CVSS Information in CVE Descriptions


CVSS Information in CVE Descriptions

Waltermire, David A.
There has been a recent trend in adding CVSS scores and vectors to the CVE description. The following are some examples.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-2765
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8838

There are currently roughly 1293 entries in the NVD (https://nvd.nist.gov/vuln/search/results?form_type=Basic&results_type=overview&query=CVSS&queryType=phrase&search_type=all) that contain this information.

IMHO, this practice goes beyond what is intended to be included in a textual description and has started to appear in entries over the last year or so. The current guidance on descriptions is here: https://cve.mitre.org/about/faqs.html#cve_entry_descriptions_created.

Since this information can also appear in a dedicated field in CVE feeds, this seems to be duplicative in nature. This is not a widely used practice yet. Is this a practice that the board wants to encourage/discourage?

Regards,
Dave

David Waltermire
Information Technology Laboratory | Computer Security Division
National Institute of Standards and Technology
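The observation above, that CVSS vectors and scores are being written into free-text descriptions even though the feed has a dedicated CVSS field, is something a feed consumer can check for automatically. The following is an added example, not code from this thread or from MITRE/NVD: it pulls CVSS v2/v3 vector strings and quoted base scores out of description text with regular expressions and compares any v3 vector it finds against the record's dedicated field, flagging records where the description duplicates the field and records where the two disagree. The record layout (`id`, `description`, `cvss3_vector`) and the sample entries with placeholder IDs are constructed for the example; the regular expressions encode the way such text is commonly written, which is an assumption about the data, not a specification.

```python
"""Audit CVE-like records for CVSS data embedded in the description text.

Added example with a constructed record layout (id, description,
cvss3_vector); it is not the NVD feed schema and the sample IDs are placeholders.
"""
import re

# CVSS v3.x vector string: version prefix plus the eight base metrics.
CVSS3_VECTOR_RE = re.compile(
    r"CVSS:3\.[01]/AV:[NALP]/AC:[LH]/PR:[NLH]/UI:[NR]/S:[UC]"
    r"/C:[NLH]/I:[NLH]/A:[NLH]"
)
# CVSS v2 base vector, usually written in parentheses with no prefix.
CVSS2_VECTOR_RE = re.compile(
    r"AV:[LAN]/AC:[HML]/Au:[MSN]/C:[NPC]/I:[NPC]/A:[NPC]"
)
# A base score quoted in prose, e.g. "CVSS 3.0 Base Score 7.8" or "CVSS score of 5.0".
# Assumed phrasing; descriptions are free text and may use other wording.
CVSS_SCORE_RE = re.compile(
    r"CVSS(?:\s*v?\d(?:\.\d)?)?\s*(?:base\s*)?score(?:\s*of)?\s*:?\s*(\d{1,2}(?:\.\d)?)",
    re.IGNORECASE,
)


def extract_cvss_from_description(text):
    """Return the CVSS vectors and base scores embedded in a description."""
    return {
        "v3_vectors": CVSS3_VECTOR_RE.findall(text),
        "v2_vectors": CVSS2_VECTOR_RE.findall(text),
        "scores": [float(s) for s in CVSS_SCORE_RE.findall(text)],
    }


def audit_record(record):
    """Flag a record whose description carries CVSS data.

    Returns a list of (record id, finding, detail) tuples. A v3 vector in the
    text is compared with the dedicated 'cvss3_vector' field when present.
    """
    found = extract_cvss_from_description(record["description"])
    findings = []
    embedded = found["v3_vectors"] + found["v2_vectors"]
    if embedded or found["scores"]:
        findings.append((record["id"], "cvss_in_description",
                         {"vectors": embedded, "scores": found["scores"]}))
    dedicated = record.get("cvss3_vector")
    for vec in found["v3_vectors"]:
        if dedicated is None:
            findings.append((record["id"], "vector_only_in_description", vec))
        elif vec != dedicated:
            # Two sources of truth that disagree: the consumer must pick one.
            findings.append((record["id"], "vector_mismatch",
                             {"description": vec, "field": dedicated}))
    return findings


def audit_feed(records):
    """Run audit_record over every record and return all findings."""
    out = []
    for rec in records:
        out.extend(audit_record(rec))
    return out


# Constructed sample records with placeholder IDs; not real CVE entries.
SAMPLE_FEED = [
    {
        "id": "CVE-0000-0001",
        "description": (
            "Vulnerability in the example component allows a local attacker "
            "to compromise the component. CVSS 3.0 Base Score 7.8 (Confidentiality, "
            "Integrity and Availability impacts). CVSS Vector: "
            "(CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)."
        ),
        "cvss3_vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    },
    {
        "id": "CVE-0000-0002",
        "description": (
            "Stack-based buffer overflow in the example parser. "
            "CVSS v3 base score: 9.8. (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)"
        ),
        # Dedicated field disagrees with the text on Attack Complexity.
        "cvss3_vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    },
    {
        "id": "CVE-0000-0003",
        "description": "The example service does not validate the length of a header field.",
        "cvss3_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    },
]

if __name__ == "__main__":
    for finding in audit_feed(SAMPLE_FEED):
        print(finding)
```

Run against a real feed, the `cvss_in_description` count approximates the "entries that contain this information" figure from a keyword search, while `vector_mismatch` is the case that actually matters to a consumer: once the same fact lives in two places, a correction applied to one of them leaves the other stale.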




Re: CVSS Information in CVE Descriptions

Art Manion
On 5/16/18 1:18 PM, Art Manion wrote:

> On 2018-05-16 13:00, Waltermire, David A. (Fed) wrote:
>
>> Since this information can also appear in a dedicated field in CVE feeds, this seems to be duplicative in nature. This is not a widely used practice yet. Is this a practice that the board wants to encourage/discourage?
>
> CVSS scores, or ideally, just the vectors, should go in the appropriate CVSS field in the CVE format, and not in the description.  I am in favor of discouraging the practice.
>
> I'd rather work towards:
>
> 1. A more comprehensive, standard set of fields for a vulnerability (or vulnerability report), such as the NIST VDO.
>
> 2. A standard CVE record that complies with #1 but that only requires the carefully selected minimum fields to achieve CVE mission:  Vulnerability identification.  Severity, priority, CVSS or otherwise, are not needed for this mission and are extraneous and distracting.
>
> CVSS as an optional field in a CVE record is fine, and users can currently grab that information from JSON files in git.  Maybe MITRE CVE or NVD would choose to expose CVSS and other optional data from CVE records.
>
> There is clearly a user need for #1, and people are happy enough to just treat a CVE record as a more comprehensive vulnerability record.
>
> I'm reasonably happy to work on #2 before #1 and back-fit #1 if that is more practical.
>
>
>   - Art
>