CVSS score incorrect #32

fkamming · 2019-11-04T12:04:51Z

The HTML report uses metadata.exploitability value as CVSS score. While I can't find any documentation on the exact meaning of this value, I don't think it is supposed to reflect a CVSS score.

For example npm mongodb vulnerability has a metadata.exploitability value of 3. While the actual CVSS score is 7.5. Our npm audit html report shows several other examples where the CVSS score in the report is completely different from the actual CVSS score.

I propose to label it 'Exploitability:' instead of 'CVSS' in the npm audit html report. Or otherwise completely remove it.

nprail · 2019-11-04T18:18:19Z

@fkamming Interesting, you are right. metadata.exploitability doesn't seem to actually be the CVSS score like I thought. Which makes me curious as to what it represents. I will relabel it to "Exploitability" for now.

nprail · 2019-11-10T20:00:26Z

🎉 This issue has been resolved in version 1.4.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

nprail self-assigned this Nov 4, 2019

nprail added the bug Something isn't working label Nov 4, 2019

nikhilgeo mentioned this issue Nov 8, 2019

Report summary, hide/unhide, rename CVSS #33

Closed

nprail closed this as completed in 2ccb296 Nov 10, 2019

nprail added the released label Nov 10, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVSS score incorrect #32

CVSS score incorrect #32

fkamming commented Nov 4, 2019

nprail commented Nov 4, 2019

nprail commented Nov 10, 2019

CVSS score incorrect #32

CVSS score incorrect #32

Comments

fkamming commented Nov 4, 2019

nprail commented Nov 4, 2019

nprail commented Nov 10, 2019