Add comments about CVSS score to severity mapping

Co-authored-by: Mark Feldhousen <[email protected]>
cisagov · May 16, 2022 · ea1a9dc · ea1a9dc
1 parent 79d29f5
commit ea1a9dc
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 0 deletions.
diff --git a/cyhy/db/database.py b/cyhy/db/database.py
@@ -1583,6 +1583,19 @@ def get_indices(self):
     def save(self, *args, **kwargs):
         # Calculate severity from cvss on save
         # Source: https://nvd.nist.gov/vuln-metrics/cvss
+        #
+        # Notes:
+        # - The CVSS score to severity mapping is not continuous (e.g. a
+        #   score of 8.95 is undefined according to their table).  However,
+        #   the CVSS equation documentation
+        #   (https://www.first.org/cvss/specification-document#CVSS-v3-1-Equations)
+        #   specifies that all CVSS scores are rounded up to the nearest tenth
+        #   of a point, so our severity mapping below is valid.
+        # - CVSSv3 specifies that a score of 0.0 has a severity of "None", but
+        #   we have chosen to map 0.0 to severity 1 ("Low") because CyHy code
+        #   has historically assumed severities between 1 and 4 (inclusive).
+        #   Since we have not seen CVSSv3 scores lower than 3.1, this will
+        #   hopefully never be an issue.
         cvss = self["cvss_score"]
         if self["cvss_version"] == "2.0":
             if cvss == 10:

diff --git a/cyhy/db/ticket_manager.py b/cyhy/db/ticket_manager.py
@@ -125,6 +125,19 @@ def __generate_ticket_details(self, vuln, ticket, check_for_changes=True):
         if new_details["score_source"] != "nvd":
             cvss = new_details["cvss_base_score"]
             # Source: https://nvd.nist.gov/vuln-metrics/cvss
+            #
+            # Notes:
+            # - The CVSS score to severity mapping is not continuous (e.g. a
+            #   score of 8.95 is undefined according to their table).
+            #   However, the CVSS equation documentation
+            #   (https://www.first.org/cvss/specification-document#CVSS-v3-1-Equations)
+            #   specifies that all CVSS scores are rounded up to the nearest
+            #   tenth of a point, so our severity mapping below is valid.
+            # - CVSSv3 specifies that a score of 0.0 has a severity of "None",
+            #   but we have chosen to map 0.0 to severity 1 ("Low") because
+            #   CyHy code has historically assumed severities between 1 and 4
+            #   (inclusive).  Since we have not seen CVSSv3 scores lower than
+            #   3.1, this will hopefully never be an issue.
             if new_details["cvss_version"] == "2":
                 if cvss == 10:
                     new_details["severity"] = 4