Set one value (either cvss_v3 or cvss_v4 value) based on GHSA data

[jasnow]

March 6, 2026 Expectation Regarding cvss (v2, v3, v4) fields

This issue will deal with Choice B below.

Choices

1. Accept having only 1 automatic CVSS value from GHSA.
   A. AS-IS: Accept the current algorithm.
   B. Fix it: Set one value (either cvss_v3 or cvss_v4 value) based on GHSA data.
   • More details in comments below.
2. Add one or more cvss values from non-GHSA source.
   A. Choices:
   • Create separate tool to cvss values. Run after github_advisory_sync.rb.
   • Add external call for data inside github_advisory_sync.rb script.

[jasnow]

Check json. See only 1 GHSA CVSS value: Example:

    "severity": "MODERATE",
    "cvss": {
      "score": 6.1,
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
    },

The default cvss variable appears to be "cvss_v3" and the GHSA cvss value is used as "cvss_v3".

[jasnow]

History of issue

• (2023) Added cvss_v4 field #654 (Added cvss_v4 field [to template])
• (2023) [Pre537] Add cvss values back in as needed using external data in github_advisory_sync.rb #651 (Add cvss values back in as needed using external data in github_advisory_sync.rb)
• (2019) [GHSA sync] Pull CVSS score from NVD #399 (Pull CVSS score from NVD)

[jasnow]

Here is a recent advisory: GHSA-mpwp-4h2m-765c

  "severity": [
    {
      "type": "CVSS_V4",
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
    }
  ],

[jasnow]

Appears we (I) need to change our (my) exception:

Also note above that the schema is different for some cases.

PSEUDOCODE

if we have a cve value in GHSA advisory
  if      GHSA type is "CVSS_V3", put GHSA cvss in cvss_v3
  else if GHSA type is "CVSS_V4", put GHSA cvss in cvss_v4
else 
  put GHSA cvss value into cvss_3
fi

[jasnow]

March 1, 2026 Expectation:

Add cvss_v4 value to github_advisory_sync.rb script.

1. Expect [cvss_v2, cvss_v3, cvss_4] to be included (field and value) if available. Remove empty cvss fields.
2. Also remove "' lines associated with these fields.

[jasnow]

FYI: See "CVSS3.1" and "null" as vaues for "vectorString" with a sample of yml file.
Will continue to monitor when I get a cvss_v2 and cvss_v4 values.