Grype not consistently using CVSSv3 score to determine severity
Why are we doing this work
GitLab relies on individual scanners to report an accurate severity level. The severity level should be determined by the CVSS score.
Currently, the Grype scanner is reporting some severity levels that correspond to the CVSSv2 score rather than the CVSSv3 score. Ideally, all vulnerability severities will correspond to the underlying CVSSv3 score for consistency. We need to determine whether this error is occurring in GitLab code or whether we need to open a bug in the upstream Grype project.
Relevant links
Non-functional requirements
-
Documentation: -
Feature flag: -
Performance: -
Testing:
Implementation plan
- backend: update `lib/gitlab.grype.tpl` to calculate severity based on the `Vulnerability.VulnerabilityMetadata.Cvss[]` value (find the entry in the `Cvss` collection with version >= 3.0, take the value of `Metrics.BaseScore`, and based on that value calculate severity according to https://www.first.org/cvss/v3.0/specification-document#Qualitative-Severity-Rating-Scale):
| Rating | CVSS Score |
|---|---|
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
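The selection and mapping described in the plan, written out as a stand-alone Go program (added here as an illustration; this is not the project's template code and not Grype's own code). The `Vulnerability`/`Cvss`/`Metrics` structs are an assumed, simplified model of the vulnerability object in Grype's JSON output that keeps only the fields the calculation needs; the tie-break rule (highest v3.x version, then highest base score) and the fallback to the upstream severity when no v3 score is present are assumptions, since the plan does not say what to do in those cases. The report fragment is constructed sample data, not real scan output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Simplified model of a vulnerability in Grype's JSON output.
// Assumption: only the fields needed for the severity calculation are modelled.
type Metrics struct {
	BaseScore float64 `json:"baseScore"`
}

type Cvss struct {
	Version string  `json:"version"` // "2.0", "3.0", "3.1", ...
	Vector  string  `json:"vector"`
	Metrics Metrics `json:"metrics"`
}

type Vulnerability struct {
	ID       string `json:"id"`
	Severity string `json:"severity"` // severity as reported by the upstream data source
	Cvss     []Cvss `json:"cvss"`
}

// RatingFromV3Score maps a CVSS v3 base score to the qualitative rating table
// of the CVSS v3.0 specification: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
// High 7.0-8.9, Critical 9.0-10.0.
func RatingFromV3Score(score float64) string {
	switch {
	case score <= 0.0:
		return "None"
	case score < 4.0:
		return "Low"
	case score < 7.0:
		return "Medium"
	case score < 9.0:
		return "High"
	default:
		return "Critical"
	}
}

// cvssVersion parses a CVSS version string ("3.1" -> 3.1).
// Malformed strings yield 0 so they are never selected as a v3 entry.
func cvssVersion(v string) float64 {
	f, err := strconv.ParseFloat(strings.TrimSpace(v), 64)
	if err != nil {
		return 0
	}
	return f
}

// PickV3 selects the CVSS entry to derive severity from: the entry with the
// highest version >= 3.0, and among equal versions the highest base score
// (assumption: a vulnerability may carry several v3 vectors from different sources).
func PickV3(entries []Cvss) (Cvss, bool) {
	var best Cvss
	found := false
	for _, e := range entries {
		ver := cvssVersion(e.Version)
		if ver < 3.0 {
			continue
		}
		bestVer := cvssVersion(best.Version)
		if !found || ver > bestVer ||
			(ver == bestVer && e.Metrics.BaseScore > best.Metrics.BaseScore) {
			best, found = e, true
		}
	}
	return best, found
}

// Severity returns the severity to report: the rating of the selected v3 base
// score, or the upstream severity when no v3 score exists (assumed fallback).
func Severity(v Vulnerability) string {
	if e, ok := PickV3(v.Cvss); ok {
		return RatingFromV3Score(e.Metrics.BaseScore)
	}
	return v.Severity
}

// Severities parses a report fragment and returns a map of id -> severity.
func Severities(report string) (map[string]string, error) {
	var vulns []Vulnerability
	if err := json.Unmarshal([]byte(report), &vulns); err != nil {
		return nil, err
	}
	out := make(map[string]string, len(vulns))
	for _, v := range vulns {
		out[v.ID] = Severity(v)
	}
	return out, nil
}

// sampleReport is constructed sample data, not real scan output. EXAMPLE-1 has a
// v2 score that rates Medium and a v3.1 score that rates Critical, which is the
// discrepancy this issue is about; EXAMPLE-2 has only a v2 score.
const sampleReport = `[
  {"id": "EXAMPLE-1", "severity": "Medium", "cvss": [
    {"version": "2.0", "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "metrics": {"baseScore": 6.8}},
    {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "metrics": {"baseScore": 9.8}}
  ]},
  {"id": "EXAMPLE-2", "severity": "Low", "cvss": [
    {"version": "2.0", "vector": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "metrics": {"baseScore": 2.1}}
  ]}
]`

func main() {
	sev, err := Severities(sampleReport)
	if err != nil {
		panic(err)
	}
	for id, s := range sev {
		fmt.Printf("%s: %s\n", id, s)
	}
}
```

Two points worth checking when porting this into the template: the boundaries are inclusive on the table's own values (3.9 is Low, 4.0 is Medium), which the strict `<` comparisons preserve because base scores have one decimal place; and entries with no v3 score at all still need some severity, so the fallback rule has to be decided explicitly rather than left to whatever the template happens to emit for a missing value.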
Edited by Alan (Maciej) Paruszewski