Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Ignoring Results Without CVSS Scores and Configurable CVSS Threshold in config.toml #1400

Closed
dpanic opened this issue Nov 16, 2024 · 5 comments
Closed

Support Ignoring Results Without CVSS Scores and Configurable CVSS Threshold in config.toml #1400

dpanic opened this issue Nov 16, 2024 · 5 comments
Labels
autoclosed Closed by automation enhancement New feature or request stale The issue or PR is stale and pending automated closure

Comments

@dpanic
Copy link

dpanic commented Nov 16, 2024

Description:

Currently, OSV-Scanner does not provide an option to filter vulnerabilities by their CVSS score directly in the configuration file (config.toml). This feature would greatly enhance usability by allowing users to focus on critical vulnerabilities and ignore those without CVSS scores or below a specified threshold.

Proposed Feature:

Add support in the osv-scanner.toml configuration file to:

  1. Ignore vulnerabilities without a CVSS score:

    • Allow a boolean flag (e.g., ignoreNoCVSS = true) to exclude results where no CVSS score is provided.

  2. Set a minimum CVSS score threshold:

    • Add an option like minCVSS = X.X to only display vulnerabilities with a CVSS score equal to or above the defined threshold.

Example Configuration:

# Ignore vulnerabilities without a CVSS score
ignoreNoCVSS = true

# Set minimum CVSS score threshold
minCVSS = 5.0

Expected Behavior:

  • When ignoreNoCVSS = true, all vulnerabilities without a CVSS score are excluded from the scan results.
  • When minCVSS is set, only vulnerabilities with a CVSS score >= the specified threshold are included in the output.

Benefits:

  • Reduces noise in scan results, enabling teams to focus on critical vulnerabilities.
  • Streamlines vulnerability management workflows by providing better customization options.

Let me know if you’d like further details or examples to assist in implementation. Thank you!
@cuixq cuixq added the enhancement New feature or request label Nov 18, 2024
@cuixq
Copy link
Contributor

cuixq commented Nov 19, 2024

@G-Rath is this something that you can take a look?

@G-Rath
Copy link
Collaborator

G-Rath commented Nov 19, 2024

@cuixq tbh I wondered if this was something we wanted to support at all, given the known issues with the scoring system, but I guess it's probably useful so long as frameworks like SOC and ISO continue to use the scoring system as a factor in setting reaction times and whatnot 🤔

@cuixq
Copy link
Contributor

cuixq commented Nov 20, 2024

@G-Rath Thanks for you insights! Sounds like this is not a thing we are going to work on soon.

@github-actions GitHub Actions
Copy link

This issue has not had any activity for 60 days and will be automatically closed in two weeks

See https://github.com/google/osv-scanner/blob/main/CONTRIBUTING.md for how to contribute a PR if you're interested in helping out.

@github-actions github-actions bot added the stale The issue or PR is stale and pending automated closure label Jan 19, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Feb 2, 2025

Automatically closing stale issue

@github-actions github-actions bot added the autoclosed Closed by automation label Feb 2, 2025
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Feb 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
autoclosed Closed by automation enhancement New feature or request stale The issue or PR is stale and pending automated closure
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dpanic @G-Rath @cuixq