
Augment output with CVSS information.

Open themenucha opened this issue 2 years ago • 9 comments

Unfortunately, CVSS information is missing. This information could be very helpful in the vulnerability management process.

themenucha avatar Dec 22 '22 12:12 themenucha

Hi!

Some sources do have CVSS information, but this is an optional field in the OSV schema and only some of our DBs currently export this information.

We could potentially augment and provide this based on finding matching alias CVEs once we have NVD DB coverage (#783).

@andrewpollock thoughts?

oliverchang avatar Jan 05 '23 06:01 oliverchang

Yep, I think given this information is available in CVE, we should populate it in the resultant OSV record.

andrewpollock avatar Jan 06 '23 00:01 andrewpollock

I think this issue belongs better in osv-scanner.

The CVSS score can be added dynamically in the osv-scanner output, based on the grouped matches. We aren't able to modify entries from other sources.

oliverchang avatar Jan 06 '23 00:01 oliverchang

I'm thinking we're talking about two separate uses of CVSS.

I was thinking about including CVSS in the OSV records that are converted from CVEs.

I'm beginning to suspect based on your most recent comment, that you're talking about including CVSS scores in the output from OSV Scanner?

andrewpollock avatar Jan 08 '23 22:01 andrewpollock

Yep! This issue was originally in the OSV-Scanner repo, so this issue is indeed about that. Once we have NVD coverage we could potentially augment the output of OSV-Scanner based on aliases.

oliverchang avatar Jan 09 '23 01:01 oliverchang
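The augmentation sketched in the two comments above (score the grouped matches in osv-scanner's output, and fall back to CVE aliases where the OSV record carries no severity) as an added example. This is not osv-scanner or osv.dev code. It assumes the `--format json` layout of `results[].packages[]` with `vulnerabilities` and `groups`, that OSV `severity` entries are `{"type": "CVSS_V3", "score": "<vector>"}`, and it stands in a constructed `NVD_CVSS` dict for the NVD lookup; all identifiers in the sample report are made up. Because OSV severities are vector strings rather than numbers, the example also computes the CVSS v3.1 base score from the vector.

```python
"""Attach a numeric CVSS v3 base score to each vulnerability group in an
osv-scanner JSON report.  Added example, not osv-scanner code; see the
lead-in for the assumed input layout."""
import json
import math
import re

# CVSS v3.1 base-metric weights (specification constants).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}  # Privileges Required, scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.5}   # Privileges Required, scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/(.+)$")


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def cvss3_base_score(vector: str) -> float:
    """Base score for a v3.x vector, e.g. '.../S:U/C:H/I:H/A:H' -> 9.8.
    Temporal and environmental metrics in the vector are ignored."""
    m = _VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    v = dict(part.split(":", 1) for part in m.group(1).split("/"))
    changed = v["S"] == "C"
    iss = 1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * AV[v["AV"]] * AC[v["AC"]] * (PR_C if changed else PR_U)[v["PR"]] * UI[v["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min((1.08 if changed else 1.0) * (impact + expl), 10.0))


# Constructed stand-in for an NVD-derived lookup: CVE id -> CVSS v3 vector.
NVD_CVSS = {"CVE-0000-0001": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}


def score_group(vulns_by_id: dict, group: dict) -> dict:
    """Score one osv-scanner group.  Prefer CVSS_V3 severities already present
    on the group's OSV records; otherwise fall back to its CVE aliases."""
    vectors = [s["score"]
               for vid in group["ids"]
               for s in vulns_by_id.get(vid, {}).get("severity", [])
               if s.get("type") == "CVSS_V3"]
    source = "osv"
    if not vectors:
        vectors = [NVD_CVSS[a] for a in group.get("aliases", []) if a in NVD_CVSS]
        source = "nvd-alias" if vectors else "none"
    scores = [cvss3_base_score(vec) for vec in vectors]
    return {"ids": group["ids"], "vectors": vectors, "source": source,
            "max_score": max(scores) if scores else None}


def augment(report: dict) -> list:
    """Walk every package in an osv-scanner JSON report and score its groups."""
    rows = []
    for result in report.get("results", []):
        for pkg in result.get("packages", []):
            by_id = {rec["id"]: rec for rec in pkg.get("vulnerabilities", [])}
            for group in pkg.get("groups", []):
                rows.append({"package": pkg["package"]["name"], **score_group(by_id, group)})
    return rows


# Constructed sample report in osv-scanner's JSON layout; all ids are made up.
SAMPLE_REPORT = {"results": [{"source": {"path": "go.mod", "type": "lockfile"}, "packages": [
    {"package": {"name": "example.com/lib", "version": "1.2.3", "ecosystem": "Go"},
     "vulnerabilities": [{"id": "GO-0000-0001", "aliases": ["CVE-0000-0002"],
                          "severity": [{"type": "CVSS_V3",
                                        "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}],
     "groups": [{"ids": ["GO-0000-0001"], "aliases": ["GO-0000-0001", "CVE-0000-0002"]}]},
    {"package": {"name": "example.com/other", "version": "0.9.0", "ecosystem": "Go"},
     "vulnerabilities": [{"id": "GHSA-0000-0000-0000", "aliases": ["CVE-0000-0001"]}],  # no severity
     "groups": [{"ids": ["GHSA-0000-0000-0000"], "aliases": ["GHSA-0000-0000-0000", "CVE-0000-0001"]}]},
]}]}

if __name__ == "__main__":
    for row in augment(SAMPLE_REPORT):
        print(json.dumps(row))
```

Run it against a real report with `osv-scanner --format json -L go.mod > report.json` and `json.load` it in place of `SAMPLE_REPORT`. The `source` field records whether a score came from the OSV record itself or from an alias, which matters for triage: an alias-derived score describes the CVE as NVD saw it, not necessarily the ecosystem-specific advisory.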

Hi, did this go anywhere? I would really love to see this one implemented.

mindriven avatar May 20 '23 16:05 mindriven

I took a look at the data to get a sense of what the current severity availability was like:

AlmaLinux     : 0.00%
AlmaLinux:8   : 0.00%
AlmaLinux:9   : 0.00%
Alpine        : 0.00%
Alpine:v3.10  : 0.00%
Alpine:v3.11  : 0.00%
Alpine:v3.12  : 0.00%
Alpine:v3.13  : 0.00%
Alpine:v3.14  : 0.00%
Alpine:v3.15  : 0.00%
Alpine:v3.16  : 0.00%
Alpine:v3.17  : 0.00%
Alpine:v3.2   : 0.00%
Alpine:v3.3   : 0.00%
Alpine:v3.4   : 0.00%
Alpine:v3.5   : 0.00%
Alpine:v3.6   : 0.00%
Alpine:v3.7   : 0.00%
Alpine:v3.8   : 0.00%
Alpine:v3.9   : 0.00%
Android       : 0.00%
Debian        : 0.00%
Debian:10     : 0.00%
Debian:11     : 0.00%
Debian:3.0    : 0.00%
Debian:3.1    : 0.00%
Debian:4.0    : 0.00%
Debian:5.0    : 0.00%
Debian:6.0    : 0.00%
Debian:7      : 0.00%
Debian:8      : 0.00%
Debian:9      : 0.00%
GSD           : 0.00%
GitHub Actions: 100.00%
Go            : 67.39%
Hex           : 71.43%
Linux         : 0.00%
Maven         : 89.88%
NuGet         : 91.21%
OSS-Fuzz      : 0.00%
Packagist     : 89.69%
Pub           : 60.00%
PyPI          : 37.03%
Rocky Linux   : 95.01%
Rocky Linux:8 : 96.34%
Rocky Linux:9 : 89.02%
RubyGems      : 63.62%
UVI           : 0.00%
crates.io     : 64.27%
npm           : 67.19%

I'm not actively working on OSV Scanner features, so I won't keep this assigned to me. (I'm working on https://github.com/google/osv.dev/issues/783, and will be including CVSS information in the OSV records converted, although those records won't have an ecosystem)

andrewpollock avatar May 22 '23 05:05 andrewpollock

This issue has not had any activity for 60 days and will be automatically closed in two weeks

github-actions[bot] avatar Jul 25 '24 18:07 github-actions[bot]

Posting to keep this open as it may be helpful for others.

tomislacker avatar Jul 25 '24 18:07 tomislacker