github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

CVSS Score using CSV Output Format #13650

Open DoubleA176-VA opened 1 year ago

DoubleA176-VA commented 1 year ago

Is there a way to have the CVSS score be included in the information that's output when the "database analyze" command is run? I know the SARIF format includes the CVSS score under the "security-severity" attribute, but the CSV output is more useful for my current purposes, and the CVSS score is valuable information that I would like to have included in that format.

If anyone could help me out, I'd appreciate it a lot.

MathiasVP commented 1 year ago

Hi @DoubleA176-VA,

Thank you for raising this issue. This is certainly a reasonable request, but at the moment there's no way to get the CVSS score out of a database analyze run with --format=csv. So your only option is to run database analyze twice: first with --format=sarif-latest (or another sarif format), and second with --format=csv.

Since all the query results will be cached, this second run will be very fast, so this won't have a big performance impact. However, you'll have to figure out how to correlate the SARIF and CSV formats, which I think will be difficult 🤔. So it may be that your best option now is to extract the information you need from the SARIF format.

I'll create an internal issue for the relevant team, and we'll let you know once this situation has improved.
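One way to do the extraction suggested above, as an added example that is not part of this thread or of CodeQL itself: it parses the SARIF produced by --format=sarif-latest, maps each rule id to its security-severity property (read from the driver's rules and from any extension packs), and writes a CSV with that score beside every result, leaving the cell empty for rules that carry no score. The sample SARIF, the column layout and the function names are constructed for illustration; the columns deliberately do not mimic CodeQL's own --format=csv output.

```python
import csv
import io
import json
# Constructed SARIF fragment (not real CodeQL output), trimmed to the fields --format=sarif-latest emits.
SAMPLE_SARIF = json.dumps({"runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "py/unused-import", "properties": {}}]}},  # non-security query: no score
    "results": [
        {"ruleId": "py/sql-injection", "message": {"text": "Query depends on a user-provided value."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
        {"ruleId": "py/unused-import", "message": {"text": "Import of 'os' is not used."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"}, "region": {"startLine": 1}}}]}]}]})
FIELDS = ["rule", "security_severity", "message", "path", "start_line"]

def rule_scores(sarif):
    """Map rule id -> security-severity, read from the driver and any extension packs."""
    scores = {}
    for run in sarif.get("runs", []):
        tool = run.get("tool", {})
        for component in [tool.get("driver", {})] + tool.get("extensions", []):
            for rule in component.get("rules", []):
                score = rule.get("properties", {}).get("security-severity")
                if score is not None:
                    scores[rule["id"]] = float(score)
    return scores

def sarif_to_rows(sarif_text):
    """One row per SARIF result, carrying its rule's score (None when the rule has none)."""
    sarif = json.loads(sarif_text)
    scores = rule_scores(sarif)
    rows = []
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            loc = (result.get("locations") or [{}])[0].get("physicalLocation", {})
            region = loc.get("region", {})
            rows.append({"rule": result.get("ruleId", ""),
                         "security_severity": scores.get(result.get("ruleId")),
                         "message": result.get("message", {}).get("text", ""),
                         "path": loc.get("artifactLocation", {}).get("uri", ""),
                         "start_line": region.get("startLine", "")})
    return rows

def rows_to_csv(rows):
    """Serialise rows as CSV; a missing score becomes an empty cell, not a fake 0."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

Run it on a real SARIF file with rows_to_csv(sarif_to_rows(open("results.sarif").read())); results with no ruleId, or rules defined only by ruleIndex, will show up with a blank rule column and should be checked by hand.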

DoubleA176-VA commented 1 year ago

Ah, all right. I'll be sure to keep my eye on CodeQL updates and on this thread.

Thank you very much!