-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CVSS 4.0 #715
Comments
Hi @DanielRuf, thanks for making me aware of this. I will have a look into it soon. The mechanics that are relevant for SecObserve seem not to have changed (0-10 and mapping to severities). Will have to update some scanners and rename the cvss fields. |
That sounds good. I'm not sure if renaming fields makes sense. Normally I'm accustomed to having two versions shown in the CVE databases (if provided). I didn't check SecObserve in detail yet, so not sure if currently v2 and v3 CVSS scores are used and supported per entry or if it is just v3. CVSS v4 will lead to different results because of the environmental factor. It will probably take some time until the CVE databases, CNAs and tools add (additional) support for CVSS v4 and they will still use CVSS v2 and v3 as fields. Is it encouraged by SecObserve to use the latest available "stable" CVSS version? |
I will wait until one of the SCA scanners (Trivy, Grype, dependency-check) implements support for CVSS 4. Then we will see, how they put the information in their output and how to use it in SecObserve. Separate fields for v3 and v4 might be a good idea. |
Tomorrow (1st of November) CVSS 4.0 will be published according to the details at https://www.first.org/cvss/v4-0/
What needs to be done to support this?
The text was updated successfully, but these errors were encountered: