support cvss 4.0 #1970
Comments
|
Hey @tomersein, are you asking to make sure that if CVSS 4 information is present in records, Grype DB includes this? |
|
Developer note: Look at this library for parsing CVSS: https://github.com/pandatix/go-cvss |
|
yes correct, just want to make sure grype \ vunnel gets and displays this information :) |
|
@wagoodman @kzantow does it make sense to try to do this as part of schema v6? EDIT: we discussed this offline, and this can be done before or after grype db v6, but will require figuring out which providers over in anchore/vunnel can provide cvss v4 data, and wiring it through vunnel and grype-db and adding it to the appropriate structs in grype so that it gets displayed. |
|
I think I'm starting to see this showing up more — e.g. for https://nvd.nist.gov/vuln/detail/CVE-2024-9287, the CNA (the PSF in this case) has marked this as "medium". But in Grype's DB, this record shows its severity as "unknown". I'm guessing that's because there's no non-CVSSv4 data available from NVD? So the net effect is slightly confusing to users who are cross-checking the upstream vuln data source. |
If this doesn't need to wait for v6, and if no one's working on this already, I'd be happy to take a stab at it! Could we start with just NVD for now? |
|
@luhring , I think anchore/grype-db#418 is where you'd need to start. vunnel is already capturing the entirety of the NVD json so grype-db just needs to be updated to parse it and persist to the db and then grype would need to understand how to parse and present it |
|
Okay perfect — yeah that looks like a subtask of this issue. I'll take a look! |
What would you like to be added:
hello!
NVD announced they support cvss 4.0
will grype support it?
https://nvd.nist.gov/general/news/cvss-v4-0-official-support
thanks!
Why is this needed:
be updated to the newest cvss
Additional context:
The text was updated successfully, but these errors were encountered: