DependencyCheck
Give an option to suppress vulnerabilities without a CVSS score.
Like in the examples, we use a suppression rule that suppresses all vulnerabilities below a CVSS score of 7. Our company policy demands that we handle every vulnerability by upgrading the library, adding a suppression rule or by other means.
But oftentimes when there is a new vulnerability, it doesn't have a score yet and we investigate it, only for the vulnerability to receive a score below 7 later on, meaning we could have dismissed it already at the beginning.
Could it be possible to have a suppression rule to suppress all unscored vulnerabilities? That would help us a lot.
Thanks for looking into it!
I'd need to see some substantial proof for 'oftentimes' to even lightly consider this as an available option, but strongly discouraged practice, as in my experience most CVEs start off with a CVSS- or textual rating rather than no rating at all.
If no vulnerability severity rating is available to triage the issue on, you should triage yourself and assume for the worst case (CVSS 10) until proven otherwise.
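As an added illustration of the two positions above (not code from this thread or from DependencyCheck itself), the script below reads a constructed suppression file carrying the `cvssBelow` rule of 7 that the opening post describes, applies it to a constructed ODC-style JSON report, and keeps any finding without a published score out of the suppressed set, assigning it the worst-case score of 10 until someone triages it. The report field names (`dependencies[].vulnerabilities[].cvssv3.baseScore` and `cvssv2.score`) are assumed from the ODC JSON report format, and the sample findings reuse the CVE numbers and final NVD scores quoted later in this thread.

```python
"""Apply a DependencyCheck-style cvssBelow threshold to a report, keeping
unscored findings visible and treating them as worst case (CVSS 10).

Constructed example, not DependencyCheck's own code. The report field names
(dependencies[].vulnerabilities[].cvssv3.baseScore / cvssv2.score) are
assumptions about the ODC JSON report layout; adjust for your report version.
"""
import json
import xml.etree.ElementTree as ET
from typing import Optional

WORST_CASE_SCORE = 10.0  # unscored findings are assumed CVSS 10 until triaged

# Constructed suppression file mirroring the "below CVSS 7" rule from the thread.
SUPPRESSION_XML = """<?xml version="1.0" encoding="UTF-8"?>
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">
  <suppress>
    <notes><![CDATA[Company policy: findings below CVSS 7 are accepted.]]></notes>
    <cvssBelow>7</cvssBelow>
  </suppress>
</suppressions>
"""

# Constructed, minimal ODC-style report. Scores are the final NVD values
# quoted in this thread; CVE-2024-29180 is left unscored, as it was in NVD.
REPORT_JSON = json.dumps({
    "dependencies": [
        {"fileName": "axios-sample.tgz", "vulnerabilities": [
            {"name": "CVE-2023-45857", "source": "NVD", "cvssv3": {"baseScore": 6.5}},
            {"name": "CVE-2023-46298", "source": "NVD", "cvssv3": {"baseScore": 7.5}},
        ]},
        {"fileName": "misc-sample.jar", "vulnerabilities": [
            {"name": "CVE-2023-44270", "source": "NVD", "cvssv2": {"score": 5.3}},
            {"name": "CVE-2024-29180", "source": "NVD"},  # no NVD score published
        ]},
    ]
})


def parse_cvss_threshold(xml_text: str) -> Optional[float]:
    """Return the first cvssBelow value in a suppression file, or None if absent.

    The tag is matched by local name so the file may or may not use the
    dependency-suppression namespace.
    """
    root = ET.fromstring(xml_text)
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "cvssBelow" and element.text:
            return float(element.text.strip())
    return None


def vuln_score(vuln: dict) -> Optional[float]:
    """Prefer the CVSS v3 base score, fall back to v2; None means unscored."""
    v3 = vuln.get("cvssv3") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if "score" in v2:
        return float(v2["score"])
    return None


def triage(report_text: str, threshold: float) -> dict:
    """Split findings into suppressed, reported and unscored buckets.

    Each bucket holds (fileName, CVE id, effective score). Unscored findings
    are never suppressed; they carry WORST_CASE_SCORE until a human triages them.
    """
    report = json.loads(report_text)
    result = {"suppressed": [], "reported": [], "unscored": []}
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            score = vuln_score(vuln)
            if score is None:
                result["unscored"].append((dep["fileName"], vuln["name"], WORST_CASE_SCORE))
            elif score < threshold:
                result["suppressed"].append((dep["fileName"], vuln["name"], score))
            else:
                result["reported"].append((dep["fileName"], vuln["name"], score))
    return result


if __name__ == "__main__":
    limit = parse_cvss_threshold(SUPPRESSION_XML) or 0.0
    buckets = triage(REPORT_JSON, limit)
    for bucket, findings in buckets.items():
        print(f"{bucket}:")
        for file_name, cve, score in findings:
            print(f"  {file_name}  {cve}  effective CVSS {score}")
```

Run as a script, the unscored finding lands in its own bucket with an effective score of 10 and is therefore never hidden by the threshold rule, which is the outcome the maintainer's reply argues for.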
@aikebah You're right. Unfortunately, the case where a CVE was unscored and later on received a score below 7 happened much more often. I guess a more severe or critical CVE will get its score much faster.
Now I just discovered the new CVE-2024-29180 in webpack-dev-middleware with Dependabot in our project. It has a 7.4 score in GHSA but no score in the NVD, so I would have expected it to be listed in our ODC report, but it's not there. We're still on ODC version 8.2.1 (sorry, I should have mentioned it above), so the change in behavior is not with ODC I think.
Do you know if something changed regarding the databases?
However, I still want to provide examples where a CVE was unscored at first, sometimes with no textual description to help triage, or links to actually understand the problem. (You can see it in the change history at NVD)
https://nvd.nist.gov/vuln/detail/CVE-2023-45857 (unscored for 8 days, then 6.5)
https://nvd.nist.gov/vuln/detail/CVE-2023-44270 (unscored for 12 days, then 5.3)
https://nvd.nist.gov/vuln/detail/CVE-2023-46298 (unscored for 6 days, then 7.5)