[feature] composer audit add severity #11633

Closed
homersimpsons opened this issue Sep 11, 2023 · 1 comment · Fixed by #11702
@homersimpsons

My composer.json:

{
    "name": "analysec/vulnerable-1",
    "require": {
        "symfony/symfony": "5.3.11"
    },
    "minimum-stability": "dev"
}

Output of composer diagnose:

(not relevant)

When I run this command:

composer audit
composer audit --format=json

I get the following output:

{
    "advisories": {
        "symfony/symfony": {
            "0": {
                "advisoryId": "PKSA-x3kp-hpzz-4th3",
                "packageName": "symfony/symfony",
                "affectedVersions": ">=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2.0,<6.2.6",
                "title": "CVE-2022-24894: Prevent storing cookie headers in HttpCache",
                "cve": "CVE-2022-24894",
                "link": "https://symfony.com/cve-2022-24894",
                "reportedAt": "2023-02-01T08:00:00+00:00",
                "sources": [
                    {
                        "name": "GitHub",
                        "remoteId": "GHSA-h7vf-5wrv-9fhv"
                    },
                    {
                        "name": "FriendsOfPHP/security-advisories",
                        "remoteId": "symfony/symfony/CVE-2022-24894.yaml"
                    }
                ]
            },
            "1": {
                "advisoryId": "PKSA-53qn-v9cx-yn6c",
                "packageName": "symfony/symfony",
                "affectedVersions": ">=2.0.0,<2.1.0|>=2.1.0,<2.2.0|>=2.2.0,<2.3.0|>=2.3.0,<2.4.0|>=2.4.0,<2.5.0|>=2.5.0,<2.6.0|>=2.6.0,<2.7.0|>=2.7.0,<2.8.0|>=2.8.0,<3.0.0|>=3.0.0,<3.1.0|>=3.1.0,<3.2.0|>=3.2.0,<3.3.0|>=3.3.0,<3.4.0|>=3.4.0,<4.0.0|>=4.0.0,<4.1.0|>=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.50|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.4.0|>=5.4.0,<5.4.20|>=6.0.0,<6.0.20|>=6.1.0,<6.1.12|>=6.2.0,<6.2.6",
                "title": "CVE-2022-24895: Possible CSRF token fixation",
                "cve": "CVE-2022-24895",
                "link": "https://symfony.com/cve-2022-24895",
                "reportedAt": "2023-02-01T08:00:00+00:00",
                "sources": [
                    {
                        "name": "GitHub",
                        "remoteId": "GHSA-3gv2-29qc-v67m"
                    },
                    {
                        "name": "FriendsOfPHP/security-advisories",
                        "remoteId": "symfony/symfony/CVE-2022-24895.yaml"
                    }
                ]
            },
            "5": {
                "advisoryId": "PKSA-t1qj-5z4b-g31v",
                "packageName": "symfony/symfony",
                "affectedVersions": ">=4.1.0,<4.2.0|>=4.2.0,<4.3.0|>=4.3.0,<4.4.0|>=4.4.0,<4.4.35|>=5.0.0,<5.1.0|>=5.1.0,<5.2.0|>=5.2.0,<5.3.0|>=5.3.0,<5.3.12",
                "title": "CVE-2021-41270: Prevent CSV Injection via formulas",
                "cve": "CVE-2021-41270",
                "link": "https://symfony.com/cve-2021-41270",
                "reportedAt": "2021-11-15T10:47:04+00:00",
                "sources": [
                    {
                        "name": "FriendsOfPHP/security-advisories",
                        "remoteId": "symfony/symfony/CVE-2021-41270.yaml"
                    }
                ]
            },
            "6": {
                "advisoryId": "PKSA-wchw-45cr-1ddn",
                "packageName": "symfony/symfony",
                "affectedVersions": ">=5.3.0,<5.3.12",
                "title": "CVE-2021-41268: Remember me cookie persistance after password changes",
                "cve": "CVE-2021-41268",
                "link": "https://symfony.com/cve-2021-41268",
                "reportedAt": "2021-10-23T11:11:11+00:00",
                "sources": [
                    {
                        "name": "FriendsOfPHP/security-advisories",
                        "remoteId": "symfony/symfony/CVE-2021-41268.yaml"
                    }
                ]
            },
            "7": {
                "advisoryId": "PKSA-2dmf-r1fg-t642",
                "packageName": "symfony/symfony",
                "affectedVersions": ">=5.2.0,<5.3.0|>=5.3.0,<5.3.12",
                "title": "CVE-2021-41267: Webcache Poisoning via X-Forwarded-Prefix and sub-request",
                "cve": "CVE-2021-41267",
                "link": "https://symfony.com/cve-2021-41267",
                "reportedAt": "2021-10-09T12:10:44+00:00",
                "sources": [
                    {
                        "name": "FriendsOfPHP/security-advisories",
                        "remoteId": "symfony/symfony/CVE-2021-41267.yaml"
                    }
                ]
            }
        }
    }
}

And I expected this to happen:

Have a "severity" field to help me decide whether I want to fix this or not.


@Seldaek
Member

Seldaek commented Sep 13, 2023

I think the main reason this isn't included is that https://github.com/FriendsOfPHP/security-advisories, which was our initial data source, has no severity listed. GitHub does though, so we should probably improve this. Good catch.
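A small triage script, added here as an illustration and not part of Composer or this issue, that parses the `composer audit --format=json` output shown above and sorts each advisory by where a severity could come from. It runs against a constructed, trimmed copy of the page's JSON, reads an optional `severity` key defensively (the output on the page has none), and flags advisories with a GitHub `GHSA-` source as lookup candidates, since, as Seldaek notes, GitHub's data carries severity while FriendsOfPHP's does not; the function and bucket names are my own.

```python
import json
# Constructed sample: a trimmed copy of the `composer audit --format=json`
# output from the issue (two advisories, affectedVersions shortened; the
# advisory ids and sources are the ones the page shows).
SAMPLE_AUDIT = """{
  "advisories": {
    "symfony/symfony": {
      "0": {"advisoryId": "PKSA-x3kp-hpzz-4th3", "packageName": "symfony/symfony",
            "affectedVersions": ">=5.3.0,<5.4.0", "cve": "CVE-2022-24894",
            "sources": [{"name": "GitHub", "remoteId": "GHSA-h7vf-5wrv-9fhv"},
                        {"name": "FriendsOfPHP/security-advisories",
                         "remoteId": "symfony/symfony/CVE-2022-24894.yaml"}]},
      "6": {"advisoryId": "PKSA-wchw-45cr-1ddn", "packageName": "symfony/symfony",
            "affectedVersions": ">=5.3.0,<5.3.12", "cve": "CVE-2021-41268",
            "sources": [{"name": "FriendsOfPHP/security-advisories",
                         "remoteId": "symfony/symfony/CVE-2021-41268.yaml"}]}
    }
  }
}"""

def parse_audit(text):
    data = json.loads(text)
    records = []
    for package, advisories in data.get("advisories", {}).items():
        # Per package, Composer emits an object keyed by non-contiguous numeric
        # strings ("0", "1", "5", ...), not a JSON array: iterate it as a dict.
        for _, adv in sorted(advisories.items(), key=lambda kv: int(kv[0])):
            ghsa = [s["remoteId"] for s in adv.get("sources", [])
                    if s.get("name") == "GitHub"]
            records.append({
                "package": package,
                "advisoryId": adv["advisoryId"],
                "cve": adv.get("cve"),
                # Absent on the page; read defensively so a later "severity" key is used.
                "severity": adv.get("severity"),
                "ghsa": ghsa[0] if ghsa else None,
            })
    return records

def triage(records):
    """Bucket advisories by whether a severity is, or could be, available."""
    buckets = {"has_severity": [], "lookup_via_ghsa": [], "no_severity_source": []}
    for r in records:
        if r["severity"] is not None:
            buckets["has_severity"].append(r["advisoryId"])
        elif r["ghsa"] is not None:  # GitHub's advisory database carries a severity
            buckets["lookup_via_ghsa"].append(r["advisoryId"])
        else:
            buckets["no_severity_source"].append(r["advisoryId"])
    return buckets
```

Feed it the real `composer audit --format=json` output instead of `SAMPLE_AUDIT` to see which of your advisories have no severity source at all and need manual review.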
