On Aug/09, Moritz Muehlenhoff wrote:
> > I wanted to ask if it would be possible for the XML files that the
> > script you run will include the <severity> rating of the DSA
> > advisory?
>
> DSA advisories intentionally don't have a severity rating and we're
> not planning to add one (since the severity depends strongly on local
> factors).
>
> I don't feel comfortable pulling in external CVSS classifications that
> we don't have any control over.
I've quickly looked into this, and it turns out RedHat does include a severity in their OVAL definitions, but SuSE does not.

I agree that severity is most often highly dependent on local context, and is therefore a metric that's difficult to come up with in the general sense. However, since our OVAL definitions are basically per-CVE entries, we could potentially tie the NVD NIST severity to each one.

I'm more worried about the implementation, though: as we don't store this information ourselves anywhere, it would force us to scrape the NVD NIST website for *all* CVEs affecting Debian, several times a day, which hardly seems like a good idea.

Cheers,
--Seb