[Proposal] Support CVSS scores
Problem to solve
Organizations with more mature security processes, as well as many in highly regulated industries (e.g. finance, insurance, healthcare), require more than a simple severity level to drive their vulnerability management process. Severity is one aspect, but such organizations require a risk-based classification system so they can assess the potential negative impact to their business. CVSS is only a severity classification system, but a standard system for quantifying severity is the first step towards offering a risk-based triage and evaluation process.
User experience goal
Users will see a new, standardized severity scoring system that underpins the current severity classification system (Critical, High, Medium, Low, Unknown). The severity score will be exposed in the vulnerability management UI as well as via the API. Users may also be able to see details of how the severity score is calculated.
Proposal
We will add support for CVSS scores in our security report schema(s) and data model. This will allow scoring information to be included in scanner output reports as well as in manually created vulnerabilities (via API or UI). The scoring can then be exposed to the user in the relevant parts of the UI (and made accessible via the API).
When available, we will show the CVSS score:
- For findings in the MR security widget
- For findings on the pipeline security tab
- In the scanner-output JSON artifacts (and in the downloadable artifact on the pipeline security tab)
- On vulnerability details pages
- On the Vulnerability Report (possibly as a column and/or filter once Advanced filtering is available)
- All relevant GraphQL calls where vulnerability data is returned
Not all scanners will provide a CVSSv3 score, so we will need to account for this case. The tentative proposal is to assign the maximum score (10) and provide a separate visual indication that it was assigned because the real score is unknown. This is in line with many competitive vulnerability management/assessment offerings.
Further details
When we add support for CVSS scores, we need to ensure that the vulnerabilityCreate mutation is also updated. This will let customers using either the API directly or the manual creation form (once updated) input CVSS scoring data consistent with our support in the security schemas.
Open Questions
- What version(s) of CVSS do we support?
  - Do we need to support more than the latest (3.1)? (3.0 was superseded by 3.1 in 2019)
  - Is it feasible to also show the details of how the score was computed?
  - As new versions are released, do we need to support upgrading old scores?
- Which of our analyzers can output a CVSS score?
  - SAST evaluation
  - Secret Detection evaluation
  - DAST evaluation
  - Coverage Guided Fuzzing evaluation
  - API Fuzzing evaluation
  - Dependency Scanning evaluation
  - Container Scanning evaluation
- Should CVSS support be added to the security report base schema or implemented for each relevant scanner format?
Documentation
Availability & Testing
Links / references
This page may contain information related to upcoming products, features and functionality. It is important to note that the information presented is for informational purposes only, so please do not rely on the information for purchasing or planning purposes. Just like with all projects, the items mentioned on the page are subject to change or delay, and the development, release, and timing of any products, features, or functionality remain at the sole discretion of GitLab Inc.