On Aug/09, Moritz Muehlenhoff wrote:
> > I wanted to ask if it would be possible for the XML files that the
> > script you run will include the <severity> rating of the DSA
> > advisory?
> DSA advisories intentionally don't have a severity rating and we're
> not planning to add one (since the severity depends strongly on local
> I don't feel comfortable pulling in external CVSS classifications that
> we don't have any control over.
I've quickly looked into this, and it turns out RedHat does include a
severity in their OVAL definitions, but SuSE does not.
I agree that severity is most often highly dependent on local context,
and is therefore a metric that's difficult to come up with in the
general sense. However, since our OVAL definitions are basically per-CVE
entries, we could potentially tie the NVD NIST severity to each one.
I'm more worried about the implementation, though: as we don't store
this information ourselves anywhere, it would force us to scrape the NVD
NIST website for *all* CVEs affecting Debian, several times a day, which
hardly seems like a good idea.