- Issue created by @cilefen
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
+1
v4 is the current version - so e.g. https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator
I had a look at scoring a Drupal SA recently and it seems we'll have to get used to some new concepts if we're going to use v4 such as "Vulnerable System Impact" vs "Subsequent System Impact".
There are comprehensive docs:
https://www.first.org/cvss/user-guide#Assessment-Guide
I think perhaps we should aim to start doing a CVSS (v4) score in parallel to the existing system for a while, with the aim of switching over as soon as practical.
- 🇺🇸United States greggles Denver, Colorado, USA
An overlap seems fine, but I'd also be fine if we just did it as a "big bang migration" if that helps get it done faster.
- 🇺🇸United States cmlara
+1 on switching as well.
This would also help the CVE process as it is preferred that CVEs be scored with CVSS (although they can be scored with a priority metric it is just not preferred).
As well as documentation there is also an entry level training course https://learn.first.org/catalog/info/id:126,cms_featured_course:1
I was intending to circle back after the last contrib SA I worked on and post an example score:
SA-CONTRIB-2024-043: TFA: Session Fixation:
Under Drupal's scoring system this scored Critical 15∕25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Cross scoring to CVSS:4.0 the score would be closer to Low: 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:D/RE:L/U:Clear
This is an extreme example, and I've seen some SAs become higher under the CVSS, however in all cases CVSS told a more complete story.