-
Notifications
You must be signed in to change notification settings - Fork 202
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Provide min_score
and max_score
values in the Package API endpoint
#1573
Comments
@TG1999 @keshav-space could you provide some feedback in the implementation of this one? |
Here are a few thoughts on this issue:
You can see more details in these:
With all this said, this issue is not easy to handle. {
"count": 1,
"next": null,
"previous": null,
"results": [
{
"url": "http://public.vulnerablecode.io/api/packages/106428",
"purl": "pkg:openssl/[email protected]",
"type": "openssl",
"namespace": "",
"name": "openssl",
"version": "1.1.1m",
"qualifiers": {},
"subpath": "",
"is_vulnerable": true,
"next_non_vulnerable_version": "1.1.1q",
"latest_non_vulnerable_version": "3.0.7",
"affected_by_vulnerabilities": [
{
"url": "http://public.vulnerablecode.io/api/vulnerabilities/198463",
"vulnerability_id": "VCID-5khv-27u8-aaaa",
"summary": "",
"references": [
{
"reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2097.json",
"reference_id": "",
"reference_type": "",
"scores": [
{
"value": "5.3",
"scoring_system": "cvssv3",
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
}
],
"url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2097.json"
},
{
"reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2097",
"reference_id": "",
"reference_type": "",
"scores": [
{
"value": "0.00598",
"scoring_system": "epss",
"scoring_elements": "0.78810",
"published_at": "2024-10-28T00:00:00Z"
}
],
"url": "https://api.first.org/data/v1/epss?cve=CVE-2022-2097"
},
{
"reference_url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf",
"reference_id": "",
"reference_type": "",
"scores": [
{
"value": "9.1",
"scoring_system": "cvssv3.1",
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
},
{
"value": "CRITICAL",
"scoring_system": "generic_textual",
"scoring_elements": ""
}
],
"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf"
},
{
"reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097",
"reference_id": "",
"reference_type": "",
"scores": [],
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097"
},
{
... There you can see how the structures is driven from references. Furthermore, with the scores like EPSS, we cannot/do not have anymore a normalized value range: EPSS is a float "0.00598" and I cannot find a way to compare that in a range with a CVSS of 9.1 I do not think going forward that a scores range make sense anymore. Instead we should discuss how to handle each scoring system separately, and eventually in the future we will likely have very scores of the same system for a given PURL, since we will bring this down at the Advisory-Package level We should in all case also wait for the updated API endpoint merge that is in #1631 An important question: is this in the context of CRAVEX? Let's try to find a way to integrate the score data the best for this, and expose the correct API, but in earnest min/max scores feels like a dead end. |
A "range string" is not an actional data point, it's not conveniant to be used for sorting, filtering, etc...
A better data in the API would be the
min_score
andmax_score
, as the range string can easily be computed from those 2.We want to make sure this is available in the bulk_search as well.
The text was updated successfully, but these errors were encountered: