google / osv-scanner

Vulnerability scanner written in Go which uses the data provided by https://osv.dev
https://google.github.io/osv-scanner/
Apache License 2.0

Augment output with CVSS information. #123

Open themenucha opened 1 year ago

themenucha commented 1 year ago

Unfortunately, CVSS information is missing. This information could be very helpful in the vulnerability management process.

oliverchang commented 1 year ago

Hi!

Some sources do have CVSS information, but this is an optional field in the OSV schema and only some of our DBs currently export this information.

We could potentially augment and provide this based on finding matching alias CVEs once we have NVD DB coverage (#783).

@andrewpollock thoughts?

andrewpollock commented 1 year ago

Yep, I think given this information is available in CVE, we should populate it in the resultant OSV record.

oliverchang commented 1 year ago

I think this issue belongs better in osv-scanner.

The CVSS score can be added dynamically in the osv-scanner output, based on the grouped matches. We aren't able to modify entries from other sources.

andrewpollock commented 1 year ago

I'm thinking we're talking about two separate uses of CVSS.

I was thinking about including CVSS in the OSV records that are converted from CVEs.

I'm beginning to suspect, based on your most recent comment, that you're talking about including CVSS scores in the output from OSV Scanner?

oliverchang commented 1 year ago

Yep! This issue was originally in the OSV-Scanner repo, so this issue is indeed about that. Once we have NVD coverage we could potentially augment the output of OSV-Scanner based on aliases.
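
The alias-based augmentation sketched in the two comments above, as an added Go example that is not osv-scanner's own code and is not from this thread. It assumes a `cveIndex` map from CVE id to an OSV-format record (a stand-in for the NVD-derived records mentioned in the thread), uses the real OSV schema fields `aliases` and `severity`, and never overwrites a severity the original source already exported; the sample record and CVE entry are constructed placeholders, not real advisories.

```go
package main

import "encoding/json"

// Subset of the OSV schema relevant here: "severity" is optional, and "aliases"
// links the same vulnerability across sources (e.g. a GHSA id to its CVE id).
type Severity struct {
	Type  string `json:"type"`  // e.g. "CVSS_V3"
	Score string `json:"score"` // the CVSS vector string
}

type Vulnerability struct {
	ID       string     `json:"id"`
	Aliases  []string   `json:"aliases,omitempty"`
	Severity []Severity `json:"severity,omitempty"`
}

// AugmentSeverity returns v with a severity copied from the first alias found in
// cveIndex that carries one; a severity from v's own source is never overwritten.
func AugmentSeverity(v Vulnerability, cveIndex map[string]Vulnerability) Vulnerability {
	if len(v.Severity) > 0 {
		return v
	}
	for _, alias := range v.Aliases {
		if cve, ok := cveIndex[alias]; ok && len(cve.Severity) > 0 {
			v.Severity = append([]Severity(nil), cve.Severity...)
			break
		}
	}
	return v
}

// AugmentJSON parses one OSV record, augments it, and re-serialises it: the
// shape of a post-processing step over scanner output (assumed, not osv-scanner's).
func AugmentJSON(record []byte, cveIndex map[string]Vulnerability) ([]byte, error) {
	var v Vulnerability
	if err := json.Unmarshal(record, &v); err != nil {
		return nil, err
	}
	return json.Marshal(AugmentSeverity(v, cveIndex))
}

// Constructed sample data (placeholder ids, not real advisories): a GHSA-style
// record without a severity, and a CVE-converted record that has one.
var SampleRecord = []byte(`{"id":"GHSA-xxxx-xxxx-xxxx","aliases":["CVE-0000-00000"]}`)

var SampleCVEIndex = map[string]Vulnerability{
	"CVE-0000-00000": {ID: "CVE-0000-00000", Severity: []Severity{{Type: "CVSS_V3", Score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}},
}
```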

mindriven commented 1 year ago

Hi, did this go anywhere? I would really love to see this one implemented.

andrewpollock commented 1 year ago

I took a look at the data to get a sense of what the current severity availability was like:

AlmaLinux     : 0.00%
AlmaLinux:8   : 0.00%
AlmaLinux:9   : 0.00%
Alpine        : 0.00%
Alpine:v3.10  : 0.00%
Alpine:v3.11  : 0.00%
Alpine:v3.12  : 0.00%
Alpine:v3.13  : 0.00%
Alpine:v3.14  : 0.00%
Alpine:v3.15  : 0.00%
Alpine:v3.16  : 0.00%
Alpine:v3.17  : 0.00%
Alpine:v3.2   : 0.00%
Alpine:v3.3   : 0.00%
Alpine:v3.4   : 0.00%
Alpine:v3.5   : 0.00%
Alpine:v3.6   : 0.00%
Alpine:v3.7   : 0.00%
Alpine:v3.8   : 0.00%
Alpine:v3.9   : 0.00%
Android       : 0.00%
Debian        : 0.00%
Debian:10     : 0.00%
Debian:11     : 0.00%
Debian:3.0    : 0.00%
Debian:3.1    : 0.00%
Debian:4.0    : 0.00%
Debian:5.0    : 0.00%
Debian:6.0    : 0.00%
Debian:7      : 0.00%
Debian:8      : 0.00%
Debian:9      : 0.00%
GSD           : 0.00%
GitHub Actions: 100.00%
Go            : 67.39%
Hex           : 71.43%
Linux         : 0.00%
Maven         : 89.88%
NuGet         : 91.21%
OSS-Fuzz      : 0.00%
Packagist     : 89.69%
Pub           : 60.00%
PyPI          : 37.03%
Rocky Linux   : 95.01%
Rocky Linux:8 : 96.34%
Rocky Linux:9 : 89.02%
RubyGems      : 63.62%
UVI           : 0.00%
crates.io     : 64.27%
npm           : 67.19%

I'm not actively working on OSV Scanner features, so I won't keep this assigned to me. (I'm working on https://github.com/google/osv.dev/issues/783, and will be including CVSS information in the OSV records converted, although those records won't have an ecosystem)

github-actions[bot] commented 1 month ago

This issue has not had any activity for 60 days and will be automatically closed in two weeks

tomislacker commented 1 month ago

Posting to keep this open as it may be helpful for others.