You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/cnvd-severity-improvements.md
+31-5Lines changed: 31 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -52,10 +52,34 @@ The model card is now a template (`model_card_cnvd_severity.md`) populated with
52
52
53
53
### Known limitations documented
54
54
55
-
- Low severity recall (~41%)
56
-
- Keyword dependency (accuracy drops from ~89% to ~55% on atypical-severity entries)
57
-
- Negation blindness
58
-
- CVE overlap (81% of CNVD entries have a CVE equivalent)
55
+
The model card now documents:
56
+
57
+
-**Low severity recall (~41%)**: ~60% of Low entries are misclassified as Medium due to vocabulary overlap. All weighting strategies degrade Medium recall disproportionately.
58
+
-**Keyword dependency**: the model biases toward a vulnerability type's typical severity. Accuracy drops from ~89% to ~55% on atypical-severity entries.
59
+
-**Negation blindness**: "does NOT allow RCE" still predicts High with high confidence.
60
+
-**CVE overlap**: 81% of CNVD entries have a CVE equivalent. The model primarily adds value for the ~19% CNVD-only entries.
61
+
62
+
These findings align with independent results from [CyberScale Phase 1](https://github.com/eromang/researches/blob/main/CyberScale/docs/lessons-learned.md) (Point 29), which plateaued at ~62% band accuracy on a 4-class CVSS classifier using ModernBERT-base with similar approaches (CWE enrichment, multi-task heads, CPE features — none moving the needle beyond ~2pp).
63
+
64
+
## Dataset improvements
65
+
66
+
### CVE cross-references
67
+
68
+
The `extract_cnvd` function now extracts the `cve_id` field from `cves.cve.cveNumber` in the raw CNVD JSON. This enables users to cross-reference CNVD entries with their CVE equivalents and filter CNVD-only entries.
69
+
70
+
### Dataset card
71
+
72
+
A dataset card (`dataset_card_cnvd.md`) was added documenting:
73
+
74
+
- Field descriptions including the new `cve_id` column
75
+
- CVE overlap rate: 81% overall (68-69% in 2020-2021, 91-97% after 2022)
76
+
- Severity distribution: High ~36%, Medium ~55%, Low ~9%
77
+
- Coverage decline: 94% of reserved IDs published in 2015 → 4% in 2023 (post-RMSV regulations, September 2021)
78
+
- Warning about duplicate descriptions and train/test split leakage
79
+
80
+
## Comparison validator
81
+
82
+
A dedicated validator (`validators/severity_cnvd.py`) was added to evaluate the old and new models side by side on the same deduplicated test set. It reports per-class precision/recall/F1, confusion matrices, and a summary delta table.
59
83
60
84
## Commits
61
85
@@ -70,12 +94,14 @@ The model card is now a template (`model_card_cnvd_severity.md`) populated with
70
94
|`ed2c230`|`--class-weights` flag (none/sqrt/balanced) |
71
95
|`f1cd426`| Focal loss option |
72
96
|`9fa0f86`| Default to uniform loss |
73
-
|`7920361`|Static model card |
97
+
|`7920361`|Model card |
74
98
|`5b2866c`| Dynamic model card from eval metrics |
99
+
|`30f1872`| CVE cross-references and dataset card |
0 commit comments