CVSS v4 #37
Comments
Currently cvss4 has a draft state (release 2023-10-31). There are some major changes and therefore some effort for this project. Maybe we should implement that code (create a merge request) based on the current draft, to ensure the final changes can be implemented faster?

Partially true, thus partially false: the vector is composed in the same way as for CVSS v3, so the code already exists. Nevertheless, the maths changed and I suggest you wait for the release to implement it (could take a bit of time to implement), as we are still finishing it. EDIT (6th Oct. 2023): I chose to go with strict ordering, as for CVSS v2.0, to be able to build a linear regex. Else it would have been of O(n!) complexity, thus not possible to build a regex (it is a current problem of CVSS v3). As you already support it, the code exists. One more point goes to the "wait for the release" 😉

Thank you. I'm too busy with my day job to work on this package at the moment.
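An added illustration of the strict-ordering idea from the comment above (example code written for this thread, not go-cvss' own implementation): the CVSS v4.0 metric table, in vector order, is turned into one linear regex in which the eleven Base metrics are mandatory and the Threat, Environmental and Supplemental metrics are optional, so a vector that is out of order, repeats a metric or drops a Base metric simply fails to match. Metric abbreviations and values are those of the CVSS v4.0 specification; the strict ordering follows the comment; `numBase`, `v4Metrics`, `v4Regex` and `ParseV4` are names chosen here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Metric table in CVSS v4.0 vector order ("ABBR:allowed|values"); the first
// numBase entries are the mandatory Base metrics, the rest are optional.
const numBase = 11

var v4Metrics = []string{
	"AV:N|A|L|P", "AC:L|H", "AT:N|P", "PR:N|L|H", "UI:N|P|A", "VC:H|L|N", "VI:H|L|N",
	"VA:H|L|N", "SC:H|L|N", "SI:H|L|N", "SA:H|L|N", "E:X|A|P|U", "CR:X|H|M|L", "IR:X|H|M|L",
	"AR:X|H|M|L", "MAV:X|N|A|L|P", "MAC:X|L|H", "MAT:X|N|P", "MPR:X|N|L|H", "MUI:X|N|P|A",
	"MVC:X|H|L|N", "MVI:X|H|L|N", "MVA:X|H|L|N", "MSC:X|H|L|N", "MSI:X|H|L|N|S", "MSA:X|H|L|N|S",
	"S:X|N|P", "AU:X|N|Y", "R:X|A|U|I", "V:X|D|C", "RE:X|L|M|H", "U:X|Clear|Green|Amber|Red",
}

// v4Regex has one capturing group per metric, in table order; optional metrics
// sit in a non-capturing (?:...)? so submatch i+1 always belongs to v4Metrics[i].
// Because the order is fixed, the pattern stays linear in the number of metrics.
var v4Regex = func() *regexp.Regexp {
	var groups []string
	for i, m := range v4Metrics {
		name, vals, _ := strings.Cut(m, ":")
		g := "/" + name + ":(" + vals + ")"
		if i >= numBase { // Threat, Environmental and Supplemental may be absent
			g = "(?:" + g + ")?"
		}
		groups = append(groups, g)
	}
	return regexp.MustCompile(`^CVSS:4\.0` + strings.Join(groups, "") + "$")
}()

// ParseV4 returns the metrics present in vector; malformed input, a missing
// Base metric, a duplicated metric or a metric out of order all fail to match.
func ParseV4(vector string) (map[string]string, error) {
	sub := v4Regex.FindStringSubmatch(vector)
	if sub == nil {
		return nil, fmt.Errorf("invalid CVSS v4.0 vector %q", vector)
	}
	out := map[string]string{}
	for i, m := range v4Metrics {
		if name, _, _ := strings.Cut(m, ":"); sub[i+1] != "" {
			out[name] = sub[i+1]
		}
	}
	return out, nil
}
```

Validation only covers the vector grammar; scoring is a separate step and, as the comment says, the v4.0 maths differ from v3.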
…h the specifications (#651)

## Why this PR

[CVSS v4.0](https://www.first.org/cvss/v4-0/) has been released lately, and the OSV will most probably add its support (the first CVSS v4.0 vector known to the FIRST.ORG SIG CVSS has been published [by Palo Alto Networks for the CVE-2023-3282](https://security.paloaltonetworks.com/CVE-2023-3282)). As a FIRST.ORG SIG CVSS member and [Go CVSS implementation](https://github.com/pandatix/go-cvss) maintainer, I'm looking forward to improving its adoption and understanding in the Open-Source Ecosystem. Moreover, there exist issues with the currently used CVSS implementation, such as [invalid scoring computation](goark/go-cvss#33), and [CVSS v4.0 is currently not planned for support](goark/go-cvss#37 (comment)).

## What it brings

With the current PR, I provide multiple direct improvements:

- proper CVSS v2.0 scoring computation (only affects the environmental score computation, but has been an unresolved issue for months)
- add support of CVSS v4.0 in the OSV schema
- performance improvements according to [benchmarks](https://github.com/pandatix/go-cvss#comparison)

Given ossf/osv-schema#166 the CVSS v4.0 key will most likely be `CVSS_V4` to align with the previous CVSS versions support.

## Is it breaking?

For the code, no, but for the Go version, yes 🎉

v4 has been published on the 1st of November, revision 1.1 of their document on 2023-11-09. https://www.first.org/cvss/v4-0/ So work could start on it. ;)