You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You seem to to create CVSS v4 scores for some advisories as I found out in #5032.
I condensed the original discussion into this issue.
There are some problem with that, here is a quick recap:
This is only done for certain CVEs, not all
The process how these CVSS v4 values are created is not transparent
There is no (public) documentation that this is done, how this is done and why it is done
Likely no communication with CVE creators / CVSSv4 values do not match CVE descriptions (usually only contains CVSS v3 score explanation)
Created CVSS v4 are not marked as "computed from CVSSv3 by GitHub" or something similar anywhere
Original CVSS score is not used for computing the severity
Please have a look at the original discussion for more details.
Anyway this process seems to result in incorrect scores (some values do not match at all) and incorrect severity values, thus also resulting in False Postives and Negatives in downstream scanners that utilize the database with severity filters.
Subsequent System Impact Metrics seem to be missing
The overall current situation erodes (my) trust in this - security critical - system as distinguishing between correct and incorrect scores is no longer easily possible.
You seem to to create CVSS v4 scores for some advisories as I found out in #5032.
I condensed the original discussion into this issue.
There are some problem with that, here is a quick recap:
severity
Please have a look at the original discussion for more details.
Anyway this process seems to result in incorrect scores (some values do not match at all) and incorrect
severity
values, thus also resulting in False Postives and Negatives in downstream scanners that utilize the database with severity filters.Spontaneously found examples:
severity
)CVE-2024-47535Vulnerable System Impact Metrics
seem to be missingVulnerable System Impact Metrics
seem to be missingSubsequent System Impact Metrics
seem to be missingSubsequent System Impact Metrics
seem to be missingThe overall current situation erodes (my) trust in this - security critical - system as distinguishing between correct and incorrect scores is no longer easily possible.
Further references:
The text was updated successfully, but these errors were encountered: