CVEProject / cve-schema

This repository is used for the development of the CVE JSON record format. Releases of the CVE JSON record format will also be published here. This repository is managed by the CVE Quality Working Group.


Retire CVSS 2.0 & 3.0 in Schema 5.0.1

jgamblin opened this issue · comments

With the addition of CVSS 4.0 to the new schema, can the ability to submit new CVSS 2.0 and 3.0 scores to CVE records be removed?

They are archived on the first CVSS site, and the ability to score new CVEs with that scoring methodology likely leads to a poor user experience.

Retiring these in the schema would mean scrubbing that data from all past records. I'm sure we don't want to do that, right? Also, CVSS 4.0 is not even GA yet and I'm guessing adopting 4.0 will take a couple years for all vendors.

Why would removing the ability to submit new CVSS 2.0 scores mean that CVEs are already submitted need to be removed?

If you submit an update for an older CVE but the schema doesn't allow for specifying a 2.0 score, it would essentially wipe out that information from that CVE, no?

If you are updating an older CVE, wouldn't other changes have to be made to the CVE to make it compliant with the new schema?

Will there ever be a way to retire older data points from the schema?

As a point of morbid curiosity, I looked, and CVE-2023-0687 is the only CVE that has had a CVSS 2.0 score assigned in the last year.

I do not think it would be right to remove support for the older CVSS scores in the CVE record for reasons @mprpic mentioned.
As a best practice, CNAs must be discouraged from using scoring systems considered obsolete.
It should not be a requirement to remove or upconvert pre-existing scores, or provide a newer one.

We will discuss this during a QWG call.

If you are updating an older CVE, wouldn't other changes have to be made to the CVE to make it compliant with the new schema?

Not for minor or micro version schema updates. 99.2% of existing 5.0 records will validate against 5.1.0. The ones that don't have typos or extra data which wasn't meant to be there in the first place. As of last week: https://cveproject.github.io/quality-workgroup/report-5.1.0/

If you are updating an older CVE, wouldn't other changes have to be made to the CVE to make it compliant with the new schema?

That's what the whole upconvert from 4.0 to 5.0 effort was about :-) Minor version schema changes shouldn't require any changes as Chandan noted.
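An added example (Python, not code from the cve-schema project or from any participant in this thread) that illustrates the two points argued above: an additive minor schema change leaves existing records valid, whereas retiring a metric key means an update to a record carrying that key either fails validation or has to silently drop the score. The allowed-key sets in `METRIC_KEYS`, the functions `validate_metrics`, `compatibility_report` and `strip_disallowed`, and the `NON_SCORE_KEYS` set are all assumptions made for illustration; the key names mirror the `cvssV2_0`/`cvssV3_1`/`cvssV4_0` layout of the real schema's `containers.cna.metrics[]` entries but are not the project's schema definition, and the CVE IDs are constructed placeholders.

```python
"""Toy compatibility check for CVE-style records when a metric key is retired.

Added example, not the cve-schema project's code. The allowed-key sets and
the record layout below are assumptions for illustration only.
"""
from __future__ import annotations

import copy

# Assumed allowed metric keys per schema version (illustrative, not the real schema).
METRIC_KEYS = {
    "5.0.0": {"cvssV2_0", "cvssV3_0", "cvssV3_1"},
    "5.1.0": {"cvssV2_0", "cvssV3_0", "cvssV3_1", "cvssV4_0"},  # additive minor change
    "retire-old": {"cvssV4_0"},  # hypothetical proposal from the issue: 2.0/3.x removed
}

# Assumed non-score sibling keys inside a metrics entry.
NON_SCORE_KEYS = {"format", "scenarios"}


def validate_metrics(record: dict, schema_version: str) -> list[str]:
    """Return validation errors for the record's metrics under the given schema version."""
    allowed = METRIC_KEYS[schema_version]
    errors: list[str] = []
    metrics = record.get("containers", {}).get("cna", {}).get("metrics", [])
    for i, entry in enumerate(metrics):
        score_keys = set(entry) - NON_SCORE_KEYS
        for key in sorted(score_keys - allowed):
            errors.append(f"metrics[{i}]: property '{key}' is not allowed by schema {schema_version}")
    return errors


def compatibility_report(records: list[dict], schema_version: str) -> dict:
    """Summarise how many records validate, in the spirit of the QWG compatibility report."""
    failures: dict[str, list[str]] = {}
    for rec in records:
        errs = validate_metrics(rec, schema_version)
        if errs:
            failures[rec["cveMetadata"]["cveId"]] = errs
    total = len(records)
    valid = total - len(failures)
    return {
        "total": total,
        "valid": valid,
        "percent_valid": round(100 * valid / total, 1),
        "failures": failures,
    }


def strip_disallowed(record: dict, schema_version: str) -> tuple[dict, list[str]]:
    """Return (updated_record, dropped_properties).

    Models what an updater would have to do to make an update validate under a
    schema that no longer accepts a metric key: the dropped list is exactly the
    score data that would be lost from the record.
    """
    allowed = METRIC_KEYS[schema_version]
    updated = copy.deepcopy(record)
    dropped: list[str] = []
    metrics = updated.get("containers", {}).get("cna", {}).get("metrics", [])
    kept = []
    for i, entry in enumerate(metrics):
        for key in sorted(set(entry) - allowed - NON_SCORE_KEYS):
            dropped.append(f"metrics[{i}].{key}")
            del entry[key]
        if set(entry) - NON_SCORE_KEYS:  # keep the entry only if a score survives
            kept.append(entry)
    if metrics:
        updated["containers"]["cna"]["metrics"] = kept
    return updated, dropped


def _record(cve_id: str, *metric_entries: dict) -> dict:
    """Build a minimal constructed record in the assumed layout."""
    return {"cveMetadata": {"cveId": cve_id}, "containers": {"cna": {"metrics": list(metric_entries)}}}


# Constructed sample records; IDs are placeholders, not real CVEs.
RECORDS = [
    _record("CVE-0000-0001", {"format": "CVSS", "cvssV2_0": {"version": "2.0", "baseScore": 5.0}}),
    _record("CVE-0000-0002", {"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5}}),
    _record("CVE-0000-0003", {"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 8.7}}),
    _record("CVE-0000-0004", {"format": "CVSS", "cvssV31": {"version": "3.1", "baseScore": 7.5}}),  # typo key
]


if __name__ == "__main__":
    for version in METRIC_KEYS:
        rep = compatibility_report(RECORDS, version)
        print(f"schema {version}: {rep['valid']}/{rep['total']} valid ({rep['percent_valid']}%)")
        for cve_id, errs in rep["failures"].items():
            print("   ", cve_id, "->", "; ".join(errs))
    _, lost = strip_disallowed(RECORDS[0], "retire-old")
    print("updating CVE-0000-0001 under 'retire-old' would drop:", lost)
```

Run as a script it prints one line per schema version; the record with the typo key fails under every version (the "typos or extra data" case), the record with a 4.0 score fails only under the pre-4.0 schema, and under the hypothetical "retire-old" schema the only way to make the 2.0-scored record validate again is to drop its score entirely.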