vulnerablecode icon indicating copy to clipboard operation
vulnerablecode copied to clipboard

Published 20 hours ago verified publisher icon nexB

VCIO does not collect some Severity (cvssv3.1) scores for a CVE

Open mjherzog opened this issue 1 year ago • 7 comments

For a recent Vulnerability report of approximately 250 purl-CVE vulnerabilty combinations almost half were missing a Severity score (field value = NA) which is a critical deficiency for prioritizing investigation or remediation of vulnerabilities. A few cases are legitimate because the CVE has been rejected - see https://github.com/nexB/vulnerablecode/issues/1221, but in the other cases I checked there is one or more cvssv3.1 scores in the NVD (NIST:NVD and/or CNA: Google etc.). In a few cases it appear the the original CVE record did not have a cvssv3.1 value but in most cases the cvssv3.1 data is part of the original record based on the Change History. Note the cvssv3.1 data is the set of metrics not the derived numeric score.

We need to improve our CVE data collection to ensure that we capture the current Severity data and enable some tracking for adding Severity data if it was not available when we first collected a CVE or changed after we collected it.

mjherzog avatar Jul 19 '23 02:07 mjherzog

@mjherzog @TG1999 @johnmhoran Is this issue available for contribution? I have some queries about this issue:

  1. do we need to add a separate script to track the severity scores rather than coding for every single importer.
  2. do we require routine checks to check any kind of update in the severity data.

ambuj-1211 avatar Apr 01 '24 15:04 ambuj-1211

@ambuj-1211 re:

is this issue available for contribution? yes

@mjherzog would you have a few examples of such PURLs and vulnerabilities on hand?

@ambuj-1211 to pick a fix you would first nee to find out why and what happened.

pombredanne avatar Apr 01 '24 16:04 pombredanne

@ambuj-1211

Let's tackle this in four steps:

  • [ ] Identify Missing Scores:

create Python or SQL query that finds vulnerabilities with severity information but lacking a CVSSv3 score. We'll prioritize focusing on recent vulnerabilities, as they're more likely to have a CVSSv3 assigned.

  • [ ] Manual Search:

randomly sample a subset of these vulnerabilities and manually search for their missing CVSSv3 scores on public resources like the National Vulnerability Database (NVD).

  • [ ] Document Findings (Issue Comment) that analyze the causes of missing CVSSv3 scores (importer type, recent discovery, .... ) Analyze why some vulnerabilities lack CVSSv3 scores

  • [ ] Write an improver or importer to get all missing CVSSv3

ziadhany avatar Jun 07 '24 02:06 ziadhany

@ziadhany

create Python or SQL query that finds vulnerabilities with severity information but lacking a CVSSv3 score. We'll prioritize focusing on recent vulnerabilities, as they're more likely to have a CVSSv3 assigned.

correct me if I am wrong, for this I need to make a func in models.py and call it using custom management command?

ambuj-1211 avatar Jun 07 '24 20:06 ambuj-1211

@ambuj-1211 No, just a Django or SQL query like this : https://docs.djangoproject.com/en/5.0/topics/db/queries/#retrieving-specific-objects-with-filters no need to create a custom management command

ziadhany avatar Jun 07 '24 23:06 ziadhany