CVE severity is based on CVSS v2 score


Vinay

Sep 14, 2020, 4:18:56 AM
to clair-dev
Hi,

Though Clair fetches both CVSS v2 & v3 scores from NVD, it only uses v2 scores to compute severity. Please refer to Issue 843.

I have the following questions.
1) Why are CVSS v3 scores not considered for determining the severity?
2) What are the implications of using CVSS v3 scores?
   From some of the blogs, I understand that a lot of CVEs that were earlier classified as Medium will now be classified as High/Critical. Reference: https://www.balbix.com/insights/cvss-v2-vs-cvss-v3/
   Any other implications?
3) Is there any plan to use CVSS v3 scores in Clair (v2 or v4)?

I would appreciate responses or pointers on the above queries.

Thanks,
Vinay
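As an added example that is not part of this thread or of Clair's own code, the following Go program rates each entry of an NVD feed under both the CVSS v2 and the CVSS v3 qualitative ranges published by NVD, so the Medium-to-High shift asked about in question 2 can be observed on real feed data. It assumes the NVD JSON 1.1 feed layout (`CVE_Items`, `impact.baseMetricV2.cvssV2.baseScore`, `impact.baseMetricV3.cvssV3.baseScore`); the CVE IDs and scores in `SampleFeed` are constructed, and entries that predate v3 scoring (v2 metric only) are skipped rather than misrated.

```go
package main

import ("encoding/json"; "fmt")

// nvdItem is the subset of an NVD JSON 1.1 feed entry needed here; pointers distinguish "no v3 metric" from a v3 score of 0.
type nvdItem struct {
	CVE    struct{ Meta struct{ ID string } `json:"CVE_data_meta"` } `json:"cve"`
	Impact struct {
		V2 *struct{ CVSS struct{ BaseScore float64 } `json:"cvssV2"` } `json:"baseMetricV2"`
		V3 *struct{ CVSS struct{ BaseScore float64 } `json:"cvssV3"` } `json:"baseMetricV3"`
	} `json:"impact"`
}

// Rate maps a base score to NVD's qualitative label: Low/Medium/High bounds (4.0, 7.0) are shared; v3 adds Critical (>= 9.0) and None (0.0).
func Rate(score float64, v3 bool) string {
	switch {
	case v3 && score >= 9.0: return "Critical"
	case score >= 7.0: return "High"
	case score >= 4.0: return "Medium"
	case v3 && score == 0: return "None"
	}
	return "Low"
}

// Shift is one CVE's label under each scheme; Raised is set when v3 ranks it higher than v2 did.
type Shift struct{ ID, V2, V3 string; Raised bool }

// Compare parses a feed and reports every entry that carries both metrics.
func Compare(feed []byte) ([]Shift, error) {
	var f struct{ Items []nvdItem `json:"CVE_Items"` }
	if err := json.Unmarshal(feed, &f); err != nil {
		return nil, err
	}
	rank := map[string]int{"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
	var out []Shift
	for _, it := range f.Items {
		if it.Impact.V2 == nil || it.Impact.V3 == nil { continue } // scored before CVSS v3 existed: v2 only
		v2, v3 := Rate(it.Impact.V2.CVSS.BaseScore, false), Rate(it.Impact.V3.CVSS.BaseScore, true)
		out = append(out, Shift{it.CVE.Meta.ID, v2, v3, rank[v3] > rank[v2]})
	}
	return out, nil
}

// SampleFeed is constructed (not real CVE data): one entry rises Medium->High under v3, one stays Medium, one has v2 only.
const SampleFeed = `{"CVE_Items":[
{"cve":{"CVE_data_meta":{"ID":"CVE-0000-0001"}},"impact":{"baseMetricV2":{"cvssV2":{"baseScore":5.0}},"baseMetricV3":{"cvssV3":{"baseScore":7.5}}}},
{"cve":{"CVE_data_meta":{"ID":"CVE-0000-0002"}},"impact":{"baseMetricV2":{"cvssV2":{"baseScore":4.3}},"baseMetricV3":{"cvssV3":{"baseScore":6.1}}}},
{"cve":{"CVE_data_meta":{"ID":"CVE-0000-0003"}},"impact":{"baseMetricV2":{"cvssV2":{"baseScore":6.8}}}}]}`

func main() {
	shifts, err := Compare([]byte(SampleFeed))
	if err != nil { panic(err) }
	for _, s := range shifts {
		fmt.Printf("%s: v2=%s v3=%s raised=%t\n", s.ID, s.V2, s.V3, s.Raised)
	}
}
```

Pointing `Compare` at a real downloaded feed file and counting `Raised` entries gives a concrete measure of how many Medium findings a v3-based severity would promote for the images you scan.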

Hank Donnay

Sep 21, 2020, 3:33:03 PM
to Vinay, clair-dev
Hello,

On Mon, Sep 14, 2020 at 01:18:56AM -0700, Vinay wrote:
>I have the following questions.
>1) Why are CVSS v3 scores not considered for determining the severity?

I haven't looked at the Clair v2 code or commit history, but I would
imagine at the time only CVSSv2 scores existed or were deemed more
reliable.

>2) What are the implications of using CVSS v3 scores?

I don't know.

>3) Is there any plan to use CVSS v3 scores in Clair (v2 or v4)?

In Clair v4, we're at least starting with ingesting "higher level"
security information, such as the Red Hat Security Advisory or Ubuntu
Security Notice databases. The reasons for that are a bit long, but it
boils down to letting distribution publishers do the package ↔
vulnerability mapping.

-hank
