
Support Ignoring Results Without CVSS Scores and Configurable CVSS Threshold in config.toml #1400

Open
dpanic opened this issue Nov 16, 2024 · 3 comments
Labels
enhancement New feature or request

Comments


dpanic commented Nov 16, 2024

Description:

Currently, OSV-Scanner does not provide an option to filter vulnerabilities by their CVSS score directly in the configuration file (config.toml). This feature would greatly enhance usability by allowing users to focus on critical vulnerabilities and ignore those without CVSS scores or below a specified threshold.


Proposed Feature:

Add support in the osv-scanner.toml configuration file to:

  1. Ignore vulnerabilities without a CVSS score:
    • Allow a boolean flag (e.g., ignoreNoCVSS = true) to exclude results where no CVSS score is provided.
  2. Set a minimum CVSS score threshold:
    • Add an option like minCVSS = X.X to only display vulnerabilities with a CVSS score equal to or above the defined threshold.

Example Configuration:

# Ignore vulnerabilities without a CVSS score
ignoreNoCVSS = true

# Set minimum CVSS score threshold
minCVSS = 5.0

Expected Behavior:

  • When ignoreNoCVSS = true, all vulnerabilities without a CVSS score are excluded from the scan results.
  • When minCVSS is set, only vulnerabilities with a CVSS score >= the specified threshold are included in the output.

Benefits:

  • Reduces noise in scan results, enabling teams to focus on critical vulnerabilities.
  • Streamlines vulnerability management workflows by providing better customization options.

Let me know if you’d like further details or examples to assist in implementation. Thank you!
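As an added example that is not part of this issue or of osv-scanner: OSV advisories carry CVSS severity as a vector string rather than a number, so a minCVSS check first needs a base-score computation. The option names ignoreNoCVSS and minCVSS are the ones proposed above, not existing settings, and the sample vectors in the comments are constructed.

```python
from typing import Optional

# Metric weights from the CVSS v3.1 specification; PR is adjusted below when scope is changed.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "S": {"U": 0, "C": 1},
    "C": {"H": 0.56, "L": 0.22, "N": 0},
    "I": {"H": 0.56, "L": 0.22, "N": 0},
    "A": {"H": 0.56, "L": 0.22, "N": 0},
}
PR_CHANGED = {0.62: 0.68, 0.27: 0.5}  # PR:L and PR:H weights when S:C


def round_up(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, via integer math to avoid float drift."""
    i = round(x * 100000)
    return i / 100000 if i % 10000 == 0 else (i // 10000 + 1) / 10


def base_score(vector: Optional[str]) -> Optional[float]:
    """Base score for a CVSS:3.x vector such as "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H".

    Returns None when the vector is missing, malformed, or not v3 (v2/v4 vectors are not handled).
    """
    if not vector or not vector.startswith("CVSS:3."):
        return None
    w = {}
    for part in vector.split("/")[1:]:
        key, _, val = part.partition(":")
        if key in WEIGHTS and val in WEIGHTS[key]:
            w[key] = WEIGHTS[key][val]
    if len(w) != len(WEIGHTS):  # every base metric must be present
        return None
    changed = w["S"] == 1
    pr = PR_CHANGED.get(w["PR"], w["PR"]) if changed else w["PR"]
    iss = 1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    if impact <= 0:
        return 0.0
    exploitability = 8.22 * w["AV"] * w["AC"] * pr * w["UI"]
    total = 1.08 * (impact + exploitability) if changed else impact + exploitability
    return round_up(min(total, 10))


def keep(vector: Optional[str], ignore_no_cvss: bool, min_cvss: float) -> bool:
    """Apply the proposed ignoreNoCVSS / minCVSS options to one finding's severity vector."""
    score = base_score(vector)
    if score is None:  # no usable score, so the threshold cannot apply; drop only if asked to
        return not ignore_no_cvss
    return score >= min_cvss
```

A finding whose advisory has no CVSS entry at all behaves like a malformed vector here: it is dropped only when ignoreNoCVSS is set, since a numeric threshold cannot be applied to it.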

@cuixq cuixq added the enhancement New feature or request label Nov 18, 2024
@cuixq
Contributor

cuixq commented Nov 19, 2024

@G-Rath is this something that you can take a look at?

@G-Rath
Collaborator

G-Rath commented Nov 19, 2024

@cuixq tbh I wondered if this was something we wanted to support at all, given the known issues with the scoring system, but I guess it's probably useful so long as frameworks like SOC and ISO continue to use the scoring system as a factor in setting reaction times and whatnot 🤔

@cuixq
Contributor

cuixq commented Nov 20, 2024

@G-Rath Thanks for your insights! Sounds like this is not a thing we are going to work on soon.
