nyph-infosec / daggerboard

MIT License

Which CVE score is used for scoring and can it be customized? #1

Status: Closed (ddillard closed this 2 years ago)

ddillard commented 2 years ago

This is probably down in the weeds for where this project is now, but how do you handle CVEs that have multiple scores, e.g. one from NVD and one from the CNA? Can I customize what score is used in those situations?

Example: CVE-2021-23574 has a score from the NVD of 9.8. The score from the CNA (Snyk in this case) is 7.5. Which score is used?

Also, I can see it being useful to customize which score gets used. Personally, I'd use the CNA score as the CNA is closer to the issue and thus should have a better understanding of it. NVD scoring may be different because the CNA didn't provide enough details to justify its score (I've seen that happen with CVEs I've submitted). But, maybe someone else trusts the NVD more and wants to use its score. Or maybe someone wants to be extra cautious and use the higher score or conversely maybe they want to be more "practical" and use the lower score.

namtarb commented 2 years ago

Thanks for bringing this to our attention, and the team can definitely see how this would be a valuable feature. We are currently only looking at NVD for vulnerabilities. For a given vulnerability that is already present within the DaggerBoard database, you can manually update the details. There has not been much discussion around customizing the source for gathering vulnerabilities, though it appears that this information could be obtained through CVMAP. We are open to further discussion and contributions.

ddillard commented 2 years ago

Thanks, that's pretty much what I expected. One thing, though: you say you're only looking at NVD for vulnerabilities; however, both the MITRE score and the CNA score are provided in the data from NVD (at least when those scores differ). You can see that in the example I cited above.

namtarb commented 2 years ago

We are aware that both scores are provided; however, we only support using the score from MITRE at this time. We are open to contributions while the team works on other features on the Daggerboard roadmap.
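The score-selection policies ddillard describes (prefer NVD, prefer the CNA, take the higher, take the lower) are easy to express once the record carries both scores. The following is an added example written for this page; it is not DaggerBoard's code. It assumes the record layout of the NVD CVE API 2.0, where a CVE's `metrics.cvssMetricV31` list holds one entry per scoring source with a `source` string, a `type` of "Primary" (NVD) or "Secondary" (CNA), and the score under `cvssData.baseScore`. The sample record is constructed: the 9.8 and 7.5 values come from the issue above, and the Snyk source identifier `report@snyk.io` is an assumption. The function falls back to whatever score exists when the preferred source has not published one, which is the common case for CNA scores.

```python
import json
from typing import List, Optional, Tuple

# Constructed sample in the shape of an NVD API 2.0 CVE record (assumption:
# field names follow the API 2.0 layout). Scores are the ones cited in the
# issue; the Snyk source string is an assumption, not taken from the page.
SAMPLE_RECORD = json.loads("""
{
  "id": "CVE-2021-23574",
  "metrics": {
    "cvssMetricV31": [
      {"source": "nvd@nist.gov", "type": "Primary",
       "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}},
      {"source": "report@snyk.io", "type": "Secondary",
       "cvssData": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH"}}
    ]
  }
}
""")

# Constructed record with only an NVD score, to exercise the fallback path.
NVD_ONLY_RECORD = {
    "id": "CVE-0000-0001",  # placeholder identifier, not a real CVE
    "metrics": {"cvssMetricV31": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "cvssData": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
}

NVD_SOURCE = "nvd@nist.gov"
POLICIES = ("nvd", "cna", "max", "min")

Score = Tuple[float, str]  # (baseScore, source)


def candidate_scores(record: dict) -> List[Score]:
    """Return every (score, source) pair from the newest CVSS v3 list present.

    CVSS 3.1 entries are preferred over 3.0; the two lists are not mixed so
    that a policy like "max" compares scores computed under the same spec.
    """
    metrics = record.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30"):
        entries = metrics.get(key, [])
        if entries:
            return [(float(m["cvssData"]["baseScore"]), m["source"]) for m in entries]
    return []


def select_score(record: dict, policy: str = "nvd") -> Optional[Score]:
    """Pick one score according to policy; None when the record has no CVSS v3.

    nvd: NVD's score, falling back to a CNA score if NVD has not scored it.
    cna: the CNA's score, falling back to NVD's if no CNA score is present.
    max / min: the highest or lowest score across all sources.
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown policy {policy!r}; expected one of {POLICIES}")
    scores = candidate_scores(record)
    if not scores:
        return None
    nvd = [s for s in scores if s[1] == NVD_SOURCE]
    cna = [s for s in scores if s[1] != NVD_SOURCE]
    if policy == "nvd":
        return (nvd or cna)[0]
    if policy == "cna":
        return (cna or nvd)[0]
    if policy == "max":
        return max(scores, key=lambda s: s[0])
    return min(scores, key=lambda s: s[0])


if __name__ == "__main__":
    for policy in POLICIES:
        print(SAMPLE_RECORD["id"], policy, select_score(SAMPLE_RECORD, policy))
```

With the sample record, the four policies yield 9.8 (NVD), 7.5 (Snyk), 9.8 and 7.5 respectively; for the NVD-only record the `cna` policy falls back to 9.8. Keying on the `source` field rather than on `type` keeps the selection stable if NVD ever re-labels which entry is primary.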