Skip to content

Add all CVSS scores and sources from NVD#4729

Open
conorfitch wants to merge 2 commits into
google:masterfrom
conorfitch:master
Open

Add all CVSS scores and sources from NVD#4729
conorfitch wants to merge 2 commits into
google:masterfrom
conorfitch:master

Conversation

@conorfitch

@conorfitch conorfitch commented Feb 3, 2026

Copy link
Copy Markdown

Hello - just opening this as a suggestion as something I would find highly useful! Am very interested in discussing anything further.

  • Note: This PR is dependent on the following change to the OSV schema (addition of a severity[].source field): Add a severity source field ossf/osv-schema#510

  • Certain data sources, such as NVD and the CVE Program, provide multiple CVSS scores in their records that come from different providers or are different CVSS versions.

  • This PR adds all of the available CVSS scores from the NVD record, into the severity object, rather than just a single CVSS score. The sources of the CVSS scores are also added into the OSV record, taken from the Source field that is provided in the NVD record.

  • Including all the available CVSS scores in the OSV record, along with their source, allows consumers of the data to know who issued the score (e.g. NVD or the CNA), as well as being able to choose between them. For example, a consumer may have a preference for scores issued by NVD or the CNA, or they may wish to use a specific CVSS version for better comparability with other vulnerabilities.

  • One CVSS score continues to be selected for the Debian and Alpine records.

  • In the NVD and CVE5 combining process, the severities are taken from the NVD record (if it has at least 1 severity). Perhaps instead the severities and their sources should be taken from CVE5, and then add any NVD-issued severity on top of that?

@google-cla

google-cla Bot commented Feb 3, 2026

Copy link
Copy Markdown

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

Signed-off-by: Conor Fitch <173908980+conorfitch@users.noreply.github.com>
Signed-off-by: Conor Fitch <173908980+conorfitch@users.noreply.github.com>
@jess-lowe

Copy link
Copy Markdown
Contributor

Hey, thanks for the contribution! Looks great, we're just waiting on discussion time to actually bring up adding the field.

This may also be out of date because of all my recent NVD refactors (sorry!) but I'll ping when it's a good time to rebase the changes.

@github-actions

github-actions Bot commented May 4, 2026

Copy link
Copy Markdown

This pull request has not had any activity for 60 days and will be automatically closed in two weeks

@github-actions github-actions Bot added the stale The issue or PR is stale and pending automated closure label May 4, 2026
@github-actions

Copy link
Copy Markdown

Automatically closing stale pull request

@github-actions github-actions Bot added the autoclosed Closed by automation label May 18, 2026
@github-actions github-actions Bot closed this May 18, 2026
another-rex pushed a commit to ossf/osv-schema that referenced this pull request Jul 9, 2026
Hello! Please also see this related PR for osv.dev:
google/osv.dev#4729

* This PR adds an optional `severity[].source` field, previously
discussed in this issue: #248

* There are several data sources in OSV.dev that aggregate severities
from other providers, such as NVD or Ubuntu. This can lead to cases
where the same severity is duplicated across aliased or upstream
records, because the severity came from the same source. It can also
result in cases where multiple severities are provided in a single
record, but is unclear what the difference between them is.

* The addition of this field should help these issues to be solved, by
allowing the source of a severity to be specified. For example, it can
be ascertained through the field that one severity was issued by NVD,
while the other was issued by the CNA.

---------

Signed-off-by: Conor Fitch <173908980+conorfitch@users.noreply.github.com>
Signed-off-by: Conor Fitch <cfitch@cloudsmith.io>
@jess-lowe jess-lowe removed stale The issue or PR is stale and pending automated closure autoclosed Closed by automation labels Jul 16, 2026
@jess-lowe jess-lowe reopened this Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants