Skip to content

fix: don't fail deserializing the document if CVSS can't be parsed#1

Open
dejanb wants to merge 1 commit intoscm-rs:mainfrom
dejanb:cvss-parsing-1
Open

fix: don't fail deserializing the document if CVSS can't be parsed#1
dejanb wants to merge 1 commit intoscm-rs:mainfrom
dejanb:cvss-parsing-1

Conversation

@dejanb
Copy link

@dejanb dejanb commented Jul 25, 2025

Currently the deserialization of the document fails if CVSS v3 can't be parsed. This can happen if the CVSS vector string is malformed or parsing library can't properly handle the value (like temporal scores for CVSS v3).
Instead of failing, we should store the original vector string and the score, so that the user can get the original values and handle them as needed. This will also allow us to to have the original CVSS vector strings in the output for versions currently not supported by the CVSS library and enable future support for CVSS v4 in CSAF more easily.

@dejanb
fix: don't fail deserializing the document if CVSS can't be parsed
c16a88e 
Currently the deserialization of the document fails if CVSS v3 can't be parsed. This can
happen if the CVSS vector string is malformed or parsing library can't properly handle the value
(like temporal scores for CVSS v3).
Instead of failing, we should store the original vector string and the score, so that the user can
get the original values and handle them as needed. This will also allow us to to have the
original CVSS vector strings in the output for versions currently not supported by the CVSS library
and enable future support for CVSS v4 in CSAF more easily.
@dejanb dejanb requested a review from ctron July 25, 2025 15:35
@ctron
Copy link

ctron commented Jul 28, 2025

I somehow doubt that a change like that would ever go into upstream. Which means that having that patch and using that logic, we'd forever need to maintain our own fork. I don't think that's wise.

Instead of taking a shortcut like this, we should go and actually implement what is missing.

@dejanb
Copy link
Author

dejanb commented Jul 28, 2025

I don't think it's a shortcut, the v2 is already returning just a raw value and all other libraries we are using (cve and osv) let the score handling to the client as well. For example, for our use case, I would like to have original vector string from the document, which would currently be impossible without deserialize/serialize everything (which would not guarantee that we would get the original value for all use cases).

The uplstream of this library seems to be abandoned project, so the maintenance is on us . Should we move this scm-rs. I suppose the goal would be to use (https://github.com/csaf-rs/csaf/) when it gets ready.

I was thinking to go back to cvss_v2 and cvss_v3 fields instead of the vector, as that is more natural and change the API less.

If a change like this is too much, I would see to at least make the client library can recover from this error gracefully and get the original score(s) in the error that it can handle on its own. It will take a bit more time for the cvss library to be able to support all versions properly, so this issue will come up regularly.

@ctron
Copy link

ctron commented Jul 28, 2025

I agree that we should take ownership (or fork) that library. And I think it's ok to just define this as a String. And let some other part deal with this.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ctron ctron Awaiting requested review from ctron

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dejanb @ctron