nexB / vulnerablecode

A free and open vulnerabilities database and the packages they impact. And the tools to aggregate and correlate these vulnerabilities. Sponsored by NLnet https://nlnet.nl/project/vulnerabilitydatabase/ for https://www.aboutcode.org/ Chat at https://gitter.im/aboutcode-org/vulnerablecode Docs at https://vulnerablecode.readthedocs.org/
https://public.vulnerablecode.io
Apache License 2.0

Add advisory clarity scoring to VCIO #1031

Open TG1999 opened 1 year ago

TG1999 commented 1 year ago

We need a way to score the reliability of advisories, since multiple advisories for the same vulnerability may differ in significant details.

First step is to identify the scoring criteria, and provide a weighting for each element.

DennisClark commented 1 year ago

A good way to get moving on this would be to examine some examples of advisory conflicts. Would anyone like to suggest specific cases?

TG1999 commented 1 year ago

@DennisClark https://github.com/advisories/GHSA-r8f7-9pfq-mjmv and https://nvd.nist.gov/vuln/detail/CVE-2020-24025. GHSA identifies >= 2.0.0, < 7.0.0 as affected versions, whereas NVD identifies >=2.0.0, <=4.14.1.

DennisClark commented 1 year ago

Thanks @TG1999. Looking at both, I think there are at least two elements we can consider for scoring:

It is interesting (and surprising actually) that the NVD example is quite obsolete, based on the dates available on the posting, which helps to explain why it provides a narrower version range, making the GHSA example more reliable in this specific case.
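As an added illustration of the two elements raised in this thread (conflicting affected-version ranges, and how current each advisory is), the Python below is example code, not part of vulnerablecode: it parses the GHSA and NVD ranges quoted above, lists the released versions on which the two sources disagree, and computes a simple weighted clarity score. The `last_modified` dates, the list of known versions and the weights are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
import operator, re

OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt, "<": operator.lt, "==": operator.eq}

def parse_version(text):
    """Dotted numeric version -> comparable tuple, e.g. '4.14.1' -> (4, 14, 1)."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_range(spec):
    """'>= 2.0.0, < 7.0.0' -> [(ge, (2,0,0)), (lt, (7,0,0))]; ValueError if malformed."""
    constraints = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|==)\s*(\d+(?:\.\d+)*)\s*", clause)
        if not m:
            raise ValueError(f"unparseable constraint: {clause!r}")
        constraints.append((OPS[m.group(1)], parse_version(m.group(2))))
    return constraints

def is_affected(spec, version):
    return all(op(parse_version(version), bound) for op, bound in parse_range(spec))

@dataclass(frozen=True)
class Advisory:
    source: str
    affected_spec: str
    last_modified: date  # constructed for this example, not the real advisory dates

def disagreements(advisories, known_versions):
    """Released versions on which the advisories do not all give the same verdict."""
    return [v for v in known_versions
            if len({is_affected(a.affected_spec, v) for a in advisories}) > 1]

def clarity_score(advisory, today, max_age_days=365, weights=(0.6, 0.4)):
    """Weighted 0..1 score: recency of the last update, plus a machine-parseable range."""
    w_recency, w_parseable = weights
    age_days = (today - advisory.last_modified).days
    recency = max(0.0, 1.0 - age_days / max_age_days)
    try:
        parse_range(advisory.affected_spec)
        parseable = 1.0
    except ValueError:
        parseable = 0.0
    return round(w_recency * recency + w_parseable * parseable, 3)

# Ranges quoted in the thread; dates and the version list are constructed placeholders.
GHSA = Advisory("GHSA-r8f7-9pfq-mjmv", ">= 2.0.0, < 7.0.0", date(2023, 6, 1))
NVD = Advisory("CVE-2020-24025 (NVD)", ">=2.0.0 , <=4.14.1", date(2021, 1, 15))
TODAY = date(2023, 7, 1)
KNOWN_VERSIONS = ["1.9.0", "2.0.0", "4.14.1", "4.15.0", "6.9.9", "7.0.0"]
```

With these inputs `disagreements([GHSA, NVD], KNOWN_VERSIONS)` returns the versions above 4.14.1 that only GHSA marks as affected, and the stale NVD entry scores lower on recency.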