- Issue created by @cilefen
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
+1
v4 is the current version - so e.g. https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator
I had a look at scoring a Drupal SA recently and it seems we'll have to get used to some new concepts if we're going to use v4 such as "Vulnerable System Impact" vs "Subsequent System Impact".
There are comprehensive docs:
https://www.first.org/cvss/user-guide#Assessment-Guide
I think perhaps we should aim to start doing a CVSS (v4) score in parallel to the existing system for a while, with the aim of switching over as soon as practical.
- 🇺🇸United States greggles Denver, Colorado, USA
An overlap seems fine, but I'd also be fine if we just did it as a "big bang migration" if that helps get it done faster.
- 🇺🇸United States cmlara
+1 on switching as well.
This would also help the CVE process, as it is preferred that CVEs be scored with CVSS (although they can be scored with a priority metric, it is just not preferred).
As well as documentation there is also an entry level training course https://learn.first.org/catalog/info/id:126,cms_featured_course:1
I was intending to circle back after the last contrib SA I worked on and post an example score:
SA-CONTRIB-2024-043: TFA: Session Fixation:
Under Drupal’s scoring system this scored Critical 15 ∕ 25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Cross scoring to CVSS:4.0 the score would be closer to Low: 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:D/RE:L/U:Clear
This is an extreme example, and I’ve seen some SAs become higher under CVSS; however, in all cases CVSS told a more complete story.
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Partly a note-to-self: the current risk calc system lives in the drupalorg project e.g.
https://git.drupalcode.org/project/drupalorg/-/blob/ab295c10770375254eef...
There would likely need to be changes in other places if we were to switch to a new system.
- 🇺🇸United States damienmckenna NH, USA
The CVSS 4.0 questions are extremely vague and confusing; it would be helpful to document each of the questions and provide recommendations on how to fill them in for common scenarios.
- 🇺🇸United States greggles Denver, Colorado, USA
One nice thing about broader standards is there's plenty of docs we don't have to write, e.g. https://www.first.org/cvss/v4-0/user-guide
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
The security team has discussed a plan that for a few weeks we publish a CVSSv4 score alongside the usual risk score in all SAs.
We can label this as experimental, and perhaps link back to this issue.
The idea of doing this for a relatively short period is to minimise the extra work of doing two risk scores in parallel, but give everyone a chance to try using CVSSv4 before we actually switch over.
Anecdotally, a lot of organisations are still using CVSSv3.1 because 4 introduces some good additional features but along with that comes increased complexity.
https://www.first.org/cvss/calculator/4-0
I'd suggest that we only complete the first section of the v4 calculator initially. That should give us a score that looks like:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS v4.0 Score: 7.1 / High
We could also provide a link to the calculator with the values pre-filled e.g.
https://www.first.org/cvss/calculator/4-0#CVSS:4.0/AV:N/AC:L/AT:N/PR:L/U...
Once we've done a couple of these in SAs we can put a template here for the markup.
- 🇺🇸United States greggles Denver, Colorado, USA
Drumm pointed out it would be nice to only have one kind of data in the field.
Can we automatically migrate old Drupal scores to CVSS in some way? Anyone interested in this feature could work on that and it would be very helpful.
- 🇺🇸United States cmlara
> I'd suggest that we only complete the first section of the v4 calculator initially.
You may want to consider the “Provider Urgency” value from the supplemental metrics, as it can be used by projects to signify “how much do we think you really need to worry about this”. An extra signifier for “yes, this is technically a vulnerability; the odds of it causing you a problem are almost nil, however we have to disclose it” (Clear) vs “this is the new Drupalgeddon, patch now” (Red).