In this GitHub repository, we collect vulnerability data for two software products: Apache Server (together with its modules) and the Linux Kernel (together with its modules). The vulnerability information is obtained from two well-known public sources, the CVE list and the NVD (National Vulnerability Database). For each vulnerability it includes the CVE identifier, publication date, CVSS score, and the values of the base, temporal, and environmental metric groups. We have analyzed the gathered dataset separately for each module of these two products.
The primary goal of this research is to analyze the vulnerability data of these two products from two perspectives. First, we investigate whether the historical frequency of vulnerabilities in a module is reflected in the severity score produced by the CVSS (Common Vulnerability Scoring System) formula. Second, we analyze the datasets to determine whether the weighting of the base metric group criteria, including Attack Vector, Attack Complexity, Privileges Required, and User Interaction, effectively prioritizes vulnerabilities when their severity is scored with the CVSS formula. Our findings suggest that the fixed numerical weights assigned to the base metric criteria should not be applied unchanged to every software product. In other words, we show that the numerical weights of the base metric group criteria should be adjusted per product before they are used in the CVSS formula.
Our research therefore centers on the characteristics of the base metric group values recorded for each vulnerability, examined separately for each of the two products.