aboutcode-org / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities.
Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/
Chat at https://gitter.im/aboutcode-org/vulnerablecode
Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0
543 stars 201 forks

Add GHSA CVSS scores to VCIO data #1645

Open mjherzog opened 2 weeks ago

mjherzog commented 2 weeks ago

With the significant NVD backlog for assigning Severity Scores to CVEs, alternate sources like GHSA are even more important. VCIO currently provides only a qualitative CVSS v3 score - LOW, MODERATE, HIGH or CRITICAL even though GHSA also provides a numeric score.

With some help from John H I now understand that the qr in the cvssv3.1_qr scores we report means "qualitative rating", which is fine except that the score in this case is for/from cvss v4.

We also need the numeric cvss scores with an accurate label of the cvss version for that score. It seems that we are in a transition period where we will see a cvss v3.1x score for older vulnerabilities and a cvss v4 score for newer vulnerabilities.

For example the data at https://github.com/advisories/GHSA-wm9w-rjj3-j356 for VCID-yktk-48uz-aaac shows both "HIGH" and "8.7" as severity scores. VCIO should report both the qualitative and numeric scores as cvss v4. Some other examples are:

The key use case is where an organization uses a numeric severity threshold to prioritize vulnerabilities and needs alternate CVSS information where it is not available from the NVD.

With the advent of our own Vulnerability Risk scoring across the AboutCode stack we need to ensure that the underlying data is accurate and complete.
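The mislabelling and the threshold use case described in the comment above can be made concrete. The following is an added example, not VulnerableCode code and not from the issue author: it takes a GHSA-style advisory record, keeps every numeric score labelled with the CVSS version read from its vector prefix, attaches the advisory's single qualitative rating to the newest vector present, and then checks that each qualitative rating sits beside a numeric score of the same version and in the same band. The record shape (a `severity` field plus `cvss_severities` with `cvss_v3`/`cvss_v4` entries), the `cvssv4`/`cvssv4_qr` system identifiers (modelled on the `cvssv3.1_qr` identifier quoted above), the GHSA id, and the CVSS vectors are all assumptions; the sample scores are constructed, with 8.7/HIGH mirroring the figures the comment quotes.

```python
"""Added example (not VulnerableCode code): version-labelled CVSS scores
from a GHSA-style advisory, with a consistency check on the qualitative
rating and a numeric-threshold filter."""
import re
from dataclasses import dataclass
from typing import Optional

_VECTOR_VERSION = re.compile(r"^CVSS:(3\.0|3\.1|4\.0)/")


def qualitative_rating(score: float) -> str:
    """Map a numeric base score to its qualitative band.

    The bands are the same for CVSS v3.x and v4.0; GHSA spells the
    middle band MODERATE where the CVSS specifications say Medium.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MODERATE"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def cvss_version(vector: str) -> str:
    """Return the CVSS version encoded in the vector prefix, e.g. '4.0'."""
    match = _VECTOR_VERSION.match(vector)
    if not match:
        raise ValueError(f"unrecognised CVSS vector: {vector!r}")
    return match.group(1)


@dataclass(frozen=True)
class Severity:
    system: str  # "cvssv3.1", "cvssv4", or the "_qr" qualitative variant
    value: str  # numeric score as text, or LOW/MODERATE/HIGH/CRITICAL
    vector: Optional[str]


def _system_id(version: str) -> str:
    # Assumed naming convention, modelled on the cvssv3.1_qr identifier.
    return "cvssv4" if version == "4.0" else f"cvssv{version}"


def extract_severities(advisory: dict) -> list:
    """Collect each numeric score under its own version label, then attach
    the advisory's single qualitative rating to the newest vector present."""
    found = []
    for entry in (advisory.get("cvss_severities") or {}).values():
        vector, score = entry.get("vector_string"), entry.get("score")
        if not vector or score is None:
            continue  # GHSA leaves unused versions empty; skip them
        version = cvss_version(vector)
        found.append(Severity(_system_id(version), f"{float(score):.1f}", vector))
    label = (advisory.get("severity") or "").upper()
    if label == "MEDIUM":  # the API spells it "medium"; the web UI says "Moderate"
        label = "MODERATE"
    if label and found:
        newest = max(found, key=lambda s: cvss_version(s.vector))
        found.append(Severity(newest.system + "_qr", label, newest.vector))
    return found


def label_mismatches(severities: list) -> list:
    """Report qualitative ratings that lack a numeric score of the same
    version (the cvssv3.1_qr-on-a-v4-score case) or disagree with its band."""
    numeric = {s.system: float(s.value) for s in severities if not s.system.endswith("_qr")}
    problems = []
    for s in severities:
        if not s.system.endswith("_qr"):
            continue
        base = s.system[: -len("_qr")]
        if base not in numeric:
            problems.append(f"{s.system} has no numeric {base} score")
        elif qualitative_rating(numeric[base]) != s.value:
            problems.append(f"{s.system}={s.value} but {base}={numeric[base]} rates {qualitative_rating(numeric[base])}")
    return problems


def max_numeric(severities: list) -> Optional[tuple]:
    """(system, score) of the highest numeric score, or None when there is none."""
    nums = [(s.system, float(s.value)) for s in severities if not s.system.endswith("_qr")]
    return max(nums, key=lambda t: t[1]) if nums else None


def meets_threshold(severities: list, threshold: float) -> bool:
    """True when any numeric score, whatever its CVSS version, reaches the threshold."""
    top = max_numeric(severities)
    return top is not None and top[1] >= threshold


# Constructed sample records (shape assumed; ids and vectors are placeholders).
SAMPLE_V4_ONLY = {
    "ghsa_id": "GHSA-xxxx-xxxx-xxxx",
    "severity": "high",
    "cvss_severities": {
        "cvss_v3": {"vector_string": None, "score": 0},
        "cvss_v4": {"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "score": 8.7},
    },
}
SAMPLE_TRANSITION = {
    "ghsa_id": "GHSA-yyyy-yyyy-yyyy",
    "severity": "medium",
    "cvss_severities": {
        "cvss_v3": {"vector_string": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "score": 5.3},
        "cvss_v4": {"vector_string": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "score": 6.9},
    },
}
```

Running `extract_severities(SAMPLE_V4_ONLY)` yields a `cvssv4` score of 8.7 and a `cvssv4_qr` rating of HIGH, the pairing the comment asks VCIO to report; feeding `label_mismatches` a record where the same HIGH was stored as `cvssv3.1_qr` flags it, because no `cvssv3.1` numeric score exists to back it. `meets_threshold` takes the highest numeric score across versions, so a consumer with a 7.0 cut-off gets a consistent answer whether the advisory carries a v3.1 score, a v4 score, or both.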