
Add advisory quality scoring to VCIO

Open TG1999 opened this issue 3 years ago • 3 comments

We need a way to score the reliability of advisories, since multiple advisories for the same vulnerability may differ in significant details.

First step is to identify the scoring criteria, and provide a weighting for each element.

TG1999, Dec 06 '22 16:12

A good way to get moving on this would be to examine some examples of advisory conflicts. Would anyone like to suggest specific cases?

DennisClark, Dec 06 '22 16:12

@DennisClark https://github.com/advisories/GHSA-r8f7-9pfq-mjmv and https://nvd.nist.gov/vuln/detail/CVE-2020-24025: GHSA identifies >=2.0.0, <7.0.0 as affected versions, whereas NVD identifies >=2.0.0, <=4.14.1.

TG1999, Dec 06 '22 19:12

Thanks @TG1999. Looking at both, I think there are at least two elements we can consider for scoring:

  • Patched (or Fixing) Version Identified. True/False value where True would have a positive weight, perhaps a 10.
  • Current Information. True/False value where True would have a positive weight, perhaps a 20. This would be determined if the last updated date (or last commit date) is in the past 30 days OR a fixing version is identified.

It is interesting (and surprising actually) that the NVD example is quite obsolete, based on the dates available on the posting, which helps to explain why it provides a narrower version range, making the GHSA example more reliable in this specific case.

DennisClark, Dec 06 '22 20:12
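The two criteria proposed in the comment above (fixing version identified, weight 10; current information, weight 20, where "current" means updated in the last 30 days or a fixing version is known), applied to several advisories for one vulnerability. This is an added example, not VulnerableCode's code: the `Advisory` fields, the `rank_advisories` tie-break on update date, and all sample advisories are assumptions made for this illustration. The sample version ranges mirror the GHSA/NVD disagreement quoted in the thread, but the fixing versions and dates attached to them are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Weights as proposed in the thread; illustrative values, not a VulnerableCode setting.
PATCHED_VERSION_WEIGHT = 10
CURRENT_INFO_WEIGHT = 20
CURRENT_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class Advisory:
    """Minimal advisory record; the field names are assumptions for this example."""
    source: str
    affected_range: str            # kept for display only, not scored here
    fixed_version: Optional[str]   # None when the advisory names no fixing version
    last_updated: Optional[date]   # None when the source publishes no update date


def has_fixed_version(adv: Advisory) -> bool:
    # Criterion 1: a patched (fixing) version is identified.
    return bool(adv.fixed_version and adv.fixed_version.strip())


def is_current(adv: Advisory, today: date) -> bool:
    # Criterion 2: updated within the last 30 days OR a fixing version is identified.
    if has_fixed_version(adv):
        return True
    if adv.last_updated is None:
        return False          # no date and no fix: cannot be called current
    return today - adv.last_updated <= CURRENT_WINDOW


def quality_score(adv: Advisory, today: date) -> int:
    score = 0
    if has_fixed_version(adv):
        score += PATCHED_VERSION_WEIGHT
    if is_current(adv, today):
        score += CURRENT_INFO_WEIGHT
    return score


def rank_advisories(advisories: List[Advisory], today: date) -> List[Advisory]:
    """Highest score first; ties broken by most recent update, undated entries last."""
    def key(adv: Advisory):
        return (quality_score(adv, today), adv.last_updated or date.min)
    return sorted(advisories, key=key, reverse=True)


# Constructed sample data. Ranges follow the GHSA/NVD conflict in the thread;
# fixing versions and dates are made up to exercise each branch of the scoring.
TODAY = date(2022, 12, 6)
SAMPLE_ADVISORIES = [
    Advisory("advisory-a", ">=2.0.0, <7.0.0", "7.0.0", date(2022, 11, 20)),   # fix + recent
    Advisory("advisory-b", ">=2.0.0, <=4.14.1", None, date(2021, 1, 15)),     # no fix, stale
    Advisory("advisory-c", ">=2.0.0, <=4.14.1", None, date(2022, 11, 6)),     # no fix, exactly 30 days old
    Advisory("advisory-d", ">=2.0.0, <=4.14.1", None, date(2022, 11, 5)),     # no fix, 31 days old
    Advisory("advisory-e", ">=2.0.0, <=4.14.1", "4.14.2", None),              # fix, no date at all
]

if __name__ == "__main__":
    for adv in rank_advisories(SAMPLE_ADVISORIES, TODAY):
        print(f"{adv.source}: score={quality_score(adv, TODAY)} range={adv.affected_range}")
```

One property of the proposal worth noticing when running this: because "current" is also satisfied by a known fixing version, any advisory that names a fix scores the full 30 regardless of its age, so the recency window only ever separates advisories that lack a fix. If that is not the intent, the two criteria need to be made independent.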

I think that the functionality described in this enhancement overlaps a good deal with the work we have already done on Risk, Exploitability, and Weighted Severity scoring. Closing.

DennisClark, Apr 02 '25 22:04