Description
During implementation of #1086 the question arose whether we want to check (as an information test only) for discrepancies between severity ratings from different sources.
For example, a CSAF document could exist with:
```json
"metrics": [
  {
    "content": {
      "cvss_v3": {
        "version": "3.1",
        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "baseScore": 10,
        "baseSeverity": "CRITICAL"
      }
    },
    "products": [
      "CSAFPID-9080700"
    ],
    "source": "https://vendor-a.example/.well-known/csaf/clear/2024/vendor-a-2024-0001.json"
  },
  {
    "content": {
      "qualitative_severity_rating": "none"
    },
    "products": [
      "CSAFPID-9080700"
    ],
    "source": "https://vendor-b.example/.well-known/csaf/clear/2024/vendor-b-2024-0001.json"
  }
]
```

especially if CSAFPID-9080700 is an upstream product.
Another example:
```json
"metrics": [
  {
    "content": {
      "cvss_v4": {
        "version": "4.0",
        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "baseScore": 10,
        "baseSeverity": "CRITICAL"
      }
    },
    "products": [
      "CSAFPID-9080700"
    ],
    "source": "https://a-researcher-for.example"
  },
  {
    "content": {
      "cvss_v4": {
        "version": "4.0",
        "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N",
        "baseScore": 4.9,
        "baseSeverity": "MEDIUM"
      }
    },
    "products": [
      "CSAFPID-9080700"
    ],
    "source": "https://the-vendor-for.example"
  }
]
```
Should we inform the user / consumer about that? It might uncover a mistake or show a different understanding of the vulnerability...
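One way such an informative check could look, as an added example that is not part of this issue or of the validator project's code: the function below walks `vulnerabilities[].metrics[]`, maps each entry's severity word (CVSS v3/v4 `baseSeverity` or a `qualitative_severity_rating`) onto one ordinal scale, groups entries by product ID, and reports every product whose ratings disagree by at least `minSpread` levels (default 1). The function and option names, the severity ranking, and the sample document (built from the two fragments above plus a single-source control case) are assumptions made for this illustration.

```javascript
// Added example, not code from the issue or the validator library.
// Field names (vulnerabilities[].metrics[].content / products / source) follow
// the fragments in the issue text; everything else here is an assumption.

// One ordinal scale for the severity words used by CVSS v3/v4 baseSeverity and
// by qualitative ratings, so "CRITICAL" and "none" can be compared.
const SEVERITY_RANK = { none: 0, low: 1, medium: 2, high: 3, critical: 4 };

// Pull a comparable severity out of one metrics `content` object.
// Prefers CVSS v4, then v3, then a qualitative rating; null if none is present.
function severityOf(content) {
  if (!content || typeof content !== 'object') return null;
  for (const key of ['cvss_v4', 'cvss_v3']) {
    const s = content[key] && content[key].baseSeverity;
    if (typeof s === 'string') return { scale: key, label: s.toLowerCase() };
  }
  if (typeof content.qualitative_severity_rating === 'string') {
    return { scale: 'qualitative_severity_rating', label: content.qualitative_severity_rating.toLowerCase() };
  }
  return null;
}

// Report, per vulnerability and per product, metrics entries whose severity
// levels differ by at least `minSpread` steps on SEVERITY_RANK.
function findSeverityDiscrepancies(doc, { minSpread = 1 } = {}) {
  const findings = [];
  const vulns = Array.isArray(doc && doc.vulnerabilities) ? doc.vulnerabilities : [];
  vulns.forEach((vuln, vIdx) => {
    const metrics = Array.isArray(vuln.metrics) ? vuln.metrics : [];
    const byProduct = new Map(); // product id -> [{ metricIndex, source, scale, label }]
    metrics.forEach((metric, mIdx) => {
      const sev = severityOf(metric.content);
      if (!sev || !(sev.label in SEVERITY_RANK)) return; // unknown or missing label: nothing to compare
      for (const pid of Array.isArray(metric.products) ? metric.products : []) {
        if (!byProduct.has(pid)) byProduct.set(pid, []);
        byProduct.get(pid).push({ metricIndex: mIdx, source: metric.source, ...sev });
      }
    });
    for (const [pid, entries] of byProduct) {
      const ranks = entries.map((e) => SEVERITY_RANK[e.label]);
      const spread = Math.max(...ranks) - Math.min(...ranks);
      if (entries.length < 2 || spread < minSpread) continue;
      const lowest = entries[ranks.indexOf(Math.min(...ranks))];
      const highest = entries[ranks.indexOf(Math.max(...ranks))];
      findings.push({
        instancePath: `/vulnerabilities/${vIdx}/metrics`,
        product: pid,
        spread,
        ratings: entries.map((e) => ({ metricIndex: e.metricIndex, source: e.source, scale: e.scale, severity: e.label })),
        message: `${pid}: severity rated "${lowest.label}" by ${lowest.source} but "${highest.label}" by ${highest.source}`,
      });
    }
  });
  return findings;
}

// Constructed sample: the two fragments from the issue, plus a single-source
// vulnerability that must not produce a finding.
const SAMPLE_DOC = {
  vulnerabilities: [
    { metrics: [
      { content: { cvss_v3: { version: '3.1', vectorString: 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H', baseScore: 10, baseSeverity: 'CRITICAL' } },
        products: ['CSAFPID-9080700'], source: 'https://vendor-a.example/.well-known/csaf/clear/2024/vendor-a-2024-0001.json' },
      { content: { qualitative_severity_rating: 'none' },
        products: ['CSAFPID-9080700'], source: 'https://vendor-b.example/.well-known/csaf/clear/2024/vendor-b-2024-0001.json' },
    ] },
    { metrics: [
      { content: { cvss_v4: { version: '4.0', vectorString: 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H', baseScore: 10, baseSeverity: 'CRITICAL' } },
        products: ['CSAFPID-9080700'], source: 'https://a-researcher-for.example' },
      { content: { cvss_v4: { version: '4.0', vectorString: 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:N/SA:N', baseScore: 4.9, baseSeverity: 'MEDIUM' } },
        products: ['CSAFPID-9080700'], source: 'https://the-vendor-for.example' },
    ] },
    { metrics: [
      { content: { cvss_v3: { version: '3.1', vectorString: 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N', baseScore: 3.3, baseSeverity: 'LOW' } },
        products: ['CSAFPID-0001'], source: 'https://vendor-c.example' },
    ] },
  ],
};

for (const f of findSeverityDiscrepancies(SAMPLE_DOC)) {
  console.log(`${f.instancePath} (spread ${f.spread}): ${f.message}`);
}
```

Raising `minSpread` to 2 or 3 filters out neighbouring-level disagreements (e.g. HIGH vs CRITICAL, which often just reflect different scoring assumptions) and keeps only the cases the issue is concerned with, such as CRITICAL against "none". Entries with a severity word outside the ranking table are skipped rather than flagged, so a test for valid enum values would have to live elsewhere.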