Conversation

@onshi onshi commented Mar 19, 2025

Hello Team,

I would like to introduce logic for properly rating the severity of vulnerabilities which are estimated using only CVSS:4.0. This is a follow-up to rubysec/ruby-advisory-db#654.

Currently vulnerabilities which are estimated using only CVSS:4.0 are using default fallback and are being marked as severity:unknown.

According to the specification docs, I think severity did not change between the 3.0 and 4.0 standards.

I did some refactoring based on Code Climate suggestions.

Here is an example:

Using bundler-audit:0.9.2

Name: ruby-saml
Version: 1.17.0
CVE: CVE-2025-25293
GHSA: GHSA-92rq-c8cf-prrq
Criticality: Unknown
URL: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
Title: Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses
Solution: update to '~> 1.12.4', '>= 1.18.0'

Using bundler-audit:0.10.0

Name: ruby-saml
Version: 1.17.0
CVE: CVE-2025-25293
GHSA: GHSA-92rq-c8cf-prrq
Criticality: High
URL: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-92rq-c8cf-prrq
Title: Ruby SAML allows remote Denial of Service (DoS) with compressed SAML responses
Solution: update to '~> 1.12.4', '>= 1.18.0'

Let me know if there is anything else I should adjust.

@onshi onshi force-pushed the feature/cvss_v4_severity_logic branch 4 times, most recently from 2464e66 to c7b9d1a on March 19, 2025 14:43
@onshi onshi force-pushed the feature/cvss_v4_severity_logic branch from c7b9d1a to c9906be on December 1, 2025 01:56

onshi commented Dec 1, 2025

Hello @postmodern, sorry for shameless ping. Can I get your opinion on this PR, is there anything missing here preventing it from being merged?

module Audit
# bundler-audit version
VERSION = '0.9.3'
VERSION = "0.10.0"
@postmodern postmodern (Member) Dec 3, 2025

Please don't bump the version in a PR. There's already a 0.10.0 branch that you could branch off of, or let me merge on your changes into the 0.10.0 branch.

@onshi onshi (Author)

Sure! Sorry, I wasn't aware of this; if it's okay with you I would happily defer to you when choosing the target merge branch.

#
def criticality
if cvss_v3
case cvss_v3
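Review bot: `if cvss_v3` / `case cvss_v3` rates only on the 3.x score, so an advisory that carries just a CVSS 4.0 score falls through to the default and is still reported as unknown, which is the case this PR sets out to fix. Since the qualitative bands are the same for both versions, select the score once, e.g. `score = cvss_v4 || cvss_v3`, branch on `score`, and state in the method comment (the empty `#` line above `def criticality`) that the 4.0 score takes precedence when an advisory carries both.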
@postmodern postmodern (Member)

If we're using the same logic for calculating criticality for both cvss_v3 and cvss_v4, why not just combine the two?

if cvss_v4 || cvss_v3
  case cvss_v4 || cvss_v3
  when ...

@onshi onshi (Author)

sure, this makes perfect sense! Thank you, I pushed appropriate changes 🙇🏻
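An added example, not bundler-audit's own code, of the combined rating logic discussed in this thread (the PR description and the suggestion to branch on `cvss_v4 || cvss_v3`): `Advisory` is a constructed stand-in for an advisory record with optional CVSS 3.x and 4.0 base scores, and the bands are the qualitative severity ratings that both CVSS versions publish.

```ruby
# Constructed stand-in for an advisory record (not bundler-audit's class):
# either score may be absent, as in the ruby-advisory-db entries.
Advisory = Struct.new(:id, :cvss_v3, :cvss_v4, keyword_init: true) do
  # Rate severity from whichever base score is available, preferring the
  # CVSS 4.0 score when both are present. The qualitative bands are the
  # same for CVSS v3.x and v4.0, so one mapping serves both.
  def criticality
    score = cvss_v4 || cvss_v3
    return :unknown if score.nil?

    case score
    when 0.0        then :none
    when 0.1...4.0  then :low       # 0.1 - 3.9
    when 4.0...7.0  then :medium    # 4.0 - 6.9
    when 7.0...9.0  then :high      # 7.0 - 8.9
    when 9.0..10.0  then :critical  # 9.0 - 10.0
    else                 :unknown   # malformed or out-of-range score
    end
  end
end

# Constructed samples covering the cases the PR describes: a v4-only
# advisory (previously reported as unknown), a v3-only one, both, and none.
SAMPLES = [
  Advisory.new(id: "EXAMPLE-v4-only", cvss_v4: 8.7),
  Advisory.new(id: "EXAMPLE-v3-only", cvss_v3: 5.3),
  Advisory.new(id: "EXAMPLE-both",    cvss_v3: 9.8, cvss_v4: 7.1),
  Advisory.new(id: "EXAMPLE-none"),
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |a| puts "#{a.id}: #{a.criticality}" }
end
```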

@onshi onshi force-pushed the feature/cvss_v4_severity_logic branch from c9906be to afe8f88 on December 4, 2025 17:51
@onshi onshi force-pushed the feature/cvss_v4_severity_logic branch from afe8f88 to b6a27ef on December 4, 2025 17:53
@onshi onshi requested a review from postmodern on December 4, 2025 18:00