Comments (7)
I would really avoid mixing vFeed data with the rest. The vFeed license is not very clear and I would like to avoid having any dependencies on vFeed. Especially based on my past experience with the osvdb license...
The best would be to update db_mgmt.py as the parsing for the cvss:base_metrics is already parsed but not inserted in MongoDB. We would need to update the cves collection to add an array cvss_base_metrics where we add all the values.
<cvss:base_metrics>
<cvss:score>7.2</cvss:score>
<cvss:access-vector>LOCAL</cvss:access-vector>
<cvss:access-complexity>LOW</cvss:access-complexity>
<cvss:authentication>NONE</cvss:authentication>
<cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
<cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
<cvss:availability-impact>COMPLETE</cvss:availability-impact>
<cvss:source>http://nvd.nist.gov</cvss:source>
<cvss:generated-on-datetime>2015-01-14T16:18:19.130-05:00</cvss:generated-on-datetime>
</cvss:base_metrics>
Let me know what you think, I could add it soon.
from cve-search.
That information is already available in the database, I added that a few weeks ago. I'm talking about the score. For example, CVE-2011-1180 has a CVSS Base score of 7.5, CVSS Impact score of 6.4 and CVSS Exploit code of 10.0. This info, you can't find (or there is no such info in the 2015 xml) in that xml. But you can find it in the vFeed sqlite database.
I do agree though, that mixing the sources should be avoided. Perhaps add it to vFeed data then?
from cve-search.
Sorry I was talking about how to get the base metric value... So we would need to build the CVSS base score calculator at the import? or we could do the calculation in the library when getting the CVE?
from cve-search.
We could calculate it dynamically as well, if I find the formula. Then the question would be, do we save it in the database at import, or do we calculate it at display time?
from cve-search.
The formula is in the CVSS guide: http://www.first.org/cvss/cvss-guide.html
At the Import, it would be nice as the values seem fixed.
----------------------------------------------------
BASE METRIC EVALUATION SCORE
----------------------------------------------------
Access Vector [Local] (0.395)
Access Complexity [High] (0.35)
Authentication [None] (0.704)
Confidentiality Impact [Complete] (0.66)
Integrity Impact [Complete] (0.66)
Availability Impact [Complete] (0.66)
----------------------------------------------------
FORMULA BASE SCORE
----------------------------------------------------
Impact = 10.41*(1-(0.34*0.34*0.34)) == 10.0
Exploitability = 20*0.35*0.704*0.395 == 1.9
f(Impact) = 1.176
BaseScore = ((0.6*10)+(0.4*1.9)-1.5)*1.176
== (6.2)
----------------------------------------------------
from cve-search.
Very well, I'll take a look at this. I don't seem to have the ability to add labels or assignees, but I'll put it on my to-do list.
from cve-search.
Calculated dynamically, in case Impact or Exploitability get updated
from cve-search.