🗣 Description
This PR adds support for CVSS v3 scores by importing them from the NVD. It also appropriately sets the severity of each CVE based on the v2 or v3 scoring system.
💭 Motivation and context
Since CVSS v3 has been out for quite a while now, it's about time that we support it.
This PR updates cyhy-nvdsync to import data for any CVE that has either a v2 or v3 score. Previously, we only imported the v2 score. If a v3 score is present in the NVD data, that score is imported into the DB. If no v3 score is present, the v2 score is imported. In either case, the version of the CVSS score is now stored in the DB along with the score itself.
Resolves:
This is part of the work for https://github.com/cisagov/cyhy-system/issues/59.
Marking this PR as blocked until the CyHy team allows us to deploy it. Note that this PR should be deployed in conjunction with https://github.com/cisagov/cyhy-reports/pull/76.
🧪 Testing
To test the updated cyhy-nvdsync code (https://github.com/cisagov/cyhy-core/pull/69/commits/1ad23ec828c956bcce38a39da52d18ae04bf3b3d and https://github.com/cisagov/cyhy-core/pull/69/commits/d5e722e2a9ca630064e02d7d6a5c8f354c98538d), I ran it in my test environment and validated the following things:
- The script ran without error and took roughly the same amount of time as it took before these code changes.
- Every CVE that was imported received a cvss_version value (either "2.0", "3.0", or "3.1").
- CVEs were getting assigned the correct severities, i.e. a CVE scored as a 9.0 in CVSS 2.0 got severity 3 (High), while a CVE scored as a 9.0 in CVSS 3.0 or 3.1 got severity 4 (Critical).
- The same number of CVEs were imported both before (when it only imported CVSSv2 scores) and after these code changes. That isn't a 100% guarantee, but it's a good sign.
To test the updated ticket_manager.py code (https://github.com/cisagov/cyhy-core/pull/69/commits/2b81487cd5dd6c1a8e54538254629bc30fb1c980 and https://github.com/cisagov/cyhy-core/pull/69/commits/79d29f5c7e2a515aa8c465265e6f6889334fd987), I deployed the code changes to my test environment and re-ran vulnerability scans for some hosts that previously had open tickets. I verified that their tickets were correctly updated with the new expected values for details.cvss_base_score, details.cvss_version, and details.severity. I also confirmed that no tickets were updated with unexpected or erroneous details.
✅ Pre-approval checklist
✅ Post-merge checklist
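The behaviour the PR describes (prefer the v3 score, fall back to v2, record the CVSS version, and bucket severity with version-specific thresholds) as an added, self-contained illustration. This is example code written for this page, not cyhy-core's own cyhy-nvdsync implementation. It assumes the NVD JSON 1.1 feed layout (impact.baseMetricV3.cvssV3 and impact.baseMetricV2.cvssV2), uses the qualitative score ranges NVD publishes for each CVSS version, and takes the severity integers 3 = High and 4 = Critical from the PR text; the values 0/1/2 for None/Low/Medium, the output field names, and the CVE records in SAMPLE_FEED are constructed for the example.

```python
"""Select a CVSS score from NVD JSON 1.1 feed items (v3 preferred, v2
fallback) and derive a severity that depends on the CVSS version.

Example code for this page; not the cyhy-nvdsync implementation.
"""
import json

# Severity integers. 3 = High and 4 = Critical are stated in the PR text;
# 0 = None, 1 = Low and 2 = Medium are assumptions for this example.
SEVERITY_NONE, SEVERITY_LOW, SEVERITY_MEDIUM, SEVERITY_HIGH, SEVERITY_CRITICAL = 0, 1, 2, 3, 4


def severity_from_score(score, cvss_version):
    """Map a base score to a severity using NVD's qualitative ranges.

    CVSS v2 has no Critical bucket (7.0-10.0 is High), while v3.0/v3.1
    reserve 9.0-10.0 for Critical. A 9.0 is therefore High under v2 but
    Critical under v3, which is exactly the case the PR's testing checks.
    """
    if cvss_version == "2.0":
        if score >= 7.0:
            return SEVERITY_HIGH
        if score >= 4.0:
            return SEVERITY_MEDIUM
        return SEVERITY_LOW
    if cvss_version in ("3.0", "3.1"):
        if score >= 9.0:
            return SEVERITY_CRITICAL
        if score >= 7.0:
            return SEVERITY_HIGH
        if score >= 4.0:
            return SEVERITY_MEDIUM
        if score > 0.0:
            return SEVERITY_LOW
        return SEVERITY_NONE
    raise ValueError("unsupported CVSS version: %r" % (cvss_version,))


def extract_cvss(item):
    """Return (base_score, cvss_version) for one feed item.

    Prefers the v3 metrics and falls back to v2; returns None when the
    item carries neither (e.g. a rejected or not-yet-analysed CVE).
    """
    impact = item.get("impact", {})
    v3 = impact.get("baseMetricV3", {}).get("cvssV3")
    if v3 and "baseScore" in v3:
        # The feed states the exact v3 version ("3.0" or "3.1") per CVE.
        return float(v3["baseScore"]), str(v3.get("version", "3.0"))
    v2 = impact.get("baseMetricV2", {}).get("cvssV2")
    if v2 and "baseScore" in v2:
        return float(v2["baseScore"]), "2.0"
    return None


def build_cve_doc(item):
    """Build the record to store for one CVE (field names are assumed)."""
    cve_id = item["cve"]["CVE_data_meta"]["ID"]
    cvss = extract_cvss(item)
    if cvss is None:
        return None  # nothing to import, mirrors skipping unscored CVEs
    score, version = cvss
    return {
        "_id": cve_id,
        "cvss_base_score": score,
        "cvss_version": version,
        "severity": severity_from_score(score, version),
    }


def sync(feed):
    """Import every scored CVE from a parsed NVD 1.1 feed dictionary."""
    docs = (build_cve_doc(item) for item in feed["CVE_Items"])
    return [doc for doc in docs if doc is not None]


# Constructed sample feed: the CVE IDs, scores and vectors are made up.
SAMPLE_FEED = json.loads("""
{"CVE_Items": [
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
   "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 9.0}}}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
   "impact": {"baseMetricV3": {"cvssV3": {"version": "3.1", "baseScore": 9.0}},
              "baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5}}}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
   "impact": {"baseMetricV3": {"cvssV3": {"version": "3.0", "baseScore": 5.3}}}},
  {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0004"}}, "impact": {}}
]}
""")


if __name__ == "__main__":
    for doc in sync(SAMPLE_FEED):
        print(doc)
```

Running the block shows the first two constructed CVEs both carrying a 9.0 base score yet landing on severity 3 (v2) and severity 4 (v3.1) respectively, and the fourth, unscored CVE being skipped, which is why storing cvss_version alongside the score matters: downstream code cannot recover the right severity from the number alone.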