aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities.
Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/
Chat at https://gitter.im/aboutcode-org/vulnerablecode
Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

GHSA entry reports incorrect scoring system for 2024 vulnerabilities #1644

Open mjherzog opened 1 week ago

mjherzog commented 1 week ago

For VCID-yktk-48uz-aaac, VCIO does not report a CVSS score for https://nvd.nist.gov/vuln/detail/CVE-2024-34750. This is correct for CVSS v4 but there is a CVSS v3.x score available. We do not want to collect CVSS v2 data, but we will need to deal with both v3.x and v4 scores for at least the near future.

DennisClark commented 5 days ago

In general I think that we always collect CVSS v3.x scores. Perhaps the bug here is that we are not collecting the "ADP: CISA-ADP" score when there is no "NVD" score. See screenshot.

[screenshot: "CVE-2024-34750 Detail", NVD page captured 2024-11-11 at 12:59:51]
mjherzog commented 5 days ago

Good point - I missed that possibility but in any case we need to document/qualify what score we are collecting. And it seems to be the case that we should be collecting CISA-ADP scores esp. in light of the NIST issues. https://www.cve.org/Media/News/item/blog/2024/06/04/CISA-Added-as-CVE-Authorized-Data-Publisher And we need to prepare for / start collecting v4.0 scores.
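The selection logic the thread is circling, written out as an added example (this is not VulnerableCode's importer code). It assumes the NVD CVE API 2.0 record layout, where `metrics` holds `cvssMetricV2`, `cvssMetricV30`, `cvssMetricV31` and `cvssMetricV40` lists and each entry carries `source`, `type` (`Primary`/`Secondary`) and a `cvssData` object. The source identifier used for CISA-ADP is an assumption, the sample records are constructed (the scores on CVE-2024-34750 are illustrative, not copied from NVD), and `CVE-2024-00000` and `cna@example.org` are placeholders. `nvd_primary_only` is the narrow selection that yields no score for a CVE scored only by CISA-ADP; `select_cvss` collects v3.x and v4.0 from any source, preferring NVD, then CISA-ADP, and never touches v2.

```python
"""Pick CVSS v3.x and v4.0 scores from an NVD CVE API 2.0 record.

Added example, not VulnerableCode project code. Assumes the NVD CVE API 2.0
layout: record["metrics"] holds lists keyed cvssMetricV2, cvssMetricV30,
cvssMetricV31 and cvssMetricV40; each entry has "source", "type"
("Primary" or "Secondary") and a "cvssData" object with "version",
"vectorString", "baseScore" and (for v3.x/v4.0) "baseSeverity".
"""

NVD_SOURCE = "nvd@nist.gov"
# Assumption: the source identifier under which NVD publishes CISA-ADP metrics.
CISA_ADP_SOURCE = "134c704f-9b21-4f2e-91b3-4a467353bcc0"

# Metric families we collect. cvssMetricV2 is deliberately left out.
WANTED_METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30")


def nvd_primary_only(record):
    """Narrow selection: keep only NVD's own Primary v3.x/v4.0 entries.

    Returns {} for a record that carries a CISA-ADP score but no NVD score,
    which is the gap the issue reports.
    """
    chosen = {}
    for key in WANTED_METRIC_KEYS:
        for entry in record.get("metrics", {}).get(key, []):
            if entry.get("source") == NVD_SOURCE and entry.get("type") == "Primary":
                data = entry["cvssData"]
                chosen[data["version"]] = float(data["baseScore"])
    return chosen


def _rank(entry):
    """Sort key: NVD first, then CISA-ADP, then any other CNA/ADP source."""
    source = entry.get("source")
    if source == NVD_SOURCE:
        return 0
    if source == CISA_ADP_SOURCE:
        return 1
    return 2


def select_cvss(record):
    """Return {version: {score, severity, vector, source, type}} for each
    v3.x/v4.0 family present, falling back to CISA-ADP (then other
    secondary sources) when NVD has not scored the CVE."""
    chosen = {}
    for key in WANTED_METRIC_KEYS:
        entries = record.get("metrics", {}).get(key) or []
        if not entries:
            continue
        best = min(entries, key=_rank)
        data = best["cvssData"]
        chosen[data["version"]] = {
            "score": float(data["baseScore"]),
            "severity": data.get("baseSeverity") or best.get("baseSeverity"),
            "vector": data["vectorString"],
            "source": best.get("source"),
            "type": best.get("type"),
        }
    return chosen


def _entry(source, typ, version, vector, score, severity):
    """Build one NVD-style metric entry for the constructed samples."""
    return {"source": source, "type": typ,
            "cvssData": {"version": version, "vectorString": vector,
                         "baseScore": score, "baseSeverity": severity}}


# Constructed sample records (shape follows the NVD API; values are made up).
# ONLY_ADP mirrors the issue: a CISA-ADP v3.1 score and no NVD score at all.
ONLY_ADP = {
    "id": "CVE-2024-34750",
    "metrics": {
        "cvssMetricV31": [
            _entry(CISA_ADP_SOURCE, "Secondary", "3.1",
                   "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", 7.5, "HIGH"),
        ],
    },
}

# BOTH has NVD v2 and v3.1 scores, a CISA-ADP v3.1 score and a v4.0 score from
# a hypothetical CNA; the CVE id and the CNA address are placeholders.
BOTH = {
    "id": "CVE-2024-00000",
    "metrics": {
        "cvssMetricV2": [{"source": NVD_SOURCE, "type": "Primary", "baseSeverity": "MEDIUM",
                          "cvssData": {"version": "2.0", "baseScore": 5.0,
                                       "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}],
        "cvssMetricV31": [
            _entry(CISA_ADP_SOURCE, "Secondary", "3.1",
                   "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", 9.8, "CRITICAL"),
            _entry(NVD_SOURCE, "Primary", "3.1",
                   "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 8.8, "HIGH"),
        ],
        "cvssMetricV40": [
            _entry("cna@example.org", "Secondary", "4.0",
                   "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", 9.3, "CRITICAL"),
        ],
    },
}

if __name__ == "__main__":
    for rec in (ONLY_ADP, BOTH):
        print(rec["id"], "nvd-only:", nvd_primary_only(rec))
        print(rec["id"], "with fallback:", select_cvss(rec))
```

Because the chosen entry keeps its `source` and `type`, a consumer can display which publisher scored the CVE, which is the documenting/qualifying step the comment above asks for; one entry per version family also keeps a v3.1 and a v4.0 score side by side rather than collapsing them into one number.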