Currently, OSV-Scanner does not provide an option to filter vulnerabilities by their CVSS score directly in the configuration file (config.toml). This feature would greatly enhance usability by allowing users to focus on critical vulnerabilities and ignore those without CVSS scores or below a specified threshold.
Proposed Feature:
Add support in the osv-scanner.toml configuration file to:
Ignore vulnerabilities without a CVSS score:
Allow a boolean flag (e.g., ignoreNoCVSS = true) to exclude results where no CVSS score is provided.
Set a minimum CVSS score threshold:
Add an option like minCVSS = X.X to only display vulnerabilities with a CVSS score equal to or above the defined threshold.
Example Configuration:
```toml
# Ignore vulnerabilities without a CVSS score
ignoreNoCVSS = true
# Set minimum CVSS score threshold
minCVSS = 5.0
```
Expected Behavior:
When ignoreNoCVSS = true, all vulnerabilities without a CVSS score are excluded from the scan results.
When minCVSS is set, only vulnerabilities with a CVSS score >= the specified threshold are included in the output.
Benefits:
Reduces noise in scan results, enabling teams to focus on critical vulnerabilities.
Streamlines vulnerability management workflows by providing better customization options.
Let me know if you’d like further details or examples to assist in implementation. Thank you!
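As an added illustration (not OSV-Scanner's own code), the filter below applies the proposed `ignoreNoCVSS` / `minCVSS` semantics to one vulnerability. OSV advisories carry CVSS v3 vector strings in their `severity` entries rather than numeric scores, so the filter first computes the base score from the vector; `BaseScore` and `Keep` are assumed names for this example, and a vector that cannot be scored is treated as "no CVSS score".

```go
package main

import (
	"math"
	"strings"
)
// CVSS v3.1 base-metric weights keyed "METRIC:VALUE"; the "PRC:" entries are the
// Privileges Required weights that apply when Scope is Changed.
var w = map[string]float64{
	"AV:N": 0.85, "AV:A": 0.62, "AV:L": 0.55, "AV:P": 0.2, "AC:L": 0.77, "AC:H": 0.44,
	"PR:N": 0.85, "PR:L": 0.62, "PR:H": 0.27, "PRC:N": 0.85, "PRC:L": 0.68, "PRC:H": 0.5,
	"UI:N": 0.85, "UI:R": 0.62, "S:U": 0, "S:C": 1, "C:H": 0.56, "C:L": 0.22, "C:N": 0,
	"I:H": 0.56, "I:L": 0.22, "I:N": 0, "A:H": 0.56, "A:L": 0.22, "A:N": 0,
}
// roundUp is the specification's Roundup(): the smallest one-decimal value >= x.
func roundUp(x float64) float64 {
	i := math.Round(x * 100000)
	if math.Mod(i, 10000) == 0 { return i / 100000 }
	return (math.Floor(i/10000) + 1) / 10
}
// BaseScore computes the CVSS v3.x base score of a vector such as "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H";
// ok is false if the prefix is wrong or any of the eight base metrics is missing or has an unknown value.
func BaseScore(vector string) (score float64, ok bool) {
	m := map[string]string{} // metric name -> "METRIC:VALUE"
	for _, p := range strings.Split(vector, "/")[1:] {
		if _, known := w[p]; known && !strings.HasPrefix(p, "PRC:") {
			m[p[:strings.IndexByte(p, ':')]] = p
		}
	}
	if !strings.HasPrefix(vector, "CVSS:3.") || len(m) != 8 { return 0, false }
	changed := m["S"] == "S:C"
	pr := w[m["PR"]]
	if changed { pr = w["PRC:"+m["PR"][3:]] }
	iss := 1 - (1-w[m["C"]])*(1-w[m["I"]])*(1-w[m["A"]])
	impact := 6.42 * iss
	if changed { impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15) }
	if impact <= 0 { return 0, true }
	expl := 8.22 * w[m["AV"]] * w[m["AC"]] * pr * w[m["UI"]]
	if changed { return roundUp(math.Min(1.08*(impact+expl), 10)), true }
	return roundUp(math.Min(impact+expl, 10)), true
}
// Keep applies the proposed config semantics to one vulnerability, given the vectors of its OSV "CVSS_V3"
// severity entries: no scoreable vector means keep unless ignoreNoCVSS; otherwise the score must be >= minCVSS.
func Keep(vectors []string, ignoreNoCVSS bool, minCVSS float64) bool {
	for _, v := range vectors {
		if score, ok := BaseScore(v); ok { return score >= minCVSS }
	}
	return !ignoreNoCVSS
}
```

With `ignoreNoCVSS = true` and `minCVSS = 5.0` from the example configuration, a 9.8 vector is kept, a 5.4 vector is kept, and an advisory with no (or an unparseable) CVSS v3 vector is dropped.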
@cuixq tbh I wondered if this was something we wanted to support at all, given the known issues with the scoring system, but I guess it's probably useful so long as frameworks like SOC and ISO continue to use the scoring system as a factor in setting reaction times and whatnot 🤔