jeremylong / DependencyCheck

OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
https://owasp.org/www-project-dependency-check/
Apache License 2.0

CVSS 3.1 vs. 4 (example CVE-2024-8391) #6968

Open marcelstoer opened 3 days ago

marcelstoer commented 3 days ago

One of my checks failed due to CVE-2024-8391 being above my threshold of 7. Yet, when I checked https://nvd.nist.gov/vuln/detail/CVE-2024-8391 I saw the score reported as 6.9. Only at second glance did I realize the mismatch between the CVSS 4 score (6.9) and the CVSS 3.1 score (7.5).

This made me wonder which score DependencyCheck considers; never thought about this before.

I checked the documentation as well as the Maven plugin docs and didn't see my question answered.

aikebah commented 23 hours ago

Currently it uses the threshold for any of CVSSv2 score, CVSSv3 score or (if no CVSS score was available on the vulnerability sources) a guesstimated severity translated into a fictive CVSSv2 score (based on its threshold values of low/medium/high/critical) derived from an available textual severity.

CVSS v4 score is currently not taken into account in the comparison on the maven plugin.

https://github.com/jeremylong/DependencyCheck/blob/9688ad748f11b6ab4f258888e9ede051e52c3aa7/maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java#L2680-L2688

is the condition that currently makes the build-breakage-or-not decision for the maven plugin.

marcelstoer commented 14 hours ago

Thanks! My assumption that "the newer the CVSS, the more precise its score" is not correct then? Or, is it correct but not correctly reflected in the code?

I would have expected the code to consider the CVSS score in descending order. If there's a CVSS 4 score, take that one. If not, look for 3.1 and so on.
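As an added illustration of the two comments above (example code, not the project's own logic, and not an excerpt of the linked `BaseDependencyCheckMojo` condition): the first function models the comparison aikebah describes (CVSSv2 or CVSSv3 against the threshold, a fictive CVSSv2 score derived from the textual severity only when no numeric score exists, CVSSv4 ignored), and the second models marcelstoer's expectation of taking the newest available CVSS version. The severity-to-score mapping values, the `>=` comparison and the two `CVE-0000-000x` records are assumptions constructed for the example; the scores on CVE-2024-8391 are the ones quoted in the issue.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Textual severity -> fictive CVSSv2 score, used only when a vulnerability
# carries no numeric CVSS score at all. aikebah describes such a mapping; the
# concrete values below are assumptions for this example, not the project's.
SEVERITY_TO_FICTIVE_CVSS2: Dict[str, float] = {
    "low": 3.9,
    "medium": 6.9,
    "high": 8.9,
    "critical": 10.0,
}


@dataclass
class Vulnerability:
    """Minimal stand-in for a vulnerability record with optional CVSS scores."""
    cve: str
    cvss2: Optional[float] = None
    cvss3: Optional[float] = None
    cvss4: Optional[float] = None
    severity: Optional[str] = None  # textual severity from the data source


def fictive_cvss2(severity: Optional[str]) -> Optional[float]:
    """Translate a textual severity into a fictive CVSSv2 score (assumed mapping)."""
    if severity is None:
        return None
    return SEVERITY_TO_FICTIVE_CVSS2.get(severity.lower())


def fails_current(v: Vulnerability, threshold: float) -> bool:
    """Model of the comparison aikebah describes: the build breaks if the
    CVSSv2 score, the CVSSv3 score, or (only when neither is present) the
    fictive severity-derived score reaches the threshold. CVSSv4 is never
    consulted. The '>=' comparison is an assumption of this example."""
    if v.cvss2 is not None and v.cvss2 >= threshold:
        return True
    if v.cvss3 is not None and v.cvss3 >= threshold:
        return True
    if v.cvss2 is None and v.cvss3 is None:
        fictive = fictive_cvss2(v.severity)
        if fictive is not None and fictive >= threshold:
            return True
    return False


def fails_newest_first(v: Vulnerability, threshold: float) -> bool:
    """Model of marcelstoer's expectation: take the newest CVSS version that
    has a score (v4, then v3, then v2) and compare only that one; fall back
    to the fictive severity-derived score when no numeric score exists."""
    for score in (v.cvss4, v.cvss3, v.cvss2):
        if score is not None:
            return score >= threshold
    fictive = fictive_cvss2(v.severity)
    return fictive is not None and fictive >= threshold


def compare_policies(vulns: List[Vulnerability], threshold: float) -> Dict[str, Dict[str, bool]]:
    """Evaluate every vulnerability under both policies so the differences show."""
    return {
        v.cve: {
            "current": fails_current(v, threshold),
            "newest_first": fails_newest_first(v, threshold),
        }
        for v in vulns
    }


# Constructed sample records. CVE-2024-8391 carries the scores quoted in the
# issue (CVSSv3.1 7.5, CVSSv4 6.9); the other two CVE ids are placeholders.
SAMPLE_VULNS = [
    Vulnerability(cve="CVE-2024-8391", cvss3=7.5, cvss4=6.9),
    Vulnerability(cve="CVE-0000-0001", cvss4=8.0),        # placeholder: v4 score only
    Vulnerability(cve="CVE-0000-0002", severity="high"),  # placeholder: textual severity only
]

if __name__ == "__main__":
    for cve, result in compare_policies(SAMPLE_VULNS, threshold=7.0).items():
        print(f"{cve}: current={'FAIL' if result['current'] else 'pass'} "
              f"newest_first={'FAIL' if result['newest_first'] else 'pass'}")
```

With the threshold set to 7, the two policies disagree in both directions: CVE-2024-8391 breaks the build under the current-style check (v3.1 7.5) but passes under newest-first (v4 6.9), while a record that carries only a v4 score is invisible to the current-style check and caught by newest-first. That second case is the one a defender should watch for as data sources move to CVSSv4.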

jeremylong commented 8 hours ago

While the CVSS scores are imported now, we haven't updated the code to include them in the calculation yet. It is on the list of things to do.

Honestly, I care less about the score and more about things like - is the CVE on the Known Exploited Vulnerability Catalog and what is the EPSS score. I know we've added KEV; but we will need to add EPSS to the report.