sephiroth-j
commented
10 months ago A good addition, as the number of unassigned findings contributes to the overall risk score.
Closed luisbraga-msg closed 10 months ago
sephiroth-j
commented
10 months ago A good addition, as the number of unassigned findings contributes to the overall risk score.
Is your feature request related to a problem? Please describe.
At the moment it is not possible to specify thresholds for vulnerabilities of "unassigned" category. I'm assuming this is intended behavior, since "unassigned" vulnerabilities are kind of in limbo.
However, I'm not 100% sure if those should be ignored. In practice, there are some yet unclassified but already confirmed vulnerabilities that are getting unnoticed. For instance, very recently we faced https://nvd.nist.gov/vuln/detail/CVE-2023-1370, which is unclassified at the moment. That vulnerability was already acknowledge and fixed by the vendor.
In our case, it flight under the radar until someone realized we were building/releasing with vulnerabilities.
Describe the solution you'd like
As it is done for other vulnerability categories, I would like to be able to specify thresholds for the "unassigned" vulnerabilities.
Let me know what you think about this solution, or if you recommend another way of dealing with this situation. If you think this should be implemented, I can work on a MR.