OSV: further refinement needed to vulnerability severity feature

[setchy]

Type of discussion.

I'm proposing an idea

Tell us more.

We've been using #21939 for several days now across our org, and I've observed the following two scenarios that need additionally handling (happy to do so via a PR once we reach consensus on way forward)

I updated https://github.com/setchy/renovate-demo-osv-severity to demonstrate the following

Observation 1 - MEDIUM + MODERATE

• Both MEDIUM and MODERATE can be valid severity ratings

  • MEDIUM: manual close - Update dependency karma to v6 [SECURITY-MEDIUM] setchy/renovate-demo-osv-severity#7
  • MODERATE: manual close - Update dependency org.springframework:spring-web to v6 [SECURITY-MODERATE] setchy/renovate-demo-osv-severity#8

• Should we

  • support both of these severity types (ie: the native severity rating from the osv database)?
  • Or, should we normalize these to a common value?

• My recommendation would be to support both, but keen to hear input from others.

Observation 2 - Unknown severity

• For updates that have an Unknown severity, we currently don't set a vulnerabilitySeverity
• Example: manual close - Update dependency pandas to v1 [SECURITY-] setchy/renovate-demo-osv-severity#9
• Proposal: set vulnerabilitySeverity to UNKNOWN and update sort logic accordingly

[setchy]

@JamieMagee @viceice @secustor - appreciate your thoughts on how best to handle the above 😄

[JamieMagee]

For your first point, I agree that supporting both might be easier. Extending this map to include MEDIUM is simple.

For your second point, I agree that adding UNKNOWN is the best approach, but where do you sort them? My gut feeling is higher than CRITICAL. If we were to sort them lower than LOW, or in the middle at MEDIUM/MODERATE there might be a false sense of security.

[setchy]

Excellent - here's one i prepared earlier #22257