On Wed, Aug 09, 2017 at 02:16:54PM +0300, Noam Rathaus wrote:
> Package: security.debian.org
>
> Currently the Debian OVAL lack (critical) information from the files,
> specifically the severity setting of the patch.
>
> I wanted to ask if it would be possible for the XML files that the script
> you run will include the <severity> rating of the DSA advisory?
DSA advisories intentionally don't have a severity rating and we're not
planning to add one (since the severity depends strongly on local factors).
I don't feel comfortable pulling in external CVSS classifications that we
don't have any control over.
Cheers,
Moritz
