Support Custom Vulnerability Risk Scores in VEX Import
Current Behavior
Currently, Dependency-Track only considers the `analysis` section when importing CycloneDX VEX documents and ignores the rating scores provided in `vulnerabilities[].ratings[]`. This prevents organizations from sharing evolving ratings and scores in a standardized way.
When importing a VEX document with ratings:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "DEBIAN-CVE-XXX",
      "source": {
        "name": "OSV"
      },
      "ratings": [
        {
          "method": "OWASP",
          "score": 5.0,
          "severity": "critical"
        }
      ],
      "analysis": {
        "state": "in_triage",
        "detail": "Severity overridden via OWASP Risk Rating (score 5.0 → critical)"
      },
      "affects": [
        {
          "ref": "urn:cdx:078c9fd1-d871-4a3f-9820-2dfb5ee3d212/1#pkg:deb/debian/[email protected]%2Bdeb11u1?arch=amd64&distro=debian-11.11"
        }
      ]
    }
  ]
}
```
The `ratings[].score` value is not considered by Dependency-Track; only `analysis.state` and `analysis.detail` are applied.
Proposed Behavior
Similar to how `analysis.state` tracks vulnerability lifecycle changes (e.g., exploitable → resolved), the `ratings[].score` field should be used to communicate evolving risk assessments as new threat intelligence emerges.
To support this request, I opened an enhancement proposal in the CycloneDX specification to encourage consumers to process the `ratings` field.
Checklist
- [x] I have read and understand the contributing guidelines
- [x] I have checked the existing issues for whether this enhancement was already requested
As discussed with @nscuro in Slack:
I suggest that we start simple and limit score writing to the OWASP score, which doesn’t come from a remote source or at least gives the organization more control over this score using VEX. In other words, we take a confidence-driven strategy: we consider the most trusted source.
So we eliminate the risk of overriding scores from remote sources (CVSS, EPSS, etc.).
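As an added illustration of the import rule proposed above and in the Slack summary (example code written for this issue, not Dependency-Track's own importer), the following Python script parses a constructed CycloneDX 1.5 VEX document and, for each vulnerability, records the `analysis` state and detail as today, and additionally takes a score only from a rating whose `method` is `OWASP`. Ratings with remote-sourced methods (CVSS variants here) are reported as ignored rather than applied, which is the confidence-driven strategy the comment describes. The second vulnerability, the `CVE-0000-0000` id, the package URLs and all function names are constructed for the example; the `analysis.state` values checked are the CycloneDX 1.5 `impactAnalysisState` enum.

```python
import json

# Constructed CycloneDX 1.5 VEX document modelled on the one in the issue.
# The second vulnerability, its id and all package URLs are placeholders.
VEX_DOC = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "vulnerabilities": [
    {
      "id": "DEBIAN-CVE-XXX",
      "source": {"name": "OSV"},
      "ratings": [
        {"method": "CVSSv31", "score": 9.8, "severity": "critical",
         "source": {"name": "NVD"}},
        {"method": "OWASP", "score": 5.0, "severity": "critical"}
      ],
      "analysis": {
        "state": "in_triage",
        "detail": "Severity overridden via OWASP Risk Rating (score 5.0 -> critical)"
      },
      "affects": [{"ref": "pkg:deb/debian/example@1.0"}]
    },
    {
      "id": "CVE-0000-0000",
      "source": {"name": "NVD"},
      "ratings": [
        {"method": "CVSSv31", "score": 7.5, "severity": "high"}
      ],
      "analysis": {"state": "not_affected"},
      "affects": [{"ref": "pkg:deb/debian/other@2.0"}]
    }
  ]
}
""")

# Only rating methods the organization controls itself are allowed to write a
# score; everything else (CVSS*, SSVC, "other") is left to the remote sources.
TRUSTED_METHODS = {"OWASP"}

# impactAnalysisState values defined by the CycloneDX 1.5 schema.
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable",
                "in_triage", "false_positive", "not_affected"}


def select_trusted_rating(ratings, trusted_methods=TRUSTED_METHODS):
    """Return the first rating with a trusted method and a numeric score, else None."""
    for rating in ratings or []:
        if (rating.get("method") in trusted_methods
                and isinstance(rating.get("score"), (int, float))):
            return rating
    return None


def import_vex(doc, trusted_methods=TRUSTED_METHODS):
    """Build per-vulnerability updates: analysis state (current behaviour)
    plus the locally controlled score (proposed behaviour)."""
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    updates = {}
    for vuln in doc.get("vulnerabilities", []):
        vuln_id = vuln.get("id")
        if not vuln_id:
            continue  # nothing to key the update on
        analysis = vuln.get("analysis") or {}
        state = analysis.get("state")
        if state is not None and state not in VALID_STATES:
            raise ValueError(f"{vuln_id}: unknown analysis state {state!r}")
        ratings = vuln.get("ratings") or []
        chosen = select_trusted_rating(ratings, trusted_methods)
        updates[vuln_id] = {
            "state": state,
            "detail": analysis.get("detail"),
            # Score/severity come only from the trusted rating, never from CVSS/EPSS.
            "score": chosen["score"] if chosen else None,
            "severity": chosen.get("severity") if chosen else None,
            "ignored_methods": [r.get("method") for r in ratings if r is not chosen],
        }
    return updates


if __name__ == "__main__":
    print(json.dumps(import_vex(VEX_DOC), indent=2))
```

Running the script shows `DEBIAN-CVE-XXX` picking up the OWASP score of 5.0 while its CVSSv31 rating is listed under `ignored_methods`; the constructed `CVE-0000-0000`, which carries only a CVSS rating, keeps its `not_affected` state and gets no score written.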