sonatype-nexus-community / scan-gradle-plugin

Gradle plugin that scans the dependencies of a Gradle project using Sonatype platforms: OSS Index and Nexus IQ Server.
Apache License 2.0
77 stars 21 forks

Update CVSS Threshold limit #138

Closed shaikhu closed 1 year ago

shaikhu commented 1 year ago

Agreed with the creator of #137. According to the CVSS spec, it looks like the high score should be set to 7.

Ref: https://nvd.nist.gov/vuln-metrics/cvss

It relates to the following issue #s:

cc @bhamail / @DarthHater / @guillermo-varela / @shaikhu

guillermo-varela commented 1 year ago

@shaikhu, do you think we should increment the minor version here? https://github.com/sonatype-nexus-community/scan-gradle-plugin/blob/main/gradle.properties#L18

Changing the assessment of vulnerabilities might have an impact on existing integrations for users, so a change in the minor might serve as an extra "alert" of that.

shaikhu commented 1 year ago

> @shaikhu, do you think we should increment the minor version here? https://github.com/sonatype-nexus-community/scan-gradle-plugin/blob/main/gradle.properties#L18
>
> Changing the assessment of vulnerabilities might have an impact on existing integrations for users, so a change in the minor might serve as an extra "alert" of that.

:+1: 3454c7d