From 3cc4fe19db199cc47f9f53f9127d41fb6e432390 Mon Sep 17 00:00:00 2001 From: Caro Galvin Date: Wed, 25 Sep 2024 09:44:58 -0400 Subject: [PATCH] Add docs for cvss 4.0 release (#52275) Co-authored-by: Felicity Chapman Co-authored-by: Anne-Marie <102995847+am-stead@users.noreply.github.com> Co-authored-by: Robert Thorpe II --- .../about-the-github-advisory-database.md | 4 +++- data/features/cvss-4.yml | 6 ++++++ 2 files changed, 9 insertions(+), 1 deletion(-) create mode 100644 data/features/cvss-4.yml diff --git a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md index 2b396347f8..8951e0bfe4 100644 --- a/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md +++ b/content/code-security/security-advisories/working-with-global-security-advisories-from-the-github-advisory-database/about-the-github-advisory-database.md 
@@ -91,6 +91,8 @@ You can validate a GHSA ID using a regular expression. ### About CVSS levels +{% ifversion cvss-4 %} The {% data variables.product.prodname_advisory_database %} supports both CVSS version 3.1 and CVSS version 4.0.{% endif %} + Each security advisory contains information about the vulnerability or malware, which may include the description, severity, affected package, package ecosystem, affected versions and patched versions, impact, and optional information such as references, workarounds, and credits. In addition, advisories from the National Vulnerability Database list contain a link to the CVE record, where you can read more details about the vulnerability, its CVSS scores, and its qualitative severity level. For more information, see the "[National Vulnerability Database](https://nvd.nist.gov/)" from the National Institute of Standards and Technology. The severity level is one of four possible levels defined in the "[Common Vulnerability Scoring System (CVSS), Section 5](https://www.first.org/cvss/specification-document)." 
@@ -99,7 +101,7 @@ The severity level is one of four possible levels defined in the "[Common Vulner * High * Critical -The {% data variables.product.prodname_advisory_database %} uses the CVSS levels described above. If {% data variables.product.company_short %} obtains a CVE, the {% data variables.product.prodname_advisory_database %} uses CVSS version 3.1. If the CVE is imported, the {% data variables.product.prodname_advisory_database %} supports both CVSS versions 3.0 and 3.1. +The {% data variables.product.prodname_advisory_database %} uses the CVSS levels described above. If {% data variables.product.company_short %} obtains a CVE, the {% data variables.product.prodname_advisory_database %} uses the CVSS version assigned by the maintainer, which can be version 3.1{% ifversion cvss-4 %} or 4.0{% endif %}. If the CVE is imported, the {% data variables.product.prodname_advisory_database %} supports CVSS versions {% ifversion cvss-4 %}4.0, {% endif %}3.1 and 3.0. {% data reusables.repositories.github-security-lab %} diff --git a/data/features/cvss-4.yml b/data/features/cvss-4.yml new file mode 100644 index 0000000000..4ed881f4b5 --- /dev/null +++ b/data/features/cvss-4.yml @@ -0,0 +1,6 @@ +# Reference: #3949 + +versions: + fpt: '*' + ghec: '*' + ghes: '> 3.15'
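Review bot: The new `{% ifversion cvss-4 %}` sentence at the top of "About CVSS levels" (first hunk of about-the-github-advisory-database.md) states that the database supports "both CVSS version 3.1 and CVSS version 4.0", while the rewritten paragraph in the second hunk says imported CVEs are also accepted at CVSS 3.0, so the same page will carry two different version lists. Suggest either listing 3.0 here as well (e.g. "supports CVSS versions 3.0, 3.1 and 4.0") or scoping this sentence to GitHub-curated advisories so it does not contradict the paragraph below.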
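Review bot: The replacement line in the second hunk changes documented behaviour, not just wording: "uses CVSS version 3.1" for GitHub-obtained CVEs becomes "uses the CVSS version assigned by the maintainer, which can be version 3.1 or 4.0", yet the commit message only says "Add docs for cvss 4.0 release". Suggest confirming in the PR description that GitHub-obtained CVEs now take the maintainer-assigned version (rather than GitHub always scoring with 3.1), and keeping the imported-CVE list in ascending order as before ("3.0 and 3.1" with 4.0 appended inside the conditional, using an `{% else %}` branch so the non-`cvss-4` rendering still reads "3.0 and 3.1") instead of the current "4.0, 3.1 and 3.0".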
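Review bot: In the new data/features/cvss-4.yml, `ghes: '> 3.15'` gates the `cvss-4` content to GHES releases strictly after 3.15, so the CVSS 4.0 sentences will not render on 3.15 itself; if 4.0 support ships in 3.15 this should be `'>= 3.15'`, otherwise a short comment naming the first GHES release that includes it would prevent the gate from being "fixed" later. The `# Reference: #3949` comment is also a bare number with no repository or tracker, while the commit references #52275; spell out where #3949 lives so a future reader can find the tracking issue.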