Open laurentsimon opened 3 years ago
@oliverchang is this something you could do for q4?
Severity isn't actually a standard part of the schema, as it's hard to define a standardized value that makes sense for all ecosystems. There's also debate on if a severity value is generally that useful at all -- a real severity to a user depends on they they use it.
agreed on the context being important from a dependent's point of view. For the repo owner, severity helps with prioritization and could have been useful. Any thoughts on how we could make the check more granular?
Stale issue message
another idea around improving the vulnerability check is the following. Since scorecard always works at HEAD for a repo, it's likely all repos have their OSV/CVE vulnerabilities fixed at HEAD on main. I think we need a way to assess existing vulnerabilities, and the time it take to be fixed. Some examples:
cc @scovetta
There is also https://docs.github.com/en/rest/reference/code-scanning that we may use to retrieve existing vulnerabilities from scanners
This issue is stale because it has been open for 60 days with no activity.
[...] We could also take the time the vulnerabilities have been present for. Bit I think this complicates too much and I'm not sure it helps.
It would most certainly help. A critical vulnerability which is fixed before shipping should have less weight than a vulnerability a tenth as severe but for which a fix is only released a year after it's disclosed that it affects the current version (and it starts being exploited).
Thank you for reporting
Severity isn't actually a standard part of the schema, as it's hard to define a standardized value that makes sense for all ecosystems. There's also debate on if a severity value is generally that useful at all -- a real severity to a user depends on they they use it.
Issue importance is very hard to model. Indeed, impact on individual A can be orders of magnitude the impact on individual B. Even if we could consider individual importance to each user, the model would still be imperfect until it would consider that each user's usage changes over time.
None of this is reason enough to ignore importance. If we refused to estimate importance, computing would be little more than a curiosity.
We should make the
Vulnerabilities
check more granular by taking into account the severity of the vulnerabilities. Example: Critical vulnerabilities -> score -= 10 High -> score -= 7 Medium -> score -= 2 Low -> score -= 1Suggestions welcome. We could also take the time the vulnerabilities have been present for. Bit I think this complicates too much and I'm not sure it helps.