|
| 1 | +# 00004. Vulnerability scores |
| 2 | + |
| 3 | +Date: 2025-05-06 |
| 4 | + |
| 5 | +## Status |
| 6 | +PROPOSED |
| 7 | + |
| 8 | +## Context |
| 9 | + |
| 10 | +There are various vulnerability scores format versions used in different advisories. The purpose of this document is to summarize all these options and propose what Trustify need to store and return through its endpoints. |
| 11 | + |
| 12 | +## Scores |
| 13 | + |
| 14 | +Common Vulnerability Scoring System (CVSS) scores are used to determine severity of the vulnerabilities. The system evolved over they years, so we have multiple versions of it in use today. |
| 15 | + |
| 16 | +The version 2 was used primarily until late 2015. Since then version 3.0 was mainly used until 2019, when it was upgraded to 3.1. Staring late 2024, CVE project started using CVSS 4.0 version of scoring. |
| 17 | + |
| 18 | +## Advisory format |
| 19 | + |
| 20 | +CVE JSON Schema version 5 and OSV schema that Trustify uses to ingest data from these sources support all aforementioned CVSS score formats. |
| 21 | + |
| 22 | +OSV format supported only v2 and v3 until version 1.6.2 which was released in 2024. Most of the documents Trustify is importing today used 1.4.0 of the OSV schema. |
| 23 | + |
| 24 | +CSAF version 2.0 (still official version), supports only v2 and v3 of CVSS standard, while the support for v4 will be introduced in 2.1 version of the CSAF standard. |
| 25 | + |
| 26 | +## Vulnerability score |
| 27 | + |
| 28 | +As Trustify treat the original CVE record as vulnerability, vulnerability severity and score is what's specified in the CVE file. The value is optional, but it is present in most published records. CVSS version 3 is most dominant for current files, but support for version 4 is important for going forward. Support for version 2 would be good to have for legacy data. |
| 29 | + |
| 30 | +## Advisory scores |
| 31 | + |
| 32 | +Advisories can "override" the original vulnerability score, depending on the further analysis or the context. Both OSV and CSAF support this. Each vulnerability described by the advisory can be attached multiple scores (but that is rare in practice). |
| 33 | + |
| 34 | +There's no rush in supporting CVSS v4 for these standards as they are still not widely used. Again, CVSS v2 would be good to have. |
| 35 | + |
| 36 | +## Aggregate severity |
| 37 | + |
| 38 | +OSV record describes only one CVE vulnerability, while CSAF can describe multiple vulnerabilities in a single document. |
| 39 | + |
| 40 | +That's why CSAF introduces the concept of the "aggregate severity" considering the whole document, providing the useful information on how to deal with the whole advisory. It is independent of the CVSS standard and provides just a textual representation (the usual values are "Critical", "Important", "Moderate"). |
| 41 | + |
| 42 | +For OSV in most cases there is only single score for a single vulnerability, so in that case the severity is just copied from the score. In case there are multiple scores the aggregate can be calculated. There are no fixed way to do this, but getting the highest severity is considered a good practice. |
| 43 | + |
| 44 | +## Endpoints |
| 45 | + |
| 46 | +This is the simplified model of the API components representing scores and severities |
| 47 | + |
| 48 | +```mermaid |
| 49 | +
|
| 50 | +classDiagram |
| 51 | +
|
| 52 | +namespace Score { |
| 53 | + class CVSSScore { |
| 54 | + f64 score |
| 55 | + Severity severity |
| 56 | + } |
| 57 | +
|
| 58 | + class CVSSVector { |
| 59 | + string version |
| 60 | + string vector |
| 61 | + score CVSSScore |
| 62 | + } |
| 63 | +
|
| 64 | + class Severity { |
| 65 | + string text |
| 66 | + uri namespace |
| 67 | + } |
| 68 | +} |
| 69 | +
|
| 70 | +namespace Vulnerability { |
| 71 | + class VulnerabilityHead { |
| 72 | + CVSSScore baseScore |
| 73 | + } |
| 74 | +
|
| 75 | + class VulnerabilityAdvisoryHead { |
| 76 | + AdvisoryHead advisory |
| 77 | + vec[CVSSScore] scores |
| 78 | + } |
| 79 | +
|
| 80 | + class VulnerabilityAdvisorySummary { |
| 81 | + VulnerabilityAdvisoryHead head |
| 82 | + vec[CVSSVector] CVSSVectors |
| 83 | + } |
| 84 | +
|
| 85 | + class VulnerabilitySummary { |
| 86 | + VulnerabilityHead head |
| 87 | + vec[VulnerabilityAdvisoryHead] advisories |
| 88 | + } |
| 89 | +
|
| 90 | + class VulnerabilityDetails { |
| 91 | + VulnerabilityHead head |
| 92 | + vec[VulnerabilityAdvisorySummary] advisories |
| 93 | + } |
| 94 | +} |
| 95 | +
|
| 96 | +namespace Advisory { |
| 97 | + class AdvisoryHead { |
| 98 | + Severity aggregateSeverity |
| 99 | + } |
| 100 | +
|
| 101 | + class AdvisoryVulnerabilityHead { |
| 102 | + VulnerabilityHead |
| 103 | + vec[CVSSScore] scores |
| 104 | + } |
| 105 | +
|
| 106 | + class AdvisoryVulnerabilitySummary { |
| 107 | + AdvisoryVulnerabilityHead head |
| 108 | + vec[CVSSVector] CVSSVectors |
| 109 | + } |
| 110 | +
|
| 111 | + class AdvisorySummary { |
| 112 | + AdvisoryHead head |
| 113 | + vec[AdvisoryVulnerabilityHead] advisories |
| 114 | + } |
| 115 | +
|
| 116 | + class AdvisoryDetails { |
| 117 | + AdvisoryHead head |
| 118 | + vec[AdvisoryVulnerabilitySummary] advisories |
| 119 | + } |
| 120 | +} |
| 121 | +``` |
| 122 | + |
| 123 | +In summary, the "head" objects contain only base and aggregated values for vulnerability and advisory. The "summary" object |
| 124 | +contain list of advisories/vulnerabilities with the list of their scores, while "details" objects contain additionally a list |
| 125 | +of the whole CVSS vector data. The CVSS vector can be returned as an additional component, to help UI/clients avoid the parsing. |
0 commit comments