CVSS 3.1 vs. 4 (example CVE-2024-8391) #6968

Open
marcelstoer opened this issue Sep 16, 2024 · 3 comments

Comments

@marcelstoer
Contributor

marcelstoer commented Sep 16, 2024

One of my checks failed due to CVE-2024-8391 being above my threshold of 7. Yet, when I checked https://nvd.nist.gov/vuln/detail/CVE-2024-8391 I saw the score reported as 6.9. Only at second glance did I realize the mismatch between the CVSS 4 score (6.9) and the CVSS 3.1 score (7.5).

This made me wonder which score DependencyCheck considers; never thought about this before.

I checked the documentation as well as the Maven plugin docs and didn't see my question answered.

@aikebah
Collaborator

aikebah commented Sep 18, 2024

Currently it uses the threshold for any of CVSSv2 score, CVSSv3 score or (if no CVSS score was available on the vulnerability sources) a guesstimated severity translated into a fictive CVSSv2 score (based on its threshold values of low/medium/high/critical) derived from an available textual severity.

CVSS v4 score is currently not taken into account in the comparison on the maven plugin

final Double cvssV2 = v.getCvssV2() != null && v.getCvssV2().getCvssData() != null && v.getCvssV2().getCvssData().getBaseScore() != null ? v.getCvssV2().getCvssData().getBaseScore() : -1;
final Double cvssV3 = v.getCvssV3() != null && v.getCvssV3().getCvssData() != null && v.getCvssV3().getCvssData().getBaseScore() != null ? v.getCvssV3().getCvssData().getBaseScore() : -1;
final Double unscoredCvss = v.getUnscoredSeverity() != null ? SeverityUtil.estimateCvssV2(v.getUnscoredSeverity()) : -1;
if (failBuildOnAnyVulnerability || cvssV2 >= failBuildOnCVSS
        || cvssV3 >= failBuildOnCVSS
        || unscoredCvss >= failBuildOnCVSS
        // safety net to fail on any if for some reason the above misses on 0
        || (failBuildOnCVSS <= 0.0)) {

is the condition that currently makes the build-breakage-or-not decision for the maven plugin

@marcelstoer
Contributor Author

marcelstoer commented Sep 19, 2024

Thanks! My assumption that "the newer the CVSS, the more precise its score" is not correct then? Or, is it correct but not correctly reflected in the code?

I would have expected the code to consider the CVSS score in descending order. If there's a CVSS 4 score, take that one. If not, look for 3.1 and so on.
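To make the difference between the two comments concrete, here is an added model (not DependencyCheck code) of the posted condition next to the newest-first rule marcelstoer expected and a max-of-all-versions variant, evaluated on the CVE-2024-8391 scores quoted in the issue (3.1 = 7.5, 4.0 = 6.9) with a threshold of 7. The `Vuln` type and the `SEVERITY_ESTIMATE` numbers are assumptions; the thread does not quote `SeverityUtil`'s buckets.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed stand-in scores for a textual severity when no CVSS vector exists;
# the real SeverityUtil buckets are not quoted in the thread.
SEVERITY_ESTIMATE = {"low": 3.9, "medium": 6.9, "high": 8.9, "critical": 10.0}

@dataclass
class Vuln:
    """One vulnerability record with whichever CVSS base scores the source had."""
    cve: str
    cvss_v2: Optional[float] = None
    cvss_v3: Optional[float] = None
    cvss_v4: Optional[float] = None
    unscored_severity: Optional[str] = None

def estimate_from_severity(sev: Optional[str]) -> float:
    """Fictive score from a textual severity, -1 when none is available."""
    return SEVERITY_ESTIMATE.get(sev.lower(), -1.0) if sev else -1.0

def fails_current(v: Vuln, threshold: float) -> bool:
    """Models the posted Maven-plugin condition: v2, v3 or the severity
    estimate at or above the threshold breaks the build; v4 is not consulted,
    and a threshold of 0 or below fails on anything (the 'safety net')."""
    v2 = -1.0 if v.cvss_v2 is None else v.cvss_v2
    v3 = -1.0 if v.cvss_v3 is None else v.cvss_v3
    est = estimate_from_severity(v.unscored_severity)
    return (v2 >= threshold or v3 >= threshold or est >= threshold
            or threshold <= 0.0)

def fails_newest_first(v: Vuln, threshold: float) -> bool:
    """marcelstoer's expectation: only the newest CVSS version present decides."""
    for score in (v.cvss_v4, v.cvss_v3, v.cvss_v2):
        if score is not None:
            return score >= threshold or threshold <= 0.0
    est = estimate_from_severity(v.unscored_severity)
    return est >= threshold or threshold <= 0.0

def fails_any_version(v: Vuln, threshold: float) -> bool:
    """The current rule extended to v4: the highest available score decides."""
    scores = [s for s in (v.cvss_v2, v.cvss_v3, v.cvss_v4) if s is not None]
    scores.append(estimate_from_severity(v.unscored_severity))
    return max(scores) >= threshold or threshold <= 0.0

# Scores quoted in the issue for CVE-2024-8391 (no v2 score is mentioned).
EXAMPLE = Vuln("CVE-2024-8391", cvss_v3=7.5, cvss_v4=6.9)

if __name__ == "__main__":
    for policy in (fails_current, fails_newest_first, fails_any_version):
        print(f"{policy.__name__:20s} threshold 7 -> fails={policy(EXAMPLE, 7.0)}")
```

The same record fails under the posted condition and under max-of-all, but passes under newest-first, which is exactly the mismatch the opening comment observed.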
@jeremylong
Owner

While the CVSS scores are imported now - we haven't updated the code to include them in the calculation yet. It is on the list of things to do.

Honestly, I care less about the score and more about things like - is the CVE on the Known Exploited Vulnerability Catalog and what is the EPSS score. I know we've added KEV; but we will need to add EPSS to the report.
