvssv3.1 data is part of the original record based on the Change History. Note the cvssv3.1 data is the set of metrics not the derived numeric score.

We need to improve our CVE data collection to ensure that we capture the current Severity data and enable some tracking for adding Severity data if it was not available when we first collected a CVE or changed after we collected it.

ambuj-1211 commented 7 months ago

@mjherzog @TG1999 @johnmhoran Is this issue available for contribution? I have some queries about this issue:

do we need to add a separate script to track the severity scores rather than coding for every single importer.
do we require routine checks to check any kind of update in the severity data.

pombredanne commented 7 months ago

@ambuj-1211 re:

is this issue available for contribution? yes

@mjherzog would you have a few examples of such PURLs and vulnerabilities on hand?

@ambuj-1211 to pick a fix you would first nee to find out why and what happened.

ziadhany commented 5 months ago

@ambuj-1211

Let's tackle this in four steps:

[ ] Identify Missing Scores:

create Python or SQL query that finds vulnerabilities with severity information but lacking a CVSSv3 score. We'll prioritize focusing on recent vulnerabilities, as they're more likely to have a CVSSv3 assigned.

[ ] Manual Search:

randomly sample a subset of these vulnerabilities and manually search for their missing CVSSv3 scores on public resources like the National Vulnerability Database (NVD).

[ ] Document Findings (Issue Comment) that analyze the causes of missing CVSSv3 scores (importer type, recent discovery, .... ) Analyze why some vulnerabilities lack CVSSv3 scores
[ ] Write an improver or importer to get all missing CVSSv3

ambuj-1211 commented 5 months ago

@ziadhany

create Python or SQL query that finds vulnerabilities with severity information but lacking a CVSSv3 score. We'll prioritize focusing on recent vulnerabilities, as they're more likely to have a CVSSv3 assigned.

correct me if I am wrong, for this I need to make a func in models.py and call it using custom management command?

ziadhany commented 5 months ago

@ambuj-1211 No, just a Django or SQL query like this : https://docs.djangoproject.com/en/5.0/topics/db/queries/#retrieving-specific-objects-with-filters no need to create a custom management command

pombredanne commented 1 month ago

@ambuj-1211 gentle ping. Are you looking to complete this?

ambuj-1211 commented 1 month ago

@pombredanne yes have done some work on this and will try to complete it soon.