
Augment output with CVSS information. #123

Open

themenucha opened this issue Dec 22, 2022 · 9 comments
Labels
backlog Important but currently unprioritized enhancement New feature or request

Comments

@themenucha

Unfortunately, CVSS information is missing. This information could be very helpful in the vulnerability management process.

@oliverchang
Collaborator

Hi!

Some sources do have CVSS information, but this is an optional field in the OSV schema and only some of our DBs currently export this information.

We could potentially augment and provide this based on finding matching alias CVEs once we have NVD DB coverage (#783).

@andrewpollock thoughts?

@andrewpollock andrewpollock transferred this issue from google/osv-scanner Jan 6, 2023
@andrewpollock
Contributor

Yep, I think given this information is available in CVE, we should populate it in the resultant OSV record.

@andrewpollock andrewpollock self-assigned this Jan 6, 2023
@andrewpollock andrewpollock added the enhancement New feature or request label Jan 6, 2023
@oliverchang
Collaborator

I think this issue belongs better in osv-scanner.

The CVSS score can be added dynamically in the osv-scanner output, based on the grouped matches. We aren't able to modify entries from other sources.

@andrewpollock
Contributor

I'm thinking we're talking about two separate uses of CVSS.

I was thinking about including CVSS in the OSV records that are converted from CVEs.

I'm beginning to suspect, based on your most recent comment, that you're talking about including CVSS scores in the output from OSV Scanner?

@oliverchang
Collaborator

Yep! This issue was originally in the OSV-Scanner repo, so this issue is indeed about that. Once we have NVD coverage we could potentially augment the output of OSV-Scanner based on aliases.

@oliverchang oliverchang transferred this issue from google/osv.dev Jan 9, 2023
@oliverchang oliverchang changed the title Add CVSS information Augment output with CVSS information. Jan 9, 2023
@mindriven

Hi, did this go anywhere? I would really love to see this one implemented.

@andrewpollock
Contributor

I took a look at the data to get a sense of what the current severity availability was like:

AlmaLinux     : 0.00%
AlmaLinux:8   : 0.00%
AlmaLinux:9   : 0.00%
Alpine        : 0.00%
Alpine:v3.10  : 0.00%
Alpine:v3.11  : 0.00%
Alpine:v3.12  : 0.00%
Alpine:v3.13  : 0.00%
Alpine:v3.14  : 0.00%
Alpine:v3.15  : 0.00%
Alpine:v3.16  : 0.00%
Alpine:v3.17  : 0.00%
Alpine:v3.2   : 0.00%
Alpine:v3.3   : 0.00%
Alpine:v3.4   : 0.00%
Alpine:v3.5   : 0.00%
Alpine:v3.6   : 0.00%
Alpine:v3.7   : 0.00%
Alpine:v3.8   : 0.00%
Alpine:v3.9   : 0.00%
Android       : 0.00%
Debian        : 0.00%
Debian:10     : 0.00%
Debian:11     : 0.00%
Debian:3.0    : 0.00%
Debian:3.1    : 0.00%
Debian:4.0    : 0.00%
Debian:5.0    : 0.00%
Debian:6.0    : 0.00%
Debian:7      : 0.00%
Debian:8      : 0.00%
Debian:9      : 0.00%
GSD           : 0.00%
GitHub Actions: 100.00%
Go            : 67.39%
Hex           : 71.43%
Linux         : 0.00%
Maven         : 89.88%
NuGet         : 91.21%
OSS-Fuzz      : 0.00%
Packagist     : 89.69%
Pub           : 60.00%
PyPI          : 37.03%
Rocky Linux   : 95.01%
Rocky Linux:8 : 96.34%
Rocky Linux:9 : 89.02%
RubyGems      : 63.62%
UVI           : 0.00%
crates.io     : 64.27%
npm           : 67.19%

I'm not actively working on OSV Scanner features, so I won't keep this assigned to me. (I'm working on google/osv.dev#783, and will be including CVSS information in the OSV records converted, although those records won't have an ecosystem)
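As an added illustration of the two mechanisms discussed in this thread (reading an OSV record's own optional `severity` field, and falling back to an aliased CVE-derived record when the source does not export one) together with the per-ecosystem availability check shown above; this is example code, not part of osv-scanner or osv.dev, and the record IDs, CVSS vectors and the `db` lookup are all constructed.

```python
# Added illustration for this thread; not osv-scanner or osv.dev code. Assumes
# OSV-schema-shaped records: optional `severity` [{"type","score"}] and `aliases`.
# `db` maps ID -> record, a constructed stand-in for CVE-derived OSV records
# (the NVD coverage the thread mentions), not a real lookup.
from collections import Counter

def cvss_vector(record):
    """Return the record's own CVSS v3 vector string, or None if absent."""
    for entry in record.get("severity", []):
        if entry.get("type") == "CVSS_V3":
            return entry.get("score")
    return None

def resolve_cvss(record, db):
    """Own severity first, else the first alias in db that has one: (vector, source_id)."""
    own = cvss_vector(record)
    if own:
        return own, record["id"]
    for alias in record.get("aliases", []):
        vec = cvss_vector(db.get(alias, {}))
        if vec:
            return vec, alias
    return None, None

def severity_coverage(records):
    """Percent of records per ecosystem carrying any severity (as in the table above)."""
    total, with_sev = Counter(), Counter()
    for rec in records:
        ecosystems = {a["package"]["ecosystem"] for a in rec.get("affected", [])
                      if "package" in a}
        for eco in ecosystems:
            total[eco] += 1
            if rec.get("severity"):
                with_sev[eco] += 1
    return {eco: round(100.0 * with_sev[eco] / total[eco], 2) for eco in total}

V3_HIGH = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
V3_LOW = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
SAMPLE_DB = {  # constructed sample records: IDs and vectors are made up
    "GHSA-test-0001": {"id": "GHSA-test-0001", "aliases": ["CVE-0000-0001"],
        "affected": [{"package": {"ecosystem": "PyPI", "name": "pkg-a"}}],
        "severity": [{"type": "CVSS_V3", "score": V3_HIGH}]},
    "PYSEC-test-0002": {"id": "PYSEC-test-0002", "aliases": ["CVE-0000-0002"],
        "affected": [{"package": {"ecosystem": "PyPI", "name": "pkg-b"}}]},
    "CVE-0000-0002": {"id": "CVE-0000-0002", "affected": [],  # CVSS, no ecosystem
        "severity": [{"type": "CVSS_V3", "score": V3_LOW}]},
    "DSA-test-0003": {"id": "DSA-test-0003", "aliases": ["CVE-0000-0003"],
        "affected": [{"package": {"ecosystem": "Debian", "name": "pkg-c"}}]},
}
```

With these records the PyPI coverage comes out at 50% and Debian at 0%, and the PYSEC record only gets a vector via its CVE alias, which, as noted above, carries no ecosystem of its own.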


This issue has not had any activity for 60 days and will be automatically closed in two weeks.

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Jul 25, 2024
@tomislacker

Posting to keep this open as it may be helpful for others.

@oliverchang oliverchang added backlog Important but currently unprioritized and removed stale The issue or PR is stale and pending automated closure labels Jul 25, 2024
5 participants