Why some CVEs are displayed with the Severity:Unassigned while the souce (OSS Index) has one?

[andreeaButerchi]

Hello,

I've noticed that there are quite a few CVEs that are displayed (also returned by the API calls) with a Severity of Unassigned, while the indicated source (OSS Index) has a score & a severity:

https://ossindex.sonatype.org/vulnerability/CVE-2024-25638?component-type=maven&component-name=dnsjava%2Fdnsjava&utm_source=dependency-track&utm_medium=integration&utm_content=v4.11.5

What am I missing?

Thank you very much for your help!
Andreea

[andreeaButerchi]

This is causing a lot of issues...As our devs need to manually check the severity in order to make sure they comply with the company SLA :(

[nscuro]

ATM, DT's model works based on the idea of authoritative sources. For example, the NVD is the authoritative source for CVEs. OSS Index is allowed to create CVE records if they don't already exist, but if they do, it's not supposed to touch them (since changes made by it will ultimately be overwritten by the NVD mirroring again).

Also, OSS Index is an ad-hoc analyzer, which means that vulnerabilities can only be updated as long as components affected by them exist. Once no such component exists in the portfolio anymore, the vulnerability records would go stale.

What we could do as a stop-gap solution:

• If the CVE exists already, but it's severity is UNASSIGNED, update the severity.
• If the CVE exists already, and it's severity is not UNASSIGNED, don't overwrite the severity with UNASSIGNED

Bascially a temporary solution for the fact that the NVD is so behind with assigning CVSS scores and severities.

[andreeaButerchi]

Hello @nscuro !!

Thank you very much for your answer :)
When you say that "What we could do", you mean on ODT side, right? :)
We've tried to implement this on our side... relying on aliasis & by doing several calls to ODT API (vulnerabilities by source/ vulnerabilities for the project...)...but we end up with a quite complex level or code :(
You can find in this question what we're trying to do and the mess is causing :( : #4098

Thanks again & have a nice day!

[nscuro]

When you say that "What we could do", you mean on ODT side, right? :)

Yes. I'll try to have a look at this on the weekend.

You can find in this question what we're trying to do and the mess is causing :( : #4098

I'll check this, the endpoint should definitely not return all affected components since I agree that does not scale. Will check that too.