CVSS-Tampering: GitHub creates incorrect CVSS v4 scores

[AB-xdev]

IDs

Probably most recent CVEs in GitHub advisories database

Description

The problem

GitHub (Advisories) seems to create CVSS v4 scores for some advisories as I found out in github/advisory-database#5032 / github/advisory-database#5058.

There are some problem with that, here is a quick recap:

• This is only done for certain CVEs, not all
• The process how these CVSS v4 values are created is not transparent
  • There is no (public) documentation that this is done, how this is done and why it is done
  • Likely no communication with CVE creators / CVSSv4 values do not match CVE descriptions (usually only contains CVSS v3 score explanation)
• Created CVSS v4 are not marked as "computed from CVSSv3 by GitHub" or something similar anywhere
• Original CVSS score is not used for computing the severity

This process seems to result in incorrect scores (some values do not match at all) and incorrect severity values, thus resulting in False Postives and Negatives.

Spontaneously found examples:

CVE	CVSS v3 (original)	CVSS v4 created by GitHub (used in severity)	Note
CVE-2024-47535	5.5 moderate	7.0 High	Incorrect metrics: SC, SI
CVE-2024-53848	7.1 High	6.1 Moderate	Vulnerable System Impact Metrics seem to be missing
CVE-2024-52806	8.3 High	6.9 Medium	Vulnerable System Impact Metrics seem to be missing

Further asked questions by me have been evaded/dismissed so far.

The persons responsible for creating CVSS v4 scores also seem to have some trouble in doing so as their proposed values have been incorrect now for 2 times despite having clear points on what specific metrics are wrong.

Recommended actions

GitHub Advisories seems to see 0 problems with this behavior as can be seen in the comments, so I don't expect them changing their opinion any time soon without further external aspects.

I would therefore propose that you exclude the GitHub's advisory database for now or ignore CVSSv4 and severity and only use trustworthy alternatives like e.g. GitLab's database instead.

Scanner

Vulnerability

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[knqyf263]

I read through github/advisory-database#5032, and your comments make sense to me. However, other advisories also sometimes score unreasonable values. I think we have to discuss with the issuer for each advisory, although it's not ideal. GitHub might change their mind if many users complain about it.

Since removing the GHSA would have a major impact, it might be a good idea to provide an option to select the severity source, like --severity-src gitlab and allow each user to choose.

[AB-xdev]

Since removing the GHSA would have a major impact, it might be a good idea to provide an option to select the severity source, like --severity-src gitlab and allow each user to choose.

Very good idea +1