-
Notifications
You must be signed in to change notification settings - Fork 210
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The Severity table in the Vulnerability UI would benefit from clarification and normalization #889
Comments
I think we have two closely-related issues then:
In the example above for VULCOID-6P7 the Score values include (1) labels, (2) calculated CVSS numbers, and (3) some string that is probably used to support the scoring, but I don't quite understand it. I think we should always avoid returning the third thing; note that in the case of this row in the sample Severity table (which impacts Celery, btw) VulnerableCode could have actually returned a Score, becuase there is one on the page of the provided nvd.nist link, and that score is
So I think we have both a backend server problem and a presentation problem. Sounds like a job for @johnmhoran perhaps in collaboration with @TG1999 An interesting and important issue to resolve I think. |
Discussion item: it is probably time to focus on CVSS v3 scoring and to drop (completely) CVSS v2 scoring. |
More comments. Following the various links in the VULCOID-6P7 example, it seems to me that we should always try to return the calculated CVSS3 number, followed by its Label, and we should NOT return those "vector" strings. Note that if you follow the links, such as for the last row GHSA-q4xr-rc97-m4xx you will always (at least in my experience) find the "Score" number (0.0 - 10.0), and the Severity "Label" (None, Low, Medium, High, Critical) can be derived from that number. See attached official NIST image. |
Here is some pertinent input from @mjherzog CVSS is owned and managed by FIRST.Org, Inc. (FIRST), a US-based non-profit organization, whose mission is to help computer security incident response teams across the world. The official CVSS documentation can be found at https://www.first.org/cvss/. and more important - https://nvd.nist.gov/general/news/retire-cvss-v2 so we can ignore cvss v2 imho |
CVSS calculation is quite complicated ,so |
Let me reformulate where we are and where we want to go:
|
Two questions:
|
An emerging issue among consumers of VulnerabilityDB data is how best to respond to incoming vulnerability reports (level of urgency, which ones need to be addressed immediately, etc.). The current severity scoring available is not all that consistent. For example, the vulnerabilities for urllib3 (at https://public.vulnerablecode.io/vulnerabilities/VCID-6rq6-hxp1-aaae ) show a bunch of different severity evaluations, including:
So I think that VulnerableCode needs a "severity normalizer" feature or, as @mjherzog suggested, some kind of compositie severity score. |
@TG1999 this issue might make a nice discussion topic at our next VC weekly meeting. |
per @mjherzog "I suspect the best we can do in the short term is to normalize the available security scores by source - in the example above there are 3 sources: NIST/CVE, Red Hat and GitHub where we have one CVE reference from Red Hat repeating the CVE score and others with severity=medium. Since the real world impact of a vulnerability is likely to vary by software context we are best off to narrow the number of scores to one per source. I think that we can also safely exclude csvss2 because it has been deprecated." I think we should construct some kind of mapping to convert the descriptive severity scores to numeric values, something like: |
I am a bit concerned that numbers will convey more precision than there is in the underlying data. So at a minimum we need to avoid fractions. |
alternate approach would be to compute a Range rather than an average. |
please keep the fractions and display them in the severity range |
We should exclude cvssv2 and document why - because these are the deprecated side of redundant data. |
Added issue for same here #1187 |
See issue #1187 . closing this one. |
Please see https://nvd.nist.gov/vuln-metrics/cvss where NIST explains (at great length) how a Severity (CVSS) is calculated.
While looking at https://public.vulnerablecode.io/vulnerabilities/8683
I could not help but wonder about the bewildering range of Severity scores, including totally different terminology.
This is not the fault of VulnerableCode, which is simply returning what it found in the original sources, but the results are still rather difficult for the user to interpret.
Perhaps a link to the NIST page, right after the "Severity" label, would be appropriate here.
The text was updated successfully, but these errors were encountered: