
Mismatch between JSON file and OSV GHSA HTML page #3004

Open
ItayHacmon opened this issue Dec 22, 2024 · 1 comment

@ItayHacmon

Describe the bug

There are many CVE severity mismatches between the OSV JSON doc and the OSV GHSA HTML page.

For example, CVE-2019-12243:

JSON -
https://api.osv.dev/v1/vulns/GHSA-6g5f-f5pm-mjrg
"severity":"HIGH"
"cvss":9.3

OSV -
https://osv.dev/vulnerability/GHSA-6g5f-f5pm-mjrg
"severity":"Critical"
"cvss":9.3

Github -
GHSA-6g5f-f5pm-mjrg
"severity":"High"
"cvss":8.9

  • The severity within the OSV HTML page is Critical while the JSON displays HIGH.
  • Both originate from OSV.
  • There are 112 more examples.

Please advise.

To Reproduce
Steps to reproduce the behaviour:

  1. Go to GHSA-6g5f-f5pm-mjrg JSON
  2. Scroll down to "database_specific" and fetch severity (HIGH)
  3. Go to https://osv.dev/vulnerability/GHSA-6g5f-f5pm-mjrg
  4. Notice the severity has a different value (Critical)

Expected behaviour
Both severities will be the same level.

Screenshots

List of all Go CVEs that have the same issue:
['CVE-2024-23448', 'CVE-2024-8676', 'CVE-2024-22393', 'CVE-2024-22278', 'CVE-2024-22032', 'CVE-2024-8572', 'CVE-2019-12243', 'CVE-2020-2023', 'CVE-2020-5415', 'CVE-2021-27358', 'CVE-2021-28484', 'CVE-2022-43760', 'CVE-2024-8986', 'CVE-2022-45157', 'CVE-2014-9357', 'CVE-2022-39201', 'CVE-2022-39306', 'CVE-2024-48057', 'CVE-2022-39307', 'GO-2024-3112', 'GO-2024-3059', 'GO-2022-0398', 'CVE-2022-35957', 'CVE-2022-3328', 'CVE-2024-7558', 'CVE-2024-47616', 'CVE-2024-47182', 'CVE-2024-47062', 'CVE-2024-47060', 'CVE-2024-46989', 'CVE-2024-45496', 'CVE-2024-45410', 'CVE-2024-45401', 'CVE-2023-34758', 'CVE-2024-45310', 'CVE-2024-45258', 'CVE-2024-45054', 'CVE-2024-45040', 'CVE-2024-43405', 'CVE-2024-42497', 'CVE-2024-42490', 'CVE-2024-42480', 'CVE-2017-18367', 'CVE-2024-41926', 'CVE-2024-41820', 'CVE-2024-41264', 'CVE-2024-41255', 'CVE-2024-41144', 'CVE-2024-41122', 'CVE-2022-46156', 'CVE-2024-40884', 'CVE-2024-39909', 'CVE-2024-39837', 'CVE-2024-39777', 'CVE-2022-31123', 'CVE-2022-31097', 'CVE-2024-39274', 'CVE-2024-38361', 'CVE-2024-38359', 'CVE-2024-8038', 'CVE-2023-46738', 'CVE-2023-46739', 'CVE-2023-46740', 'CVE-2024-36814', 'CVE-2024-36621', 'CVE-2024-36536', 'CVE-2024-36492', 'CVE-2022-29946', 'CVE-2023-32196', 'CVE-2024-52010', 'CVE-2023-30625', 'CVE-2023-30464', 'CVE-2024-7387', 'CVE-2019-19023', 'CVE-2024-33522', 'CVE-2024-32868', 'CVE-2024-9355', 'CVE-2024-31450', 'CVE-2024-3056', 'CVE-2024-29977', 'CVE-2024-29892', 'CVE-2024-29069', 'CVE-2024-9312', 'CVE-2024-27304', 'CVE-2024-6535', 'CVE-2024-6508', 'CVE-2022-26652', 'CVE-2021-21404', 'CVE-2021-21291', 'CVE-2024-8996', 'CVE-2024-8975', 'CVE-2024-5321', 'CVE-2020-12458', 'CVE-2020-12459', 'CVE-2020-13788', 'CVE-2020-14040', 'CVE-2021-42576', 'CVE-2023-28452', 'CVE-2020-8567', 'CVE-2020-7956', 'CVE-2024-10006', 'CVE-2023-37469', 'CVE-2024-10975', 'CVE-2024-1313', 'CVE-2024-1402', 'CVE-2024-1442', 'CVE-2024-1485', 'CVE-2024-24786', 'CVE-2024-1887', 'CVE-2024-8462', 'CVE-2024-24774', 'CVE-2024-2447', 
'CVE-2024-23647']

@G-Rath
Collaborator

G-Rath commented Dec 22, 2024

The database_specific property is an object that can have arbitrary fields, as it's for databases (in particular, those aggregating other databases) to put whatever extra info they like for whatever reason and use.

The fact that GitHub specifies a field named severity whose values look very similar to CVE severities is a "coincidence" - it's not there for all databases, and there's no guarantee about how it's qualified, unlike the official severity field, which is where osv.dev gets its "9.3 Critical" score from.
