Support CVSS 4.0 metric ingestion in make_metric #862
Closed
Akshat1000Sharma wants to merge 1 commit into NixOS:main from
Collaborator
Hey @Akshat1000Sharma, seems like you had a race with #857 there. I suggest closing this, as the other one is near the finish line. Also, while your change has a neat version of the algorithm, it doesn't cover display in the front-end, and doesn't have any tests.
This PR fixes CVSS metric ingestion for newer CVEs that no longer provide cvssV3_1.

Previously, make_metric always attempted to read CVSS data from cvssV3_1, which caused CVEs that only include cvssV4_0 to store an empty raw_cvss_json. As a result, severity metrics were not shown in the overview.

The logic has been updated to select the available CVSS version in priority order (cvssV4_0 -> cvssV3_1 -> cvssV3_0) while respecting data["format"] if provided. The selected format is stored in ctx["format"].

This keeps the change minimal and ensures modern CVEs with CVSS 4.0 metrics are ingested correctly.
Fixes #839
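A sketch of the priority-order selection described above, as an added example that is not code from this pull request or from the tracker. The names select_cvss and PREFIX are hypothetical, and treating data["format"] as a hint that names one of the three keys is an assumption; the sample entries are constructed.

```python
# Added illustration; function and constant names are hypothetical.
PREFIX = {  # priority order from the PR description, with each version's vector prefix
    "cvssV4_0": "CVSS:4.0/",
    "cvssV3_1": "CVSS:3.1/",
    "cvssV3_0": "CVSS:3.0/",
}


def select_cvss(data: dict) -> dict:
    """Choose which CVSS object of one metric entry to ingest."""
    ctx = {"format": None, "raw_cvss_json": {}}
    hint = data.get("format")
    # Assumption: a hint naming one of the keys is tried first; any other
    # value (or none) leaves the plain priority order.
    hinted = [hint] if isinstance(hint, str) and hint in PREFIX else []
    order = hinted + [k for k in PREFIX if k not in hinted]
    for key in order:
        body = data.get(key)
        vector = body.get("vectorString", "") if isinstance(body, dict) else ""
        # Skip objects whose vector does not match the key they are filed under,
        # so a mislabelled upstream entry is not stored under the wrong version.
        if isinstance(vector, str) and vector.startswith(PREFIX[key]):
            ctx["format"], ctx["raw_cvss_json"] = key, body
            break
    return ctx


# Constructed sample entries, not taken from any real CVE record.
V4 = {"version": "4.0", "baseSeverity": "CRITICAL",
      "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}
V31 = {"version": "3.1", "baseSeverity": "CRITICAL",
       "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}

if __name__ == "__main__":
    for entry in ({"cvssV4_0": V4}, {"cvssV3_1": V31, "cvssV4_0": V4},
                  {"format": "cvssV3_1", "cvssV3_1": V31, "cvssV4_0": V4},
                  {"cvssV4_0": V31}, {"other": {"type": "ssvc"}}):
        print(select_cvss(entry)["format"])
```

An entry with no matching CVSS object leaves raw_cvss_json empty, which is the state the description says hid the severity in the overview.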