Open marcelstoer opened 3 days ago
Currently it uses the threshold for 'any of CVSSv2 score, CVSSv3 score or (if no CVSS score was available on the vulnerability sources) a guesstimated severity translated into a fictive CVSSv2 score (based on its threshold values of low/medium/high/critical) derived from an available textual severity'.
CVSS v4 score is currently not taken into account in the comparison on the maven plugin
is the condition that currently makes the build-breakage-or-not decision for the maven plugin
Thanks! My assumption that "the newer the CVSS, the more precise its score" is not correct then? Or, is it correct but not correctly reflected in the code?
I would have expected the code to consider the CVSS score in descending order. If there's a CVSS 4 score, take that one. If not, look for 3.1 and so on.
While the CVSS scores are imported now - we haven't updated the code to include them in the calculation yet. It is on the list of things to do.
Honestly, I care less about the score and more about things like - is the CVE on the Known Exploited Vulnerability Catalog and what is the EPSS score. I know we've added KEV; but we will need to add EPSS to the report.
One of my checks failed due to CVE-2024-8391 being above my threshold of 7. Yet, when I checked https://nvd.nist.gov/vuln/detail/CVE-2024-8391 I saw the score reported as 6.9. Only at second glance did I realize the mismatch between the CVSS 4 score (6.9) and the CVSS 3.1 score (7.5).
This made me wonder which score DependencyCheck considers; never thought about this before.
I checked the documentation as well as the Maven plugin docs and didn't see my question answered.
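The decision logic the maintainer describes above (any available CVSSv2 or CVSSv3 score is compared against the threshold, a score derived from the textual severity is used only when no CVSS score exists, and the CVSSv4 score is not consulted) placed next to the newest-version-first ordering the reporter expected, and run against the CVE-2024-8391 case from the opening post. This is an added Python example, not Dependency-Check's own code: the severity-to-score mapping, the inclusive `>=` comparison and the two `CVE-0000-EXAMPLE-*` records are assumptions or constructed data; only the 7.5 (v3.1) and 6.9 (v4) scores of CVE-2024-8391 come from the thread.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed mapping of a textual severity to a fictive CVSSv2 score. The thread
# only says the fallback is "based on its threshold values of
# low/medium/high/critical"; the exact numbers here are illustrative.
SEVERITY_TO_FICTIVE_V2 = {"low": 3.0, "medium": 6.0, "high": 9.0, "critical": 10.0}


@dataclass
class Vulnerability:
    cve: str
    cvss_v2: Optional[float] = None
    cvss_v3: Optional[float] = None
    cvss_v4: Optional[float] = None
    severity: Optional[str] = None  # textual severity from the data source, if any


def _fallback_score(v: Vulnerability) -> Optional[float]:
    """Fictive CVSSv2 score derived from the textual severity, or None."""
    if v.severity:
        return SEVERITY_TO_FICTIVE_V2.get(v.severity.lower())
    return None


def current_score(v: Vulnerability) -> Optional[float]:
    """Score compared against the threshold under the behaviour described in
    the thread: any v2 or v3 score counts, v4 is ignored, and the textual
    severity is only consulted when no CVSS score exists at all."""
    scores = [s for s in (v.cvss_v2, v.cvss_v3) if s is not None]
    if scores:
        # "any of the scores above the threshold" is the same test as
        # "the maximum of the scores above the threshold".
        return max(scores)
    return _fallback_score(v)


def newest_first_score(v: Vulnerability) -> Optional[float]:
    """Ordering the reporter expected: prefer v4, then v3, then v2, then the
    severity-derived fallback."""
    for s in (v.cvss_v4, v.cvss_v3, v.cvss_v2):
        if s is not None:
            return s
    return _fallback_score(v)


def fails_build(v: Vulnerability, threshold: float, policy: str = "current") -> bool:
    """True when the chosen policy's score reaches the threshold.
    Assumed inclusive comparison: a score equal to the threshold fails."""
    score = current_score(v) if policy == "current" else newest_first_score(v)
    return score is not None and score >= threshold


# CVE-2024-8391 carries the two scores quoted in the issue; the other records
# are constructed to show the policies diverging in the opposite direction.
SAMPLE: List[Vulnerability] = [
    Vulnerability("CVE-2024-8391", cvss_v3=7.5, cvss_v4=6.9),
    Vulnerability("CVE-0000-EXAMPLE-1", severity="high"),  # constructed: no numeric score
    Vulnerability("CVE-0000-EXAMPLE-2", cvss_v2=4.3, cvss_v3=5.3, cvss_v4=8.7),  # constructed
]


def explain(vulns: List[Vulnerability], threshold: float) -> List[str]:
    """One line per vulnerability showing both policies' score and verdict."""
    lines = []
    for v in vulns:
        lines.append(
            f"{v.cve}: current={current_score(v)} "
            f"fails={fails_build(v, threshold)} | "
            f"newest_first={newest_first_score(v)} "
            f"fails={fails_build(v, threshold, 'newest_first')}"
        )
    return lines


if __name__ == "__main__":
    print("\n".join(explain(SAMPLE, 7.0)))
```

With a threshold of 7, CVE-2024-8391 fails under the current policy (7.5 from v3.1) but would pass under newest-first (6.9 from v4), which is exactly the mismatch the reporter noticed; the constructed second record shows the reverse, where ignoring a high v4 score lets a finding through that newest-first would block. Either way the v4 score changes the verdict, so a threshold-based gate gives different results depending on which CVSS generation it reads.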