
Remove CVSSv2 scores from vulnerablecode

Open TG1999 opened this issue 2 years ago • 4 comments

Reference: https://github.com/nexB/vulnerablecode/issues/889#issuecomment-1518413361 It will be a 3-step process:

  • Mark all advisories with CVSSv2 with a flag so improvers don't process them in the future.
  • Check none of our current importers import CVSSv2 scores
  • Writing a migration to remove all CVSSv2 score from the severity table.

TG1999 avatar Apr 25 '23 17:04 TG1999

IMHO we have these alternatives:

  1. delete everything about CVSSv2 including advisory and check if there are data sources that provide only CVSSv2 and how we can convert CVSSv2 into CVSSv3
  2. or carry some CVSSv2 in advisories and have flags to avoid reprocessing and have some more code for CVSSv2 here and there

pombredanne avatar May 08 '23 16:05 pombredanne

See also https://security.stackexchange.com/questions/127335/how-to-convert-risk-scores-cvssv1-cvssv2-cvssv3-owasp-risk-severity

pombredanne avatar May 08 '23 16:05 pombredanne

I think I got a really interesting result, take a look at https://www.kaggle.com/code/ziadhany/decision-trees-for-converting-cvss-2-to-3

ziadhany avatar Feb 12 '24 12:02 ziadhany

@pombredanne please have a look at this one!

TG1999 avatar Jul 09 '24 15:07 TG1999