fix: need cvss metrics parser update

[matthew-renodin-bh]

Description

[17:09:53] INFO cve_bin_tool.CVEDB - Adding 886 CVE entries nvd_api.py:187
Downloading Feeds from NVD... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:01
[17:09:54] INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-28319
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-26306
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-27397
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-35966
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-36915
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-40972
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-41042
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-42114

To reproduce

Steps to reproduce the behaviour:

1. set your NVD_API_KEY
2. run cve-bin-tool /app/ -f html -o report/reportx

Expected behaviour:
Actual behaviour:
Fetching incremental metadata from NVD... ━━━━━━━━━━━━━━━━━━━━━━━━━ 0% -:--:--
[17:09:53] INFO cve_bin_tool.CVEDB - Adding 886 CVE entries nvd_api.py:187
Downloading Feeds from NVD... ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% 0:00:01
[17:09:54] INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-28319
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-26306
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-27397
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-35966
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-36915
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-40972
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-41042
INFO cve_bin_tool - Unknown CVSS metrics field nvd_source.py:257
CVE-2024-42114

Version/platform info

Version of CVE-bin-tool( e.g. output of cve-bin-tool --version):
3.3

Installed from pypi or github?
pypi

Operating system: Linux/Windows (other platforms are unsupported but feel free to report issues anyhow)

• On Linux (or Windows Subsystem for Linux) you can run uname -a
• On Windows you can run systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
  Python version (e.g. python3 --version):
  Python 3.10.14

Running in any particular CI environment we should know about? (e.g. Github Actions)

Anything else?

This is a data difference. The code is not handling the newest version from the data.

Feel free to add any other context here.

[terriko]

This has been changed to a debug message so it's going to vanish in 3.4, but it's likely coming up more frequently now because we need to add some cvss v4 support for newer CVEs. I"ll update the title to reflect that.

[anthonyharrison]

I think we also get the message if there is no CVSS score included in the CVE (which is increasingly common since February 2024)

[matthew-renodin-bh]

when this error occurs it appears that it is ignored setting the flag to False

…

On Wed, Aug 21, 2024 at 4:02 AM anthonyharrison ***@***.***> wrote: I think we also get the message if there is no CVSS score included in the CVE (which is increasingly common since February 2024) — Reply to this email directly, view it on GitHub <#4370 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/BKVEW5XWKR6GZOQBZBFSGW3ZSRCQNAVCNFSM6AAAAABM2L4AL6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDGMBRGQYDMNBQG4> . You are receiving this because you authored the thread.Message ID: ***@***.***>

[terriko]

So, I was completely wrong in my guess about what was happening here to make this message appear more frequently.

We were looking for the (old) "metrics" when we needed to switch to the (new) "impact" when loading the json. I've got a fix incoming that should handle that better.

I've removed the log messages entirely because I'm pretty sure they're going to be spectacularly unhelpful in the future where where the metrics just aren't available, but I feel like we need some better regression tests here to make sure cvss scores get loaded correctly when available.