- Issue created by @cilefen
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
+1
v4 is the current version - so e.g. https://nvd.nist.gov/vuln-metrics/cvss/v4-calculator
I had a look at scoring a Drupal SA recently and it seems we'll have to get used to some new concepts if we're going to use v4 such as "Vulnerable System Impact" vs "Subsequent System Impact".
There are comprehensive docs:
https://www.first.org/cvss/user-guide#Assessment-Guide
I think perhaps we should aim to start doing a CVSS (v4) score in parallel to the existing system for a while, with the aim of switching over as soon as practical.
- 🇺🇸United States greggles Denver, Colorado, USA
An overlap seems fine, but I'd also be fine if we just did it as a "big bang migration" if that helps get it done faster.
- 🇺🇸United States cmlara
+1 on switching as well.
This would also help the CVE process as it is preferred CVEs be scored with CVSS (although they can be scored with a priority metric it is just not preferred).
As well as documentation there is also an entry level training course https://learn.first.org/catalog/info/id:126,cms_featured_course:1
I was intending to circle back after the last contrib SA I worked on and post an example score:
SA-CONTRIB-2024-043: TFA: Session Fixation:
Under Drupal's scoring system this scored Critical 15/25 AC:Complex/A:None/CI:Some/II:Some/E:Theoretical/TD:All
Cross scoring to CVSS:4.0 the score would be closer to Low: 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/AU:N/R:U/V:D/RE:L/U:Clear
This is an extreme example, and I've seen some SAs become higher under CVSS; however, in all cases CVSS told a more complete story.
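The CVSS:4.0 vector quoted above, run through an added vector-string validator (example code written for this thread, not part of drupalorg or of FIRST's calculator; metric keys, allowed values and ordering follow the CVSS v4.0 specification, and score computation is deliberately not implemented):

```python
# Metric keys and allowed values, in the order the CVSS v4.0 specification
# requires them in a vector string: Base (11), Threat (1), Environmental (14),
# Supplemental (6). Values are taken from the published spec, not invented.
METRICS = [
    ("AV", "N A L P"), ("AC", "L H"), ("AT", "N P"), ("PR", "N L H"), ("UI", "N P A"),
    ("VC", "H L N"), ("VI", "H L N"), ("VA", "H L N"),
    ("SC", "H L N"), ("SI", "H L N"), ("SA", "H L N"),
    ("E", "X A P U"),
    ("CR", "X H M L"), ("IR", "X H M L"), ("AR", "X H M L"),
    ("MAV", "X N A L P"), ("MAC", "X L H"), ("MAT", "X N P"), ("MPR", "X N L H"), ("MUI", "X N P A"),
    ("MVC", "X H L N"), ("MVI", "X H L N"), ("MVA", "X H L N"),
    ("MSC", "X H L N"), ("MSI", "X S H L N"), ("MSA", "X S H L N"),
    ("S", "X N P"), ("AU", "X N Y"), ("R", "X A U I"), ("V", "X D C"), ("RE", "X L M H"),
    ("U", "X Clear Green Amber Red"),
]
ORDER = [k for k, _ in METRICS]
ALLOWED = {k: v.split() for k, v in METRICS}
BASE, THREAT, ENV, SUPP = ORDER[:11], ORDER[11:12], ORDER[12:26], ORDER[26:]

def parse_cvss4(vector):
    """Validate a CVSS:4.0 vector string and return its metrics as a dict.
    Raises ValueError on a bad prefix, unknown metric, illegal value,
    duplicated or out-of-order metric, or a missing Base metric."""
    parts = vector.strip().split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("vector must start with CVSS:4.0")
    metrics, last = {}, -1
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or key not in ALLOWED:
            raise ValueError(f"unknown metric {part!r}")
        if value not in ALLOWED[key]:
            raise ValueError(f"illegal value {value!r} for {key}")
        pos = ORDER.index(key)
        if pos <= last:  # spec fixes the order; repeats are rejected too
            raise ValueError(f"metric {key} is duplicated or out of order")
        metrics[key], last = value, pos
    missing = [k for k in BASE if k not in metrics]
    if missing:
        raise ValueError(f"missing Base metrics: {', '.join(missing)}")
    return metrics

def nomenclature(metrics):
    """Return the spec's label for the groups present: CVSS-B, CVSS-BT,
    CVSS-BE or CVSS-BTE. A metric left at X counts as absent, and
    Supplemental metrics never change the label."""
    has_t = any(metrics.get(k, "X") != "X" for k in THREAT)
    has_e = any(metrics.get(k, "X") != "X" for k in ENV)
    return "CVSS-B" + ("T" if has_t else "") + ("E" if has_e else "")
```

Run on the SA-CONTRIB-2024-043 vector it returns the 16 supplied metrics and the label CVSS-B, since the vector carries Base and Supplemental metrics but no Threat or Environmental ones.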
- 🇬🇧United Kingdom mcdruid 🇬🇧🇪🇺
Partly a note-to-self: the current risk calc system lives in the drupalorg project e.g.
https://git.drupalcode.org/project/drupalorg/-/blob/ab295c10770375254eef...
There would likely need to be changes in other places if we were to switch to a new system.