Groups keyboard shortcuts have been updated
Dismiss
See shortcuts
Get Severity for PYSEC
17 views
Skip to first unread message
celek ibm
Nov 8, 2023, 10:39:02 AM11/8/23
to clair-dev
Looking at https://api.osv.dev/v1/vulns/PYSEC-2020-224
I see there is no CVSS nor Severity
I see GHSA-fxjm-wvj9-9c39 reference in both
- aliases
- references -> type ADVISORY
If I want to call https://api.osv.dev/v1/vulns/GHSA-fxjm-wvj9-9c39 and extract the CVSS from there - is there any API/call I can use (meaning can I pass the GHSA-fxjm-wvj9-9c39 value and get an advisory back) or should I create a direct call to the URL and parse the JSON myself ?
thanks
Hank Donnay
Nov 8, 2023, 7:18:38 PM11/8/23
to clai...@googlegroups.com
On Wed, Nov 08, 2023 at 07:39:02AM -0800, celek ibm wrote:
>[...]
IDs missing a severity, then do a second pass to attempt resolve
references.
It may not be a good idea to do this, though. For example, if PYSEC does
not assign severities, picking the one that GitHub used for an advisory
describing the same defect wouldn't be correct.
--
hank
>[...]
>If I want to call https://api.osv.dev/v1/vulns/GHSA-fxjm-wvj9-9c39 and
>extract the CVSS from there - is there any API/call I can use (meaning can
>I pass the GHSA-fxjm-wvj9-9c39 value and get an advisory back) or should I
>create a direct call to the URL and parse the JSON myself ?
If both of these are in the same OSV ecosystem, it'd better to note the
>extract the CVSS from there - is there any API/call I can use (meaning can
>I pass the GHSA-fxjm-wvj9-9c39 value and get an advisory back) or should I
>create a direct call to the URL and parse the JSON myself ?
IDs missing a severity, then do a second pass to attempt resolve
references.
It may not be a good idea to do this, though. For example, if PYSEC does
not assign severities, picking the one that GitHub used for an advisory
describing the same defect wouldn't be correct.
--
hank
celek ibm
Nov 9, 2023, 5:43:21 AM11/9/23
to clair-dev
I see what you mean -
So maybe our code should pull the PYSEC, then notice there is no sev, then look for the Aliases if any and decide to collect the severity from them ?
If the Alias is not in the same ecosystem... meaning it is not available in the VULN DB, but avail in OSV... what could be the cause ? (I have no example, just asking)
celek ibm
Nov 9, 2023, 5:50:29 AM11/9/23
to clair-dev
I notice the ALIAS is not saved in the VULN DB - So I wouldn't be able to query them - Is that a possible schema change or should I getthe links, parse them, find which ones look like an alias , extract the ID and then query the vuln for that ID ?
Hank Donnay
Nov 9, 2023, 1:08:20 PM11/9/23
to clai...@googlegroups.com
On Thu, Nov 09, 2023 at 02:50:29AM -0800, celek ibm wrote:
>I notice the ALIAS is not saved in the VULN DB - So I wouldn't be able to
>query them - Is that a possible schema change or should I getthe links,
>parse them, find which ones look like an alias , extract the ID and then
>query the vuln for that ID ?
Correct, the current schema doesn't capture references and doesn't have
>I notice the ALIAS is not saved in the VULN DB - So I wouldn't be able to
>query them - Is that a possible schema change or should I getthe links,
>parse them, find which ones look like an alias , extract the ID and then
>query the vuln for that ID ?
a way to query them. This is a known issue that we're working on, but
it's (hopefully understandbly) involved to rework the database schema.
--
hank
Reply all
Reply to author
Forward
0 new messages