For dependency-check:

Clj-watson now recognizes that multiple CVSS versions can be populated for a single CVE. We now:

- to be cautious, choose the highest base score across all CVSS versions
- include the CVSS version with the score

For github-advisory:

The github-advisory only contains a single CVSS entry. Clj-watson now extracts the CVSS revision from the CVSS `vectorString`, when available.

For reports:

- json & edn - now include the CVSS `:version` under `:cvss`
- stdout - now includes the version after the score: `CVSS: <score> (version <cvss version>)`
- sarif
  - added `cvss` with its `score`, `version` and `severity` under `properties`; this duplicates the existing (unfortunately named) `security-severity`, which also holds the score
  - reworded the slightly awkward summary message, ex:
    - old: Vulnerability identified as CVE-2022-4244 of score 7.5 and severity HIGH found.
    - new: Vulnerability CVE-2022-4244 with a score of 7.5 and severity of HIGH found.

Out of scope:

This change does not include support for deriving a CVSS score when it is missing. This will be handled when we need it for decision making, like in #114.
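To illustrate the two behaviours described above (highest score across populated CVSS versions, and recovering the version from a lone `vectorString`), here is an added Clojure example; it is not clj-watson's own code, and the `dc-finding` / `gh-advisory` shapes are constructed approximations of a dependency-check finding and a github-advisory entry rather than the real source formats.

```clojure
;; Added example, not clj-watson's own code. The input maps below are
;; constructed stand-ins for a dependency-check finding and a github-advisory.

(defn version-from-vector
  "Extracts the CVSS version prefix from a vector string such as
  \"CVSS:3.1/AV:N/...\". Returns nil when there is no prefix (common for
  CVSS 2.0 vectors), so callers must treat the version as unknown."
  [vector-string]
  (when vector-string
    (second (re-find #"^CVSS:(\d+\.\d+)/" vector-string))))

(defn highest-cvss
  "From the CVSS entries populated for one CVE, picks the one with the
  highest base score (the cautious choice). Entries without a numeric score
  are ignored. On a tie max-key keeps the last entry, so pass entries
  ordered oldest version first if the newest version should win ties."
  [entries]
  (let [scored (filter (comp number? :score) entries)]
    (when (seq scored)
      (apply max-key :score scored))))

(defn render-stdout
  "Formats the chosen entry the way the stdout report shows it."
  [{:keys [score version]}]
  (format "CVSS: %s (version %s)" score (or version "unknown")))

;; dependency-check style: CVSS 2.0 and 3.1 both populated for one CVE
(def dc-finding
  {:cve "CVE-2022-4244"
   :cvss-entries [{:version "2.0" :score 5.0}
                  {:version "3.1" :score 7.5}]})

;; github-advisory style: single entry, version only inside the vector string
(def gh-advisory
  {:cve "CVE-2022-4244"
   :cvss {:score 7.5
          :vectorString "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}})

(defn gh-entry
  "Turns a github-advisory cvss map into the common {:version :score} shape."
  [{:keys [score vectorString]}]
  {:version (version-from-vector vectorString) :score score})

(comment
  ;; both calls report the 3.1 score of 7.5 with its version
  (render-stdout (highest-cvss (:cvss-entries dc-finding)))
  (render-stdout (gh-entry (:cvss gh-advisory))))
```

A vector string without the `CVSS:` prefix yields a nil version, which `render-stdout` prints as `unknown`; that is the case the "when available" wording above refers to.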
Closes #112