Allow recording an overridden severity level for an advisory #51
Labels: enhancement (New feature or request)
Comments
Discussed with @raboof. Request: Response returns all issues that have status other than

```json
[
  {
    "id": "NIXPKGS-1234-12345",
    "cve": [ "CVE-1234-12345", "CVE-4321-54321" ],
    "status": "WONTFIX"
  },
  {
    "id": "NIXPKGS-1234-12346",
    "cve": [ "CVE-1234-12346", "CVE-4321-54328" ],
    "status": "WONTFIX"
  }
]
```

Implemented in the local scanner in Nix-Security-WG/nix-security-tracker#125 🎉
fricklerhandwerk transferred this issue from Nix-Security-WG/nix-local-security-scanner on Sep 23, 2024
As encountered in the example of #22, there might be situations where we disagree with the severity rating provided with an advisory (in this case: the CVSS score of MEDIUM). As CVSS can be restrictive in how it assigns severity ratings, we might want to introduce a text-based severity rating of our own (like low/moderate/important/critical).

For the API, it would be sufficient to encode this as simple `advisory id, severity` pairs, as in the vast majority of cases an advisory will have the same severity regardless of the version of the affected package. This keeps the data volume of the information to be shared low. An example would be:

```
CVE-2023-38253 low
```

Since this can be so compact, the online tracker could provide all this data as a single bulk endpoint, so instead of having to do many requests the local tool can just get all overridden severities in a single request and cache that knowledge.
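As an added example (not code from the tracker or the local scanner), this parses such a bulk list of `advisory id, severity` pairs into a cache and applies it on top of an upstream rating; the severity names, the parsing rules and the second advisory id are assumptions, with CVE-2023-38253 taken from the issue text.

```python
from typing import Dict, Tuple

# Text-based severity levels proposed in the issue, lowest first.
SEVERITY_LEVELS = ("low", "moderate", "important", "critical")


def parse_overrides(text: str) -> Dict[str, str]:
    """Parse lines of the form '<advisory id> <severity>' into a dict.

    Blank lines and '#' comments are skipped. A line with the wrong number
    of fields, an unknown severity, or a repeated advisory id raises
    ValueError, so a malformed bulk download is rejected outright rather
    than partially applied to the cache.
    """
    overrides: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<id> <severity>', got {raw!r}")
        advisory_id, severity = fields[0], fields[1].lower()
        if severity not in SEVERITY_LEVELS:
            raise ValueError(f"line {lineno}: unknown severity {severity!r}")
        if advisory_id in overrides:
            raise ValueError(f"line {lineno}: duplicate override for {advisory_id}")
        overrides[advisory_id] = severity
    return overrides


def effective_severity(advisory_id: str, upstream: str,
                       overrides: Dict[str, str]) -> Tuple[str, bool]:
    """Return (severity, overridden): the cached override if one exists,
    otherwise the upstream (e.g. CVSS-derived) rating, lowercased."""
    if advisory_id in overrides:
        return overrides[advisory_id], True
    return upstream.lower(), False


# Constructed bulk response: CVE-2023-38253 is the advisory cited in the
# issue; CVE-0000-00001 is a placeholder, not a real advisory.
BULK_OVERRIDES = """
# advisory id   severity
CVE-2023-38253  low
CVE-0000-00001  critical
"""
```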