
Conversation

@calumgrant (Contributor)

Run using latest changes to the CWE tooling (https://github.com/github/cwe-scores).

The change is that the score is based on the CVE "Base Score" instead of its "Impact score".

The result of this is that the scores map better to the UI concept of (Low/Medium/High/Critical).

@calumgrant (Contributor, Author)

The distribution of the scores is as follows:

Language     Low  Medium  High  Critical
All            9     144   332       138
C#             1      22    64        24
C++            2      13    83        33
Golang         0      13    22        10
Java           0      60    95        46
JavaScript     6      37    56        26
Python         0      12    34         9

(Golang is in a separate repo and is not included in this PR).

@calumgrant calumgrant marked this pull request as ready for review June 15, 2021 14:14
@calumgrant calumgrant requested review from a team as code owners June 15, 2021 14:14
@calumgrant calumgrant added the no-change-note-required This PR does not need a change note label Jun 15, 2021
@aschackmull (Contributor) left a comment:

From a quick look through, this looks like an improvement.

@MathiasVP (Contributor) left a comment:

These scores reflect my expectations much better 👍! Like @rdmarsh2, I'm curious about why some of the scores are slightly lowered by this change, though.
(It's not a big deal since none of the drops cause a query to change to a lower category.)

@RasmusWL (Member) left a comment:

👍 For python

@sj (Collaborator) commented Jun 16, 2021:

Thanks @calumgrant! Is it possible to easily generate an overview like this for us to do an extra sanity check:

security-severity \ severity   recommendation   warning   error
low                                         1         2       3
medium                                      4         5       6
high                                        7         8       9
critical                                   10        11      12

This will allow us to check how many things we previously gave a high severity (i.e., error) actually end up having a low security-severity.

(cc @AlonaHlobina)
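As an added example (not the cwe-scores tooling and not code from this PR): a small Python script that reads the QLDoc header of .ql files, buckets each @security-severity into the Low/Medium/High/Critical bands the PR description refers to, produces the security-severity by problem.severity cross-tabulation sj asks for above, and lists the exact mismatch that table is meant to surface (queries shown as error whose security-severity is only low). Assumptions not stated on the page: the band thresholds are the CVSS v3.x qualitative scale (Low below 4.0, Medium 4.0 to 6.9, High 7.0 to 8.9, Critical 9.0 and up), the tags are read from the standard `@problem.severity` / `@security-severity` QLDoc lines, and the sample query headers and scores are constructed, not real CodeQL queries.

```python
import re
from collections import Counter

# Assumption: the Code Scanning UI buckets @security-severity on the CVSS v3.x
# qualitative scale; each entry is (band, inclusive lower bound).
BANDS = (("low", 0.0), ("medium", 4.0), ("high", 7.0), ("critical", 9.0))
SEVERITIES = ("recommendation", "warning", "error")  # @problem.severity values
HEADER = "security-severity \\ severity"


def band(score: float) -> str:
    """Map a 0.0-10.0 security-severity to low/medium/high/critical."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"security-severity out of range: {score}")
    label = "low"
    for name, lower in BANDS:
        if score >= lower:
            label = name
    return label


# "@problem.severity error" or "@security-severity 7.8" on a QLDoc line.
TAG_RE = re.compile(r"^\s*\*\s*@(problem\.severity|security-severity)\s+(\S+)", re.M)


def parse_metadata(ql_source: str) -> dict:
    """Pull the two tags of interest out of a .ql file's QLDoc header."""
    return dict(TAG_RE.findall(ql_source))


def crosstab(queries: dict) -> Counter:
    """Count queries per (security band, problem.severity); queries with no
    @security-severity get their own row so they are not silently dropped."""
    counts = Counter()
    for source in queries.values():
        meta = parse_metadata(source)
        raw = meta.get("security-severity")
        row = band(float(raw)) if raw is not None else "unscored"
        counts[(row, meta.get("problem.severity", "unknown"))] += 1
    return counts


def distribution(queries: dict) -> Counter:
    """Per-band totals, the shape of the Low/Medium/High/Critical table above."""
    totals = Counter()
    for (row, _sev), n in crosstab(queries).items():
        totals[row] += n
    return totals


def severity_downgrades(queries: dict) -> list:
    """Queries the UI shows as 'error' but whose security-severity is low:
    exactly the cases the cross-tabulation is meant to surface."""
    hits = []
    for name, source in queries.items():
        meta = parse_metadata(source)
        raw = meta.get("security-severity")
        if meta.get("problem.severity") == "error" and raw and band(float(raw)) == "low":
            hits.append(name)
    return sorted(hits)


def render(counts: Counter) -> str:
    """Lay the crosstab out as a plain-text table."""
    rows = [name for name, _ in BANDS] + ["unscored"]
    width = max(len(r) for r in rows + [HEADER])
    lines = [HEADER.ljust(width) + "".join(s.rjust(16) for s in SEVERITIES)]
    for row in rows:
        cells = "".join(str(counts[(row, s)]).rjust(16) for s in SEVERITIES)
        lines.append(row.ljust(width) + cells)
    return "\n".join(lines)


# Constructed sample headers (not real CodeQL queries or scores).
SAMPLE_QUERIES = {
    "example/reflected-xss.ql": """/**
 * @name Reflected XSS (constructed example)
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @tags security
 *       external/cwe/cwe-079
 */""",
    "example/sql-injection.ql": """/**
 * @name SQL injection (constructed example)
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.8
 */""",
    "example/weak-hash.ql": """/**
 * @name Weak hash algorithm (constructed example)
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.8
 */""",
    "example/log-injection.ql": """/**
 * @name Log injection (constructed example)
 * @kind path-problem
 * @problem.severity error
 * @security-severity 3.3
 */""",
    "example/unused-variable.ql": """/**
 * @name Unused variable (constructed example, no security score)
 * @kind problem
 * @problem.severity recommendation
 */""",
}

if __name__ == "__main__":
    print(render(crosstab(SAMPLE_QUERIES)))
    print("error but low security-severity:", severity_downgrades(SAMPLE_QUERIES))
```

To run it against a real checkout, build the `queries` dict from `Path(".").rglob("*.ql")` and each file's `read_text()`; queries with no @security-severity tag land in an extra "unscored" row rather than vanishing from the totals, and `severity_downgrades` gives the names behind the low/error cell of the table.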

@calumgrant calumgrant merged commit 32f6a46 into main Jun 18, 2021
@calumgrant calumgrant deleted the calumgrant/security-severities branch June 18, 2021 08:40