
Suse scores importer should support version 4

Open nnobelis opened this issue 5 months ago • 8 comments

Given a sample Suse score https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml:

CVE-2024-35255:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    - version: 4
      score: 6.8
      vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

The version 4 cvss is not imported because the importer does not support version 4: https://github.com/aboutcode-org/vulnerablecode/blob/ed17dbd5a7537b95faf9ef8d30a95333ffdcb3ca/vulnerabilities/importers/suse_scores.py#L34-L38

Additional questions:

Our VulnerableCode instance contains some weird values for this source:

[screenshot]

  1. Can the cvssv2 and cvssv3 be old values from previous imports?
  2. Why does the cvssv3.1 have a score of 0?
  3. We noticed the public instance does not list suse.com as a source. Should we disable this importer? https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255

nnobelis, Sep 16 '24 12:09
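The following is an added example, not code from the issue or from vulnerablecode itself, showing how an importer for the Suse scores feed can accept `version: 4` entries alongside 2, 3 and 3.1, validate that the vector prefix matches the declared version, and skip entries with a missing or non-numeric score instead of recording them as 0 (the behaviour asked about in question 2). The scoring-system labels, the `SUPPORTED_VERSIONS` table and the minimal line-based parser are assumptions for this example; a real importer would load the YAML with a proper YAML library. The sample text is constructed from the excerpt in the issue plus two extra entries added to exercise the failure paths.

```python
"""Added example: CVSS version handling for a Suse-scores style importer."""
import logging
from dataclasses import dataclass

logger = logging.getLogger(__name__)

# Constructed sample. The first CVE mirrors the excerpt from the issue; the second
# adds an unsupported version and an entry with an empty score to show the skips.
SAMPLE_YAML = """\
CVE-2024-35255:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    - version: 4
      score: 6.8
      vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVE-0000-00000:
  cvss:
    - version: 5
      score: 1.0
      vector: CVSS:5.0/EXAMPLE
    - version: 3.1
      score:
      vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
"""

# Feed version -> (scoring-system label, required vector prefix). The labels are
# illustrative (assumption), not vulnerablecode's own identifiers. CVSS v2 vectors
# carry no "CVSS:" prefix, so no prefix check is applied to them.
SUPPORTED_VERSIONS = {
    "2": ("cvssv2", None),
    "3": ("cvssv3", "CVSS:3.0/"),
    "3.1": ("cvssv3.1", "CVSS:3.1/"),
    "4": ("cvssv4", "CVSS:4.0/"),  # the version the original importer skipped
}


@dataclass
class Severity:
    cve: str
    system: str
    score: float
    vector: str


def normalize_version(raw):
    """Map 4, 4.0, "4" and "3.1" onto the keys used in SUPPORTED_VERSIONS."""
    text = str(raw).strip()
    if text.endswith(".0"):
        text = text[:-2]
    return text


def parse_suse_scores(text):
    """Minimal parser for the sample's YAML shape (assumption: enough for the demo).

    Returns {cve_id: [{"version": ..., "score": ..., "vector": ...}, ...]}.
    """
    data = {}
    cve = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw.startswith(" ") and line.endswith(":"):
            cve = line[:-1]               # top-level key is the CVE id
            data[cve] = []
        elif line.startswith("- version:") and cve is not None:
            data[cve].append({"version": line.split(":", 1)[1].strip()})
        elif line.startswith(("score:", "vector:")) and cve and data[cve]:
            key, value = line.split(":", 1)
            data[cve][-1][key] = value.strip()
    return data


def extract_severities(data):
    """Turn parsed entries into Severity records, skipping anything unusable."""
    out = []
    for cve, entries in data.items():
        for entry in entries:
            version = normalize_version(entry.get("version", ""))
            if version not in SUPPORTED_VERSIONS:
                logger.warning("%s: skipping unsupported CVSS version %r", cve, version)
                continue
            system, prefix = SUPPORTED_VERSIONS[version]
            vector = entry.get("vector", "")
            if prefix and not vector.startswith(prefix):
                logger.warning("%s: vector %r does not match version %s", cve, vector, version)
                continue
            try:
                score = float(entry.get("score", ""))
            except (TypeError, ValueError):
                # A missing score is dropped rather than stored as 0.
                logger.warning("%s: skipping %s entry without a numeric score", cve, system)
                continue
            out.append(Severity(cve=cve, system=system, score=score, vector=vector))
    return out


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for sev in extract_severities(parse_suse_scores(SAMPLE_YAML)):
        print(sev)
```

Run as a script, the example prints the two usable records for CVE-2024-35255 (the 3.1 and the 4.0 entries) and logs warnings for the unsupported version and the empty score in the constructed second CVE.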