
cvss2 and cvss3 score are both non-blank

I'm pulling advisories via the API for a near real-time feed of information, and had implemented the decision between cvss2 and cvss3 scores as documented in the API docs, i.e. if cvss2 is blank, use cvss3.


However it would appear that there are multiple records in the feed where both the cvss2 and cvss3 scores are NOT blank.

Case in point: SA76954 with a cvss3 score of 0 and a cvss2 score of 7.6, then we have some the other way around. cvss2 scores of 0 and cvss3 scores 


I'm really hoping that despite the documented behaviour saying otherwise, the API doesn't equate a blank with a numerical 0, because that appears to equate to a rejection. Is there a more reliable way? e.g. empty cvss_vector?

(2) Replies
Flexera Alumni

Upon closer inspection, we will update the documentation. It should read, "If CVSS3 is blank or zero, use CVSS2."

For Rejection Notices CVSS won’t get actively analyzed / assigned. But there might be occurrences where the CVSS represents some value due to back end quirks I won't bore you with. However, when dealing with Rejection Notices the Secunia Research CVSS should be completely ignored regardless of what it might have for a value. 

Flexera Alumni

Also, if you are really just interested in the CVSS score, you can look to the value in the API data returned named cvss_score_ui instead.
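The selection rule from the replies above ("If CVSS3 is blank or zero, use CVSS2", and ignore CVSS on Rejection Notices) can be applied on the consumer side as follows. This is an added example, not code from the thread or from the vendor. The dictionary keys `cvss2` and `cvss3` and the caller-supplied `is_rejection` flag are assumptions, since the thread does not show the raw API record or how a Rejection Notice is marked.

```python
from typing import Optional, Tuple


def usable_score(value) -> Optional[float]:
    """Return a score in (0, 10], or None for blank, zero or unparseable input."""
    if value is None:
        return None
    try:
        score = float(str(value).strip())
    except ValueError:
        # Covers "" and any non-numeric text.
        return None
    # Zero is treated like blank, per the corrected rule in the reply.
    # NaN and out-of-range values fail this comparison and are dropped too.
    return score if 0.0 < score <= 10.0 else None


def effective_cvss(record: dict, is_rejection: bool = False) -> Tuple[Optional[str], Optional[float]]:
    """Pick (version, score) for one advisory record.

    is_rejection is a hypothetical flag: the caller decides how a
    Rejection Notice is recognised, because the thread does not say.
    """
    if is_rejection:
        # CVSS on Rejection Notices is to be ignored whatever it contains.
        return (None, None)
    # Key names are assumed; CVSS3 takes precedence, CVSS2 is the fallback.
    for version, key in (("3", "cvss3"), ("2", "cvss2")):
        score = usable_score(record.get(key))
        if score is not None:
            return (version, score)
    return (None, None)


# Constructed sample records. The first mirrors the SA76954 values quoted
# in the question (cvss3 of 0, cvss2 of 7.6); the rest are made up.
SAMPLES = [
    ({"cvss3": "0", "cvss2": "7.6"}, False),
    ({"cvss3": 8.8, "cvss2": 0}, False),
    ({"cvss3": "", "cvss2": ""}, False),
    ({"cvss3": "9.8", "cvss2": "10.0"}, True),
]

if __name__ == "__main__":
    for record, rejected in SAMPLES:
        print(record, rejected, effective_cvss(record, rejected))
```

A `(None, None)` result means no score should be reported for the record, which keeps "unscored" distinct from a real low score in downstream prioritisation.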