fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Surface "Secondary" CVSS Scores #23131

Open mostlikelee opened 1 week ago

mostlikelee commented 1 week ago

customer-honoria: Google doc: https://docs.google.com/document/d/1hFpr_0RCiD_FK7fndrZ6ZO5l6Hd90op0HusTUVQI4VQ/edit?tab=t.0

noahtalerman commented 4 days ago

Problem

Fleet currently only surfaces "Primary" CVSS scores from the NVD feed which in some cases leaves some CVEs in Fleet with missing scores.

What have you tried?

NA

Potential solutions

"Primary" sources are organizations designated by the NVD (often NVD itself) and all other sources are considered "Secondary". One solution is to provide the Secondary scores if the primary scores do not exist, but we should be transparent by also providing the designation (Primary vs Secondary) as well as the source (organization ID) in the Fleet API. Since the customer did not request the additional information, it may not be required at this time in the UI.

What is the expected workflow as a result of your proposal?

Customers see more CVSS scores in the UI, and some customers may use the additional API fields to further refine their vulnerability management process by weighing the validity of a score based on its designation and source.

Internal References: https://fleetdm.slack.com/archives/C07KLKM2FRT/p1729695759393249 https://fleetdm.slack.com/archives/C03FDNMCL80/p1727814174565549
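The Primary-then-Secondary fallback described above, as an added Go example that is not Fleet's own code. It assumes the NVD CVE API 2.0 JSON shape for `cvssMetricV31` entries (`source`, `type`, `cvssData.baseScore`) and uses a constructed sample record; the returned struct carries the designation and source so an API consumer can tell which kind of score it got.

```go
package main

import "encoding/json"

// Subset of an NVD CVE API 2.0 record (assumed shape: each cvssMetricV31 entry
// carries "source", "type" of "Primary"/"Secondary", and "cvssData.baseScore").
type cvssMetric struct {
	Source   string `json:"source"`
	Type     string `json:"type"`
	CVSSData struct {
		BaseScore float64 `json:"baseScore"`
	} `json:"cvssData"`
}

type nvdCVE struct {
	Metrics struct {
		V31 []cvssMetric `json:"cvssMetricV31"`
	} `json:"metrics"`
}

// CVSSResult carries the score with its provenance so an API consumer can
// weigh a Secondary score differently from a Primary one.
type CVSSResult struct {
	Score  float64
	Type   string // "Primary" or "Secondary"
	Source string // organization that published the score
	Found  bool   // false when the record has no v3.1 score at all
}

// SelectCVSS prefers the Primary score and falls back to the first Secondary
// score only when no Primary exists; callers can see which one they got.
func SelectCVSS(raw []byte) (CVSSResult, error) {
	var cve nvdCVE
	if err := json.Unmarshal(raw, &cve); err != nil {
		return CVSSResult{}, err
	}
	var res CVSSResult // zero value: Found == false
	for _, m := range cve.Metrics.V31 {
		if m.Type == "Primary" {
			return CVSSResult{m.CVSSData.BaseScore, m.Type, m.Source, true}, nil
		}
		if m.Type == "Secondary" && !res.Found {
			res = CVSSResult{m.CVSSData.BaseScore, m.Type, m.Source, true}
		}
	}
	return res, nil
}

// Constructed sample: a record carrying only a Secondary score, the case the issue describes.
const SampleCVE = `{"id":"CVE-0000-0000","metrics":{"cvssMetricV31":[{"source":"vendor@example.com","type":"Secondary","cvssData":{"baseScore":7.5}}]}}`
```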

noahtalerman commented 4 days ago

Originating Bug: https://github.com/fleetdm/fleet/issues/22564