Bug: cvss score is appearing as 0 from certain CVEs

[prabhu]

Expected Behavior

python depscan/cli.py --purl "pkg:npm/zod@3.22.1" --reports-dir /tmp/reports

Actual Behavior

Steps to Reproduce

No response

Additional Information

No response

[prabhu]

The result from npm remote audit has 0 as the score and None as the cvss vectorString

{
  'actions': [
    {
      'isMajor': False,
      'action': 'install',
      'resolves': [
        {
          'id': 1094652,
          'path': 'zod',
          'dev': False,
          'optional': False,
          'bundled': False
        }
      ],
      'module': 'zod',
      'target': '3.22.4'
    }
  ],
  'advisories': {
    '1094652': {
      'findings': [
        {
          'version': '3.22.1',
          'paths': [
            'zod'
          ]
        }
      ],
      'metadata': None,
      'vulnerable_versions': '<=3.22.2',
      'module_name': 'zod',
      'severity': 'low',
      'github_advisory_id': 'GHSA-m95q-7qp3-xv42',
      'cves': [
        'CVE-2023-4316'
      ],
      'access': 'public',
      'patched_versions': '>=3.22.3',
      'cvss': {
        'score': 0,
        'vectorString': None
      },
      'updated': '2023-11-07T05:02:00.000Z',
      'recommendation': 'Upgrade to version 3.22.3 or later',
      'cwe': [
        'CWE-1333'
      ],
      'found_by': None,
      'deleted': None,
      'id': 1094652,
      'references': '- https://nvd.nist.gov/vuln/detail/CVE-2023-4316\n- https://www.npmjs.com/package/zod\n- https://github.com/colinhacks/zod/issues/2609\n- https://github.com/colinhacks/zod/pull/2824\n- https://github.com/colinhacks/zod/commit/2ba00fe2377f4d53947a84b8cdb314a63bbd6dd4\n- https://github.com/colinhacks/zod/releases/tag/v3.22.3\n- https://github.com/advisories/GHSA-m95q-7qp3-xv42',
      'created': '2023-09-28T21:30:58.000Z',
      'reported_by': None,
      'title': 'Zod denial of service vulnerability',
      'npm_advisory_id': None,
      'overview': 'Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.\n\n\n\n',
      'url': 'https://github.com/advisories/GHSA-m95q-7qp3-xv42'
    }
  },
  'muted': [
    
  ],
  'metadata': {
    'vulnerabilities': {
      'info': 0,
      'low': 1,
      'moderate': 0,
      'high': 0,
      'critical': 0
    },
    'dependencies': 1,
    'devDependencies': 0,
    'optionalDependencies': 0,
    'totalDependencies': 1
  }
}

[prabhu]

With the new vdb version, we get 2.0 matching the value with a direct vdb search.

Dependency Scan Results (NPM)
╔════════════════════════════════════════════════════════════╤═════════════════════╤════════════════════════════╤═════════════════════╤══════════════╗
║ CVE                                                        │ Insights            │ Fix Version                │ Severity            │        Score ║
╟────────────────────────────────────────────────────────────┼─────────────────────┼────────────────────────────┼─────────────────────┼──────────────╢
║ zod@3.22.1 ⬅ CVE-2023-4316                                 │                     │ 3.22.3                     │ LOW                 │          2.0 ║
╚════════════════════════════════════════════════════════════╧═════════════════════╧════════════════════════════╧═════════════════════╧══════════════╝

[prabhu]

5.2.10 includes the fix.