z-arnott / Vega


Handle CVEs without CVSS #16

Open z-arnott opened 1 year ago

z-arnott commented 1 year ago

Some CVEs may not contain a CVSS vector or score.

From NVD API:

metrics (optional): This object contains information on the CVE's impact. If the CVE has been analyzed, this object will contain any CVSSv2 or CVSSv3 information associated with the vulnerability.

Right now, our system assigns a maximum impact and likelihood to CVEs without a CVSS vector. There could be a better solution.
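One way to handle the optional `metrics` object while keeping fallback values distinguishable from real scores, as an added example that is not code from this issue or from the Vega project. It assumes NVD API 2.0 response JSON; the `WORST_CASE` values, the mapping of `exploitabilityScore` to likelihood, the function names, and the placeholder CVE ids in the constructed sample are assumptions.

```python
import json

# CVSS v3/v2 keys of the NVD API 2.0 "metrics" object, preferred version first.
METRIC_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
WORST_CASE = (10.0, 10.0)  # hypothetical (impact, likelihood) fallback, an assumption

def pick_metric(cve):
    """Return the preferred CVSS entry of a CVE record, or None if it has none."""
    metrics = cve.get("metrics") or {}  # "metrics" may be absent or an empty object
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        if entries:
            # Prefer NVD's own "Primary" assessment over "Secondary" ones.
            primary = [m for m in entries if m.get("type") == "Primary"]
            return (primary or entries)[0]
    return None

def assess(cve, fallback=WORST_CASE):
    """Map a CVE record to impact/likelihood and mark fallback values as unscored."""
    metric = pick_metric(cve)
    if metric is None:
        # No CVSS data: keep the worst-case policy, but flag it for review.
        return {"id": cve["id"], "scored": False, "vector": None,
                "impact": fallback[0], "likelihood": fallback[1],
                "status": cve.get("vulnStatus")}
    # Assumption: likelihood is taken from the CVSS exploitability sub-score.
    return {"id": cve["id"], "scored": True,
            "vector": metric["cvssData"]["vectorString"],
            "impact": metric["impactScore"],
            "likelihood": metric["exploitabilityScore"],
            "status": cve.get("vulnStatus")}

def assess_response(body):
    """Assess every record in an NVD API 2.0 response body (JSON text)."""
    return [assess(item["cve"]) for item in json.loads(body)["vulnerabilities"]]

# Constructed sample response: placeholder CVE ids, one scored record,
# one with an empty "metrics" object and one with no "metrics" key at all.
SAMPLE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "metrics": {
        "cvssMetricV31": [{"type": "Primary", "impactScore": 5.9,
                           "exploitabilityScore": 3.9, "cvssData": {
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Received"}},
]})

if __name__ == "__main__":
    for row in assess_response(SAMPLE):
        print(row)
```

The `scored` flag and `status` field let a report separate vulnerabilities that were rated at the maximum from those that simply have not been analyzed yet.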

rhass-uta commented 1 year ago

@z-arnott does that apply to vulnerabilities or were you talking about packages?

rhass-uta commented 1 year ago

Zoe clarified