ENHANCEMENT Include score with reported CVE

[anthonyharrison]

The current reporting of vulnerabilities only includes the severity category (CRITICAL, HIGH, MEDIUM or LOW). It would be useful to include the actual CVSS score as well particularly for vulnerabilities reported using the CVSS 2 scoring which doesn't include the CRITICAL category.

[terriko]

This seems like a really useful enhancement. I think it's easy enough to put a "good first issue" flag on just showing the score (since we already store that), although there's some potential for finesse with showing if it's a cvss v2 score or v3 one which might be harder.

[jerinjtitus]

This seems like a really useful enhancement. I think it's easy enough to put a "good first issue" flag on just showing the score (since we already store that), although there's some potential for finesse with showing if it's a cvss v2 score or v3 one which might be harder.

Can we print the score like: 5 (v2) , under the score column (to be included)

[terriko]

We could, but I think we often want to be able to parse the score as a number (e.g. show me all CVEs with a score greater than 4.) so we probably want that value to be a float that can be compared easily rather than a string. Probably makes sense to have a cvss_version column or whatever they actually call the field in the nvd data.

@anthonyharrison mentioned in our last call that having the full cvss vector string would also be useful for sorting/filtering/digging deeper. We also don't store that right now, but likely could.

[terriko]

Did some digging at @jerinjtitus 's prompting. Short answer: we're storing score in the cve_severity table and cvss_version in cve_range (I'd have to dig through the json for why) and we're using score to filter and adding it to the cve_list, but not displaying it.

I'm going to cut and paste the longer explanation about how I look for this in the code from gitter so it's actually with this bug:

I am currently going through the issue #1026. I had a doubt about the all_cve_data dict. I went through the code and I think I only understand it partially. I wanted to know about it's structure, specifically if it stores score in it.

You can always check what we store by looking at the database directly!

if you want to poke around the database, I usually just use sqlite ~/.cache/cve-bin-tool/cve.db and then do a select on the table I'm interested in.
in this case, that would be cve_severity.

I do it that way because I was a database person a long time ago so that's the way that feels easiest to me, but if you're more of a code person, you can see the create table statements in cvedb.py as well. Here's where that init function starts:

cve-bin-tool/cve_bin_tool/cvedb.py

Line 281 in b3617e2

def init_database(self):

If you dig through there, you can see that we do have a score column, but there's nothing in cve_severity that indicates the cvss version. That might be stored in cve_range
From there, you can follow through and see if we're piping that information up through to what all_cve_data gets.

that's populated by getcves here:
https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/cve_scanner.py#L50

And you can see where we start talking about scores and severities here:
https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/cve_scanner.py#L149

@jerinjtitus So that should be enough to get you started, but if you want a really quick spoiler, look at the comment on this line, which pretty much tells you what you asked: https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/cve_scanner.py#L157

[jerinjtitus]

@jerinjtitus So that should be enough to get you started, but if you want a really quick spoiler, look at the comment on this line, which pretty much tells you what you asked: https://github.com/intel/cve-bin-tool/blob/main/cve_bin_tool/cve_scanner.py#L157

Thanks for the detailed explanation. I did get most of the things but there was still a bit confusion.

If you dig through there, you can see that we do have a score column, but there's nothing in cve_severity that indicates the cvss version. That might be stored in cve_range

I checked for cvss_version, it's stored in cve_severity only.

[terriko]

I'm not sure what I was thinking before, but it makes sense that score and cvss_version would be stored together since the version tells you how the score was defined..

[terriko]

Handled in #1077 which has just been merged.