I'm pulling advisories via the API for a near real-time feed of information, and had implemented the decision between cvss2 and cvss3 scores as documented in the API docs, i.e. if cvss2 is blank, use cvss3.
However it would appear that there are multiple records in the feed where both the cvss2 and cvss3 scores are NOT blank.
Case in point: SA76954 with a cvss3 score of 0 and a cvss2 score of 7.6, then we have some the other way around. cvss2 scores of 0 and cvss3 scores
I'm really hoping that despite the documented behaviour saying otherwise, the API doesn't equate a blank with a numerical 0, because that appears to equate to a rejection. Is there a more reliable way? e.g. empty cvss_vector?
Mar 06, 2020 02:57 AM
Upon closer inspection, we will update the documentation. It should read, "If CVSS3 is blank or zero, use CVSS2."
For Rejection Notices CVSS won’t get actively analyzed / assigned. But there might be occurrences where the CVSS represents some value due to back end quirks I won't bore you with. However, when dealing with Rejection Notices the Secunia Research CVSS should be completely ignored regardless of what it might have for a value.
Mar 11, 2020 09:07 AM
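The selection rule from the reply above, written out as an added example (not code from the thread or from the vendor). The record keys `cvss2` and `cvss3` are assumed field names, and `is_rejection` is a hypothetical flag the caller sets, since the thread does not say how a Rejection Notice is marked in the feed.

```python
import math


def _score(value):
    """Return a usable score as float, or None for blank, zero or junk."""
    try:
        score = float(str(value).strip())
    except ValueError:
        return None  # None, "", "N/A" and similar all count as blank
    # CVSS base scores lie in (0, 10]; zero is treated as "not assigned".
    if not math.isfinite(score) or score <= 0 or score > 10:
        return None
    return score


def select_cvss(record, is_rejection=False):
    """Return (version, score) following 'if CVSS3 is blank or zero, use CVSS2'.

    For a Rejection Notice both values are ignored, whatever they contain.
    Returns (None, None) when no score should be used.
    """
    if is_rejection:
        return (None, None)
    for version, key in (("3", "cvss3"), ("2", "cvss2")):  # assumed key names
        score = _score(record.get(key))
        if score is not None:
            return (version, score)
    return (None, None)


# Constructed sample records; only the SA76954 values come from the thread.
SAMPLES = [
    ({"id": "SA76954", "cvss3": 0, "cvss2": 7.6}, False),
    ({"id": "SA-EXAMPLE-1", "cvss3": "9.8", "cvss2": "0"}, False),
    ({"id": "SA-EXAMPLE-2", "cvss3": "", "cvss2": None}, False),
    ({"id": "SA-EXAMPLE-3", "cvss3": 5.3, "cvss2": 4.0}, True),
]

if __name__ == "__main__":
    for rec, rejected in SAMPLES:
        print(rec["id"], select_cvss(rec, is_rejection=rejected))
```
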