VCIO does not collect some Severity (cvssv3.1) scores for a CVE #1238
Comments
|
@mjherzog @TG1999 @johnmhoran Is this issue available for contribution?
|
|
@ambuj-1211
@mjherzog would you have a few examples of such PURLs and vulnerabilities on hand? @ambuj-1211 to pick a fix you would first nee to find out why and what happened. |
|
Let's tackle this in four steps:
create Python or SQL query that finds vulnerabilities with severity information but lacking a CVSSv3 score. We'll prioritize focusing on recent vulnerabilities,
randomly sample a subset of these vulnerabilities and manually search for their missing CVSSv3 scores on public resources like the National Vulnerability Database (NVD).
|
correct me if I am wrong, for this I need to make a func in models.py and call it using custom management command? |
|
@ambuj-1211 No, just a Django or SQL query like this : |
|
@ambuj-1211 gentle ping. Are you looking to complete this? |
|
@pombredanne yes have done some work on this and will try to complete it soon. |
For a recent Vulnerability report of approximately 250 purl-CVE vulnerabilty combinations almost half were missing a Severity score (field value = NA) which is a critical deficiency for prioritizing investigation or remediation of vulnerabilities. A few cases are legitimate because the CVE has been rejected - see #1221, but in the other cases I checked there is one or more cvssv3.1 scores in the NVD (NIST:NVD and/or CNA: Google etc.). In a few cases it appear the the original CVE record did not have a cvssv3.1 value but in most cases the cvssv3.1 data is part of the original record based on the Change History. Note the cvssv3.1 data is the set of metrics not the derived numeric score.
We need to improve our CVE data collection to ensure that we capture the current Severity data and enable some tracking for adding Severity data if it was not available when we first collected a CVE or changed after we collected it.
The text was updated successfully, but these errors were encountered: