Suse scores importer should support version 4

[nnobelis]

Given a sample Suse score https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml:

CVE-2024-35255:
  cvss:
    - version: 3.1
      score: 5.5
      vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    - version: 4
      score: 6.8
      vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

The version 4 cvss is not imported because the importer does not support version 4:

vulnerablecode/vulnerabilities/importers/suse_scores.py

Lines 34 to 38 in ed17dbd

	systems_by_version = {
	"2.0": severity_systems.CVSSV2,
	"3": severity_systems.CVSSV3,
	"3.1": severity_systems.CVSSV31,
	}

Additional questions:

Our VulnerableCode instance contains some weird values for this source:

1. Can the cvssv2 and cvssv3 be old values from previous imports ?
2. Why the cvsv3.1 has a score of 0 ?
3. We noticed the public instance does not list suse.com as a source. Should we disable this importer ?
   https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255

[keshav-space]

The version 4 cvss is not imported because the importer does not support version 4:

@ziadhany has recently added support for CVSSv4 #1473, and we need to make sure we collect them in each importers.

1. Can the cvssv2 and cvssv3 be old values from previous imports ?

Suse doesn't have CVSSv2 and CVSSv3 scores for CVE-2024-35255. This could be coming from other importer(s). Can you confirm this in the History tab in your local VCIO instance?

2. Why the cvsv3.1 has a score of 0 ?

This looks like a bug, either in the data or in the importer itself. We would need the history to confirm it.

3. We noticed the public instance does not list suse.com as a source. Should we disable this importer ?
https://public.vulnerablecode.io/vulnerabilities/VCID-p3vk-v2au-aaaa?search=CVE-2024-35255

We do run the suse_scores importer in our public.vulnerablecode.io instance, but we haven't run our importers in the last few weeks since we were fixing some data quality bugs. That's why we don't see the Suse scores for CVE-2024-35255 which is fairly recent (we're running the importers now, so we should get the Suse scores in the coming days).

[nnobelis]

Suse doesn't have CVSSv2 and CVSSv3 scores for CVE-2024-35255. This could be coming from other importer(s). Can you confirm this in the History tab in your local VCIO instance?

This looks like a bug, either in the data or in the importer itself. We would need the history to confirm it.

Unfortunately, the history tab of the CVE-2024-35255 is empty in our VulnerableCode instance 😞

[keshav-space]

Unfortunately, the history tab of the CVE-2024-35255 is empty in our VulnerableCode instance 😞

This doesn't feel right. Can you share which version/commit of VulnerableCode you're running locally?

[nnobelis]

Hmm I checked again today and the "0" is gone, but the cvssv2 and cvssv3 scores are still here.

We are using version v34.0.0rc4.

[keshav-space]

We started our importers yesterday, and today we do have a suse score for CVE-2024-35255 in our public VCIO instance. The CVSSv3.1 corresponds to what is provided in https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml.

[nnobelis]

You get the entries for cvssv2 and cvssv3 too ! Any idea why ?

[keshav-space]

You get the entries for cvsv2 and vcsv3 too ! Any idea why ?

@nnobelis Thanks for reporting this. It took some time to reproduce the issue, and after much digging it turns out this is a bug.

The bug is in how we handle the VulnerabilityReference. Each VulnerabilityReference has a URL that is set to be unique. The hierarchical relationship is Vulnerability → VulnerabilityReference → VulnerabilitySeverity. To store a severity for vulnerability, we create a VulnerabilityReference (using the source URL of score) and then create a VulnerabilitySeverity (with severity details and ForeignKey relationship to VulnerabilityReference created earlier). Since the URL field is set to unique, things get complicated in the case of SUSE as all the scores come from the same URL i.e. "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml." This results in a single SUSE VulnerabilityReference linked to all vulnerabilities, which leads to a same set SUSE severity score for all vulnerabilities.

See the SUSE scores CVE-2023-33204 and CVE-2024-35255 they are identical.

[nnobelis]

Great find, thanks for looking into this !