intel / cve-bin-tool

The CVE Binary Tool helps you determine if your system includes known vulnerabilities. You can scan binaries for over 200 common, vulnerable components (openssl, libpng, libxml2, expat and others), or if you know the components used, you can get a list of known vulnerabilities associated with an SBOM or a list of components and versions.
https://cve-bin-tool.readthedocs.io/en/latest/
GNU General Public License v3.0

fix: modernize cvss score loading #4373

Closed terriko closed 1 month ago

terriko commented 1 month ago

Turns out our cvss score loading code was out of date and thus wasn't loading scores correctly and was throwing off a lot of log messages.

terriko commented 1 month ago

Added some basic input validation on score/severity. The CVSS parsing library we're using will handle some input validation, but I'm doing some research to do some basic character filtering here before I declare this done.

terriko commented 1 month ago

Character filtering done! I think this is ready for review.

terriko commented 1 month ago

@anthonyharrison I have done some more research and it turns out other than [0-9.] the other way to check if a string is a float in python is to just cast it to float() and see what happens. I'm amused.
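The comments above (the character filtering added in this PR and the observation that `float()` is the other way to test for a float) are illustrated below with an added example. This is not cve-bin-tool's own code and its function names (`parse_cvss_score`, `parse_severity`, `float_accepts`) and the `PERMISSIVE_INPUTS` list are constructed here; it shows why an allowlist of `[0-9.]` is worth applying before the cast, since `float()` on its own accepts several strings that are not CVSS scores.

```python
import re

# Constructed example, not cve-bin-tool's code: a conservative parser for a
# CVSS base score and severity string read from an untrusted feed.

# ASCII-only allowlist. Note that \d or str.isdigit() would also accept
# non-ASCII decimal digits such as Arabic-Indic digits, which float() parses.
SCORE_RE = re.compile(r"[0-9]+(\.[0-9]+)?")
SEVERITIES = {"NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"}


def parse_cvss_score(raw):
    """Return the score as a float, or None if the input is not a plain
    decimal number inside the CVSS range 0.0-10.0."""
    if not isinstance(raw, str):
        return None
    s = raw.strip()
    # Character filter first: float() alone is too permissive (see below).
    if not SCORE_RE.fullmatch(s):
        return None
    value = float(s)
    if not 0.0 <= value <= 10.0:
        return None
    return value


def parse_severity(raw):
    """Normalise a severity label to upper case and check it against the
    fixed CVSS vocabulary; anything else is rejected."""
    if not isinstance(raw, str):
        return None
    s = raw.strip().upper()
    return s if s in SEVERITIES else None


def float_accepts(raw):
    """True if float() parses the string without raising. Used only to show
    which inputs the character filter exists to reject."""
    try:
        float(raw)
    except (TypeError, ValueError):
        return False
    return True


# Constructed inputs that float() accepts but that are not valid scores:
# NaN/infinity, exponent notation, PEP 515 underscores, an explicit sign,
# and a non-ASCII decimal digit (Arabic-Indic seven).
PERMISSIVE_INPUTS = ["nan", "inf", "-inf", "1e1", "1_0", "+7", "\u0667"]


if __name__ == "__main__":
    for s in PERMISSIVE_INPUTS:
        print(repr(s), "float() accepts:", float_accepts(s),
              "parsed score:", parse_cvss_score(s))
    print(parse_cvss_score("7.5"), parse_severity(" high "))
```

Strip first, then allowlist, then cast, then range-check: each step only has to reason about input the previous one let through, and the range check catches values such as `12.0` that pass the character filter.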