Import CWE and CVSS info from GHA #80

elanzini · 2021-06-08T07:00:51Z

GitHub Advisory also provides CWE and CVSS information for some vulnerabilities.
It is unclear whether this information is also always found on NVD.
To make sure we capture every bit of information, we can add this to the importing in the GHParser.java class.

The updated query would be:

query {
  securityAdvisories(first: 100) {
    nodes {
      description
      identifiers {
        type
        value
      }
      severity
      references {
        url
      }
      cvss {
        score
        vectorString
      }
      cwes(first: 10) {
        nodes {
          cweId
        }
      }
      vulnerabilities(first: 10) {
        nodes {
          package {
            ecosystem
            name
          }
          vulnerableVersionRange
          firstPatchedVersion {
            identifier
          }
        }
      }
    }
    pageInfo {
      endCursor
      hasNextPage
    }
  }
}

Note: CVSS info is provided using version 3

The text was updated successfully, but these errors were encountered:

elanzini added enhancement New feature or request advisories All issues concerning new advisories labels Jun 8, 2021

elanzini self-assigned this Jun 8, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Import CWE and CVSS info from GHA #80

Import CWE and CVSS info from GHA #80

elanzini commented Jun 8, 2021

Import CWE and CVSS info from GHA #80

Import CWE and CVSS info from GHA #80

Comments

elanzini commented Jun 8, 2021