Compute severity from CVSS score
The `rustsec` crate exposes CVSS metrics. We could map this onto the GitLab vulnerability severity enum (`Info`, `Unknown`, `Low`, `Medium`, `High`, or `Critical`).
One limitation is that most advisories do not currently specify a CVSS score (the field is optional in advisory metadata), which means the vast majority of vulnerabilities would still be reported as `Unknown` severity, and any mapping needs an explicit rule for the missing-score case.
Open questions:
- Should `Info` be reserved only for `rustsec` warnings, as described in #1?
- Should we evenly distribute the CVSS range over low/medium/high/critical, or use a different scheme to assign severity (for example the CVSS v3.1 qualitative rating scale: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical)?
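As an added example (not code from this project or from the `rustsec` crate), here is a mapping of a CVSS v3.x base score onto the GitLab levels using the CVSS v3.1 qualitative rating scale, next to the even four-way split asked about above, so the two schemes can be compared on concrete scores. The `Severity` enum, the function names, the treatment of a missing or out-of-range score as `Unknown`, and the choice to map a 0.0 score (CVSS rating "None") to `Info` are assumptions made for this example.

```rust
/// GitLab vulnerability severity levels. The variant names mirror the GitLab
/// report schema; the enum itself is defined here for the example only.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity {
    Info,
    Unknown,
    Low,
    Medium,
    High,
    Critical,
}

/// Accept a score only if it is a finite number inside the CVSS 0.0..=10.0 range.
/// A missing score (most advisories) or a malformed one yields `None`.
fn valid_score(score: Option<f32>) -> Option<f32> {
    match score {
        Some(s) if s.is_finite() && (0.0..=10.0).contains(&s) => Some(s),
        _ => None,
    }
}

/// CVSS v3.1 qualitative severity rating scale:
/// None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
pub fn severity_from_cvss(score: Option<f32>) -> Severity {
    let s = match valid_score(score) {
        Some(s) => s,
        // No score in the advisory, or a score outside the CVSS range: report
        // Unknown rather than silently picking a level.
        None => return Severity::Unknown,
    };
    if s == 0.0 {
        // Assumption for this example: CVSS "None" is informational. Change this
        // if `Info` ends up reserved for rustsec warnings.
        Severity::Info
    } else if s < 4.0 {
        Severity::Low
    } else if s < 7.0 {
        Severity::Medium
    } else if s < 9.0 {
        Severity::High
    } else {
        Severity::Critical
    }
}

/// The alternative raised in the open question: split 0.0..=10.0 into four
/// equal 2.5-wide buckets. Shown only for comparison; it disagrees with the
/// CVSS scale for scores between 5.0 and 7.0 and between 7.5 and 9.0.
pub fn severity_even_split(score: Option<f32>) -> Severity {
    let s = match valid_score(score) {
        Some(s) => s,
        None => return Severity::Unknown,
    };
    if s < 2.5 {
        Severity::Low
    } else if s < 5.0 {
        Severity::Medium
    } else if s < 7.5 {
        Severity::High
    } else {
        Severity::Critical
    }
}

fn main() {
    // Constructed sample scores, including the missing-score case and an
    // out-of-range value, to show where the two schemes diverge.
    let samples = [None, Some(0.0), Some(3.9), Some(5.5), Some(7.0), Some(8.9), Some(9.8), Some(10.1)];
    println!("{:>6}  {:<9} {:<9}", "score", "cvss-v3", "even-split");
    for s in samples {
        let label = s.map(|v| format!("{v:.1}")).unwrap_or_else(|| "n/a".into());
        println!(
            "{:>6}  {:<9} {:<9}",
            label,
            format!("{:?}", severity_from_cvss(s)),
            format!("{:?}", severity_even_split(s))
        );
    }
}
```

Under the CVSS scale a 5.5 stays `Medium` and an 8.9 stays `High`; the even split promotes them to `High` and `Critical`, which is the kind of inflation the second open question is really about.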