OSV: further refinement needed to vulnerability severity feature #22239
Closed
setchy
started this conversation in
Suggest an Idea
Replies: 1 comment 2 replies

@JamieMagee @viceice @secustor - appreciate your thoughts on how best to handle the above 😄

2 replies
Type of discussion: I'm proposing an idea

Tell us more:

We've been using #21939 for several days now across our org, and I've observed the following two scenarios that need additional handling (happy to do so via a PR once we reach consensus on the way forward).

I updated https://github.com/setchy/renovate-demo-osv-severity to demonstrate the following.
Observation 1 - MEDIUM + MODERATE

Both MEDIUM and MODERATE can be valid severity ratings:
- MEDIUM: manual close - Update dependency karma to v6 [SECURITY-MEDIUM] setchy/renovate-demo-osv-severity#7
- MODERATE: manual close - Update dependency org.springframework:spring-web to v6 [SECURITY-MODERATE] setchy/renovate-demo-osv-severity#8

Should we

My recommendation would be to support both, but keen to hear input from others.
Observation 2 - Unknown severity

vulnerabilitySeverity
vulnerabilitySeverity to UNKNOWN and update sort logic accordingly
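The two observations above both come down to how a severity label is normalised before it is used for PR titles and ordering. The following is an added example, not code from Renovate or from the linked demo repository: it treats MEDIUM and MODERATE as the same level, maps a missing or unrecognised rating to UNKNOWN, and sorts UNKNOWN last so that an advisory with no rating never displaces a rated one. The type names, the `normalizeSeverity`, `sortBySeverity` and `titleSuffix` helpers, the choice of MEDIUM as the canonical spelling, and the sample updates are all assumptions made for this example.

```typescript
// Added example (not Renovate's own code). Names and the choice of MEDIUM
// as the canonical label for MEDIUM/MODERATE are assumptions.

type Severity = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW' | 'UNKNOWN';

// Accepted spellings of a rating, folded to one canonical level.
// MODERATE (e.g. GitHub advisories) and MEDIUM (e.g. CVSS bands) are equivalent.
const ALIASES: Record<string, Severity> = {
  CRITICAL: 'CRITICAL',
  HIGH: 'HIGH',
  MEDIUM: 'MEDIUM',
  MODERATE: 'MEDIUM',
  LOW: 'LOW',
};

// Higher number = more severe; UNKNOWN ranks below every real rating.
const RANK: Record<Severity, number> = {
  CRITICAL: 4,
  HIGH: 3,
  MEDIUM: 2,
  LOW: 1,
  UNKNOWN: 0,
};

// Normalise whatever the data source provided (any case, blank, null) to a Severity.
function normalizeSeverity(raw: string | null | undefined): Severity {
  if (!raw) {
    return 'UNKNOWN';
  }
  return ALIASES[raw.trim().toUpperCase()] ?? 'UNKNOWN';
}

// Minimal shape of a vulnerability-driven update, hypothetical for this example.
interface VulnUpdate {
  depName: string;
  vulnerabilitySeverity?: string | null;
}

// Most severe first; ties broken by dependency name so output is deterministic.
function sortBySeverity<T extends VulnUpdate>(updates: T[]): T[] {
  return [...updates].sort((a, b) => {
    const diff =
      RANK[normalizeSeverity(b.vulnerabilitySeverity)] -
      RANK[normalizeSeverity(a.vulnerabilitySeverity)];
    return diff !== 0 ? diff : a.depName.localeCompare(b.depName);
  });
}

// Suffix for a PR title, always using the canonical label.
function titleSuffix(update: VulnUpdate): string {
  return `[SECURITY-${normalizeSeverity(update.vulnerabilitySeverity)}]`;
}

// Constructed sample mirroring the two observations: one MEDIUM, one MODERATE,
// one with no rating at all, and one lower-cased rating.
const SAMPLE: VulnUpdate[] = [
  { depName: 'karma', vulnerabilitySeverity: 'MEDIUM' },
  { depName: 'org.springframework:spring-web', vulnerabilitySeverity: 'MODERATE' },
  { depName: 'left-pad', vulnerabilitySeverity: null },
  { depName: 'lodash', vulnerabilitySeverity: 'high' },
];

function sampleOrder(): string[] {
  return sortBySeverity(SAMPLE).map((u) => `${u.depName} ${titleSuffix(u)}`);
}
```

Folding MODERATE into MEDIUM means both of the example PRs would carry the same `[SECURITY-MEDIUM]` suffix; if the intent is instead to keep each source's own spelling, drop the alias and give MODERATE its own entry in RANK at the same level as MEDIUM, so ordering is unaffected either way.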