Workaround npm bug with inconsistent severity and score

Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
AppThreat · Nov 10, 2024 · b93b538 · b93b538
1 parent cfee766
commit b93b538
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "appthreat-vulnerability-db"
-version = "5.8.0"
+version = "5.8.1"
 description = "AppThreat's vulnerability database and package search library with a built-in file based storage. OSV, CVE, GitHub, npm are the primary sources of vulnerabilities."
 authors = [
     {name = "Team AppThreat", email = "cloud@appthreat.com"},

diff --git a/vdb/lib/npm.py b/vdb/lib/npm.py
@@ -24,6 +24,7 @@
     convert_md_references,
     convert_to_occurrence,
     fix_text,
+    get_cvss3_from_vector,
     get_default_cve_data,
     serialize_vuln_list,
 )
@@ -213,6 +214,11 @@ def to_vuln(self, v, ret_data):
                     score = cvss.get("score")
                 if cvss.get("vectorString"):
                     vectorString = cvss.get("vectorString")
+                    # For some CVEs such as CVE-2024-47875, severity and score are not aligned
+                    # By utilising the vector string, we make them consistent
+                    cvss3_obj = get_cvss3_from_vector(vectorString)
+                    score = cvss3_obj.get("baseScore")
+                    severity = cvss3_obj.get("baseSeverity")
             exploitabilityScore = score
             metadata = v.get("metadata", {})
             if isinstance(metadata, dict) and metadata.get("exploitability"):