Comments (7)

adulau commented on June 12, 2024

I would really avoid mixing vFeed data with the rest. The vFeed license is not very clear and I would like to avoid having any dependencies on vFeed, especially based on my past experience with the OSVDB license...

The best would be to update db_mgmt.py, as cvss:base_metrics is already parsed but not inserted in MongoDB. We would need to update the cves collection to add an array cvss_base_metrics where we add all the values.

    <cvss:base_metrics>
        <cvss:score>7.2</cvss:score>
        <cvss:access-vector>LOCAL</cvss:access-vector>
        <cvss:access-complexity>LOW</cvss:access-complexity>
        <cvss:authentication>NONE</cvss:authentication>
        <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
        <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
        <cvss:availability-impact>COMPLETE</cvss:availability-impact>
        <cvss:source>http://nvd.nist.gov</cvss:source>
        <cvss:generated-on-datetime>2015-01-14T16:18:19.130-05:00</cvss:generated-on-datetime>
    </cvss:base_metrics>

Let me know what you think, I could add it soon.

from cve-search.

PidgeyL commented on June 12, 2024

That information is already available in the database; I added that a few weeks ago. I'm talking about the score. For example, CVE-2011-1180 has a CVSS Base score of 7.5, CVSS Impact score of 6.4 and CVSS Exploit code of 10.0. You can't find this info in that XML (or there is no such info in the 2015 XML), but you can find it in the vFeed SQLite database.

I do agree though, that mixing the sources should be avoided. Perhaps add it to vFeed data then?

adulau commented on June 12, 2024

Sorry, I was talking about how to get the base metric value... So we would need to build the CVSS base score calculator at import? Or we could do the calculation in the library when getting the CVE?

PidgeyL commented on June 12, 2024

We could calculate it dynamically as well, if I find the formula. Then the question would be: do we save it in the database at import, or do we calculate it at display time?

adulau commented on June 12, 2024

The formula is in the CVSS guide: http://www.first.org/cvss/cvss-guide.html

At import, it would be nice, as the values seem fixed.

    ----------------------------------------------------
    BASE METRIC                 EVALUATION         SCORE
    ----------------------------------------------------
    Access Vector               [Local]           (0.395)
    Access Complexity           [High]            (0.35)
    Authentication              [None]            (0.704)
    Confidentiality Impact      [Complete]        (0.66)
    Integrity Impact            [Complete]        (0.66)
    Availability Impact         [Complete]        (0.66)
    ----------------------------------------------------
    FORMULA                                   BASE SCORE
    ----------------------------------------------------
    Impact = 10.41*(1-(0.34*0.34*0.34)) == 10.0
    Exploitability = 20*0.35*0.704*0.395 == 1.9
    f(Impact) = 1.176
    BaseScore = ((0.6*10)+(0.4*1.9)-1.5)*1.176
                                              ==   (6.2)
    ----------------------------------------------------

from cve-search.
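
Added example (not part of the original thread and not cve-search's own code): a CVSS v2 base score calculator driven by the `cvss:base_metrics` values quoted above, which also checks that the recomputed score agrees with the `cvss:score` shipped in the feed. The function names, the wrapping `<entry>` element and the namespace URI in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# CVSS v2 base metric weights from the CVSS guide, keyed by the values used in the XML.
_CIA = {"NONE": 0.0, "PARTIAL": 0.275, "COMPLETE": 0.66}
WEIGHTS = {
    "access-vector": {"LOCAL": 0.395, "ADJACENT_NETWORK": 0.646, "NETWORK": 1.0},
    "access-complexity": {"HIGH": 0.35, "MEDIUM": 0.61, "LOW": 0.71},
    "authentication": {"MULTIPLE_INSTANCES": 0.45, "SINGLE_INSTANCE": 0.56, "NONE": 0.704},
    "confidentiality-impact": _CIA, "integrity-impact": _CIA, "availability-impact": _CIA,
}

# Constructed sample: the base_metrics values from the thread, wrapped in a
# hypothetical <entry> so the cvss: prefix resolves (namespace URI is an assumption).
SAMPLE = """<entry xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <cvss:base_metrics>
    <cvss:score>7.2</cvss:score>
    <cvss:access-vector>LOCAL</cvss:access-vector>
    <cvss:access-complexity>LOW</cvss:access-complexity>
    <cvss:authentication>NONE</cvss:authentication>
    <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
    <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
    <cvss:availability-impact>COMPLETE</cvss:availability-impact>
  </cvss:base_metrics>
</entry>"""

def parse_base_metrics(xml_text):
    """Return {metric-name: value} for each child of base_metrics, namespace stripped."""
    root = ET.fromstring(xml_text)
    node = next(e for e in root.iter() if e.tag.endswith("base_metrics"))
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in node}

def cvss2_scores(metrics):
    """Compute (base, impact, exploitability), each rounded to one decimal."""
    try:
        w = {name: table[metrics[name].upper()] for name, table in WEIGHTS.items()}
    except KeyError as exc:
        raise ValueError(f"missing or unknown CVSS v2 metric: {exc}") from None
    impact = 10.41 * (1 - (1 - w["confidentiality-impact"])
                      * (1 - w["integrity-impact"]) * (1 - w["availability-impact"]))
    exploitability = 20 * w["access-vector"] * w["access-complexity"] * w["authentication"]
    f_impact = 0 if impact == 0 else 1.176  # f(Impact) is 0 when there is no impact
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(base, 1) + 0.0, round(impact, 1), round(exploitability, 1)

def score_matches_feed(metrics):
    """True when the recomputed base score equals the score shipped in the feed."""
    return cvss2_scores(metrics)[0] == float(metrics["score"])
```

Storing the six metric values at import and recomputing on read gives the same result either way; a mismatch reported by `score_matches_feed` points at a corrupted or inconsistent feed entry.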

PidgeyL commented on June 12, 2024

Very well, I'll take a look at this. I don't seem to have the ability to add labels or assignees, but I'll put it on my to-do list.

PidgeyL commented on June 12, 2024

Calculated dynamically, in case Impact or Exploitability get updated.
