Do not set attack_complexity and user_interaction from cvss 4 data (#202

) * Do not set attack_complexity and user_interaction from cvss 4 data Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com> --------- Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
AppThreat · Dec 19, 2024 · 147392b · 147392b
1 parent 35f9e88
commit 147392b
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "6.2.2"
+version = "6.2.3"
 description = "AppThreat's vulnerability database and package search library with a built-in sqlite based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},

diff --git a/vdb/lib/osv.py b/vdb/lib/osv.py
@@ -208,7 +208,8 @@ def to_vuln(cve_data):
                 severity = cvss4_obj.get("baseSeverity")
                 exploitability_score = score
                 attack_complexity = cvss4_obj.get("attackComplexity")
-                user_interaction = cvss4_obj.get("userInteraction")
+                # CVSS 3.1 only supports NONE or REQUIRED for userInteraction
+                user_interaction = "REQUIRED" if cvss4_obj.get("userInteraction", "") != "NONE" else "NONE"
             if vector_string:
                 cvss3_obj = get_cvss3_from_vector(vector_string)
                 # Fallback to CVSS 3.1 only if CVSS 4 is absent