fleet/server/vulnerabilities
Ian Littman 7a54a2de22
Include non-primary CVSS scores from NVD when a primary score doesn't exist for a given CVSS version (#29199)
Fixes #28261.

~~Of note, this logic will prefer a non-primary CVSSv3.1 score over a
primary CVSSv3.0 score if 3.1 doesn't have primary but 3.0 does. I
haven't seen any evidence of this in our dataset (looked at 2024
output).~~

Updated with logic that will prefer a primary CVSSv3.0 score over a
secondary CVSSv3.1 score for a given vulnerability. In the test dataset
(2023 vuln snapshot, ~20k vulns) there were no cases where this
situation presented itself, so output was identical to the prior
implementation.

Validated by comparing a vulns run from GitHub Actions to a local run
with the new code, and confirmed that existing v3 scores weren't
replaced when they already existed (just got adds of v2 when only v3
existed, and v2/v3 adds when no scoring existed).

Confirmed that all three CVEs mentioned in #28261 show up in feed data.
Added spot-checks for secondary CVSS scores to the feed validator tool.

# Checklist for submitter

If some of the following don't apply, delete the relevant line.

- [x] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [x] Input data is properly validated, `SELECT *` is avoided, SQL
injection is prevented (using placeholders for values in statements)
- [x] Manual QA for all new/changed functionality
2025-05-29 13:03:19 -05:00
customcve Add matching rules for Microsoft 365 for July and August 365 (#21410) 2024-08-20 11:35:44 -03:00
goval_dictionary validate generate-cve.yml outputs (#26752) 2025-03-12 14:49:47 -05:00
io Updating golangci-lint to 1.61.0 (#22973) 2024-10-18 12:38:26 -05:00
macoffice Add new archive URL as data source for Mac Office release notes (#26978) 2025-03-10 08:46:18 -05:00
msrc Dedupe MSRC downloads/deletes when enrolled hosts include multiple builds of the same version of Windows (#27060) 2025-03-12 13:22:56 -05:00
nvd Include non-primary CVSS scores from NVD when a primary score doesn't exist for a given CVSS version (#29199) 2025-05-29 13:03:19 -05:00
oval Add OVAL supported OS mappings for Ubuntu 24.10 and 25.04 (#29381) 2025-05-22 18:05:51 -05:00
testdata Handle flaky vulnerability tests (#11262) 2023-04-21 19:37:29 -04:00
utils Add gosimple linter (#23250) 2024-10-29 14:17:51 -05:00