Skip to content

Add all CVSS scores and sources from NVD#4729

Closed
conorfitch wants to merge 2 commits into
google:masterfrom
conorfitch:master
Closed

Add all CVSS scores and sources from NVD#4729
conorfitch wants to merge 2 commits into
google:masterfrom
conorfitch:master

Conversation

@conorfitch
Copy link
Copy Markdown

@conorfitch conorfitch commented Feb 3, 2026
edited
Loading

Hello - just opening this as a suggestion as something I would find highly useful! Am very interested in discussing anything further.

  • Note: This PR is dependent on the following change to the OSV schema (addition of a severity[].source field): Add a severity source field ossf/osv-schema#510

  • Certain data sources, such as NVD and the CVE Program, provide multiple CVSS scores in their records that come from different providers or are different CVSS versions.

  • This PR adds all of the available CVSS scores from the NVD record, into the severity object, rather than just a single CVSS score. The sources of the CVSS scores are also added into the OSV record, taken from the Source field that is provided in the NVD record.

  • Including all the available CVSS scores in the OSV record, along with their source, allows consumers of the data to know who issued the score (e.g. NVD or the CNA), as well as being able to choose between them. For example, a consumer may have a preference for scores issued by NVD or the CNA, or they may wish to use a specific CVSS version for better comparability with other vulnerabilities.

  • One CVSS score continues to be selected for the Debian and Alpine records.

  • In the NVD and CVE5 combining process, the severities are taken from the NVD record (if it has at least 1 severity). Perhaps instead the severities and their sources should be taken from CVE5, and then add any NVD-issued severity on top of that?

@google-cla
Copy link
Copy Markdown

google-cla Bot commented Feb 3, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@conorfitch conorfitch mentioned this pull request Feb 3, 2026
Open
@conorfitch
add all cvss scores and sources for nvd
023f13c 
Signed-off-by: Conor Fitch <173908980+conorfitch@users.noreply.github.com>
@conorfitch
add tests for new cvss scores
bcc1f48 
Signed-off-by: Conor Fitch <173908980+conorfitch@users.noreply.github.com>
@jess-lowe
Copy link
Copy Markdown
Contributor

jess-lowe commented Mar 5, 2026

Hey, thanks for the contribution! Looks great, we're just waiting on discussion time to actually bring up adding the field.

This may also be out of date because of all my recent NVD refactors (sorry!) but I'll ping when it's a good time to rebase the changes.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026

This pull request has not had any activity for 60 days and will be automatically closed in two weeks

@github-actions github-actions Bot added the stale The issue or PR is stale and pending automated closure label May 4, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 18, 2026

Automatically closing stale pull request

@github-actions github-actions Bot added the autoclosed Closed by automation label May 18, 2026
@github-actions github-actions Bot closed this May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

autoclosed Closed by automation stale The issue or PR is stale and pending automated closure

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@conorfitch @jess-lowe