MaibornWolff / SecObserve

SecObserve is an open source vulnerability management system for software development and cloud environments. It supports a variety of open source vulnerability scanners and integrates easily into CI/CD pipelines.
https://maibornwolff.github.io/SecObserve/
BSD 3-Clause "New" or "Revised" License

CVSS 4.0 #715

Open DanielRuf opened 11 months ago

DanielRuf commented 11 months ago

Tomorrow (1st of November), CVSS 4.0 will be published, according to the details at https://www.first.org/cvss/v4-0/

What needs to be done to support this?

StefanFl commented 11 months ago

Hi @DanielRuf, thanks for making me aware of this. I will have a look into it soon. The mechanics that are relevant for SecObserve seem not to have changed (0-10 and mapping to severities). Will have to update some scanners and rename the cvss fields.

DanielRuf commented 11 months ago

That sounds good.

I'm not sure if renaming fields makes sense. Normally I'm accustomed to having two versions shown in the CVE databases (if provided).

I didn't check SecObserve in detail yet, so not sure if currently v2 and v3 CVSS scores are used and supported per entry or if it is just v3.

CVSS v4 will lead to different results because of the environmental factor.

It will probably take some time until the CVE databases, CNAs and tools add (additional) support for CVSS v4 and they will still use CVSS v2 and v3 as fields.

Is it encouraged by SecObserve to use the latest available "stable" CVSS version?

StefanFl commented 11 months ago

I will wait until one of the SCA scanners (Trivy, Grype, dependency-check) implements support for CVSS 4. Then we will see how they put the information in their output and how to use it in SecObserve. Separate fields for v3 and v4 might be a good idea.