Currently the Debian OVAL lack (critical) information from the files,
specifically the severity setting of the patch.
I wanted to ask if it would be possible for the XML files that the script
you run will include the <severity> rating of the DSA advisory?
The DSA advisory itself doesn't include the severity but the CVE do, so
scraping the information from the NIST site would allow you to know what is
the severity ( by taking each CVE's CVSSv3 score and seeing which number is
If you agree to this, and need help getting this to work, I can lend a hand
- I can provide code on how to "harvest" the NVD NIST site for the
information, or take the information from NDV NIST's XML files (which they
PGP Key ID: 2D24B275B1EB4475 (Exp 2018-03)