
Add Product Specific CVSS Metrics #486

Description

@silvafilipa

We would like to suggest adding product-specific metrics, such as CVSS 3.1 and 4.0 scores.
This would allow us to score/describe a vulnerability according to the way our products are actually affected.
We would propose that this information be placed as a property of each affected entry. The name would be x_metrics or just metrics, and it would have the same validations as the metrics already present for the CVE.
We have also suggested this new property in the SADP pilot: CVEProject/sadp-pilot#13
Example:

   "affected":[
      {
         "vendor":"XXXX",
         "product":"Product X",
         "versions":[
            {
               "status":"affected",
               "version":"0",
               "lessThan":"VX",
               "versionType":"custom"
            }
         ],
         "defaultStatus":"unknown",
         "x_metrics":[
            {
               "cvssV3_1":{
                  "version":"3.1",
                  "vectorString":"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
                  "baseScore":5.2,
                  "baseSeverity":"MEDIUM"
               }
            },
            {
               "cvssV4_0":{
                  "version":"4.0",
                  "vectorString":"CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L",
                  "baseScore":2.0,
                  "baseSeverity":"LOW"
               }
            }
         ]
      }
   ]
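The proposal asks that a per-affected-entry `x_metrics` property get "the same validations as the metrics already present for the CVE". The checker below is an added example of what those validations amount to in practice; it is not code from the issue, the CVE JSON schema project, or the SADP pilot. It checks that the vector string prefix agrees with `version`, that `baseScore` is in range, that `baseSeverity` is the band the score falls in, and, for CVSS v3.1 only, that the declared `baseScore` matches the score recomputed from the vector using the v3.1 specification formulas (no v4.0 calculator is included, so v4.0 entries get the prefix, range and band checks only). The sample `ISSUE_AFFECTED` input is constructed here to mirror the entry in the issue; `BAD_ENTRY` is a constructed entry with the mistakes the checks are meant to catch.

```python
"""Validate per-product x_metrics entries the way top-level CVE metrics are
checked.  Added example, not CVE Program or SADP pilot code."""
import math
import re
from typing import Dict, List

# CVSS v3.1 base-metric weights (Specification Document, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

# Expected "version" value and vector prefix per metric key (as in the CVE schema).
_EXPECTED = {
    "cvssV3_1": ("3.1", re.compile(r"^CVSS:3\.1/")),
    "cvssV4_0": ("4.0", re.compile(r"^CVSS:4\.0/")),
}


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, done on integers
    so that 4.000000001-style float noise does not bump 4.0 up to 4.1."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Recompute the CVSS v3.1 base score from a full base vector string."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    changed = m["S"] == "C"
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    if changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    pr = (_PR_CHANGED if changed else _PR_UNCHANGED)[m["PR"]]
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    if changed:
        return roundup(min(1.08 * (impact + exploitability), 10))
    return roundup(min(impact + exploitability, 10))


def severity_for(score: float) -> str:
    """Qualitative severity band (same bands in CVSS v3.1 and v4.0)."""
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def validate_metric(entry: Dict) -> List[str]:
    """Return a list of problems for one x_metrics element (empty if valid)."""
    problems: List[str] = []
    for key, (version, prefix) in _EXPECTED.items():
        if key not in entry:
            continue
        m = entry[key]
        vector = m.get("vectorString", "")
        prefix_ok = bool(prefix.match(vector))
        if m.get("version") != version:
            problems.append(f"{key}: version must be {version!r}")
        if not prefix_ok:
            problems.append(f"{key}: vectorString must start with CVSS:{version}/")
        score = m.get("baseScore")
        if not isinstance(score, (int, float)) or not 0 <= score <= 10:
            problems.append(f"{key}: baseScore must be a number in 0..10")
            continue
        if m.get("baseSeverity") != severity_for(score):
            problems.append(f"{key}: baseSeverity should be {severity_for(score)}")
        if key == "cvssV3_1" and prefix_ok:
            computed = cvss31_base_score(vector)
            if computed != score:
                problems.append(f"{key}: baseScore {score} != {computed} computed from vector")
    return problems


def validate_affected(affected: List[Dict]) -> Dict[str, List[str]]:
    """Map '<product>[<index>]' to problems for every x_metrics element that has any."""
    report: Dict[str, List[str]] = {}
    for a in affected:
        for i, entry in enumerate(a.get("x_metrics", [])):
            problems = validate_metric(entry)
            if problems:
                report[f"{a.get('product')}[{i}]"] = problems
    return report


# Constructed sample mirroring the issue's example entry.
ISSUE_AFFECTED = [{
    "vendor": "XXXX", "product": "Product X", "defaultStatus": "unknown",
    "versions": [{"status": "affected", "version": "0", "lessThan": "VX", "versionType": "custom"}],
    "x_metrics": [
        {"cvssV3_1": {"version": "3.1",
                      "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
                      "baseScore": 5.2, "baseSeverity": "MEDIUM"}},
        {"cvssV4_0": {"version": "4.0",
                      "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:A/VC:L/VI:N/VA:L/SC:H/SI:N/SA:L",
                      "baseScore": 2.0, "baseSeverity": "LOW"}},
    ],
}]

# Constructed bad entry: wrong vector prefix for the key, and a baseScore/severity
# pair that does not match the vector.
BAD_ENTRY = {"cvssV3_1": {"version": "3.1",
                          "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L",
                          "baseScore": 7.5, "baseSeverity": "HIGH"}}

if __name__ == "__main__":
    print(validate_affected(ISSUE_AFFECTED) or "issue example: OK")
    print(validate_metric(BAD_ENTRY))
```

The prefix check matters for the proposal because the existing top-level `metrics` validation ties each key (`cvssV3_1`, `cvssV4_0`) to its own vector pattern; reusing those rules for `x_metrics` means a v3.0-prefixed vector under `cvssV3_1` would be rejected at the affected-entry level too, rather than silently published.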
