This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject

A new Flexera Community experience is coming on November 25th. Click here for more information.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

cvss2 and cvss3 score are both non-blank

hamish
By
Level 4

I'm pulling advisories via the APi for a near real-time feed of information. And had implemented the decision between cvss2 and cvss3 scores as documented in the API docs. i.e. If cvss2 is blank, use cvss3.

 

However it would appear that there are multiple records in the feed where both the cvss2 and cvss3 scores are NOT blank. 

 

hamish_0-1583484786543.png

 

 

Case in point.  SA76954 with a cvss3 score of 0 and a cvss2 score of 7.6, then we have some the other way around. cvss2 scores of 0 and cvss3 scores 

 

I'm really hoping that despite the documented behaviour saying otherwise, the API doesn't equate a blank with a numerical 0, because that appears to equate to a rejection.. Is there a more reliable way? e.g. empty cvss_vector?

‎Mar 06, 2020 02:57 AM

0 Kudos
(2) Replies

bkelly
By
Flexera Alumni

Upon closer inspection, we will update the documentation. It should read, "If CVSS3 is blank or zero, use CVSS2.”

For Rejection Notices CVSS won’t get actively analyzed / assigned. But there might be occurrences where the CVSS represents some value due to back end quirks I won't bore you with. However, when dealing with Rejection Notices the Secunia Research CVSS should be completely ignored regardless of what it might have for a value. 

‎Mar 11, 2020 09:07 AM

0 Kudos

bkelly
By
Flexera Alumni

Also, if you are really just interested in the CVSS score, you can look to the value in the API data returned named cvss_score_ui instead 

‎Mar 12, 2020 09:12 AM

0 Kudos
Top Kudoed Authors
View all