Hi, Thank you for the feedback. The following justifications, derived from official CVSS guidance and NVD standards, clarify why selecting the maximum score is the appropriate approach.
The National Vulnerability Database (NVD) often provides multiple scores for a single CVE. These are categorized as "Primary" (NVD’s own analysis) and "Secondary" (provided by vendors or other organizations). Because different sources may interpret the vulnerability’s impact differently based on product-specific contexts or information availability, these scores frequently diverge.

According to official documentation from FIRST (Forum of Incident Response and Security Teams), the governing body for CVSS, the "reasonable worst-case" assessment is the standard when multiple valid scores exist:

1. CVSS v4.0 User Guide: The guidance explicitly states: "In situations where multiple CVSS-B scores are applicable but only one is provided, the highest CVSS-B score must be utilized."

2. CVSS SIG (Special Interest Group): Historical guidance from the CVSS SIG recommends generating a score for each potential exploitation path and "assigning the vulnerability the highest of these scores."

3. Risk Assessment Principle: While CVSS v3.1 and v4.0 emphasize that the Base Score represents intrinsic characteristics, the standard practice for automated scanners and reporting tools is to report the highest severity to ensure that users are alerted to the maximum potential risk before they apply their own environmental or temporal filters.

By iterating through all sources and selecting the maximum score, we ensure that the cve-check system does not inadvertently report a lower score that might mask the actual severity of the vulnerability.

References:
[1] https://www.first.org/cvss/v4.0/user-guide
[2] https://www.first.org/cvss/v2/minutes/cvss-meeting-minutes-06202006.pdf
[3] https://www.first.org/cvss/v3.1/user-guide

Regards.
________________________________
From: [email protected] <[email protected]> on behalf of Paul Barker <[email protected]>
Sent: Wednesday, January 21, 2026 8:16 PM
To: Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) <[email protected]>; [email protected] <[email protected]>
Cc: xe-linux-external(mailer list) <[email protected]>
Subject: Re: [OE-core] [PATCH v2] cve-update-nvd2-native: Use maximum CVSS score from all sources

On Wed, 2026-01-21 at 02:08 -0800, Het Patel via lists.openembedded.org wrote:
> From: Het Patel <[email protected]>
>
> The CVE check system was incorrectly reporting lower CVSS scores when
> multiple scoring sources were available in the NVD database. This
> occurred because the code only extracted the first element from the
> CVSSv2, CVSSv3, and CVSSv4 metrics arrays, which could be a Secondary
> source with a lower score instead of the Primary source with the
> actual severity score.
>
> This fix iterates through all available sources and takes the maximum
> CVSS score to ensure the highest severity is reported.
>
> Fixes [YOCTO #15931]
>
> Signed-off-by: Het Patel <[email protected]>

Het,

Thanks for the patch!

Why is the highest CVSS score the correct one to take? I think the commit message needs updating to answer this or point us to a relevant reference.

Best regards,

--
Paul Barker
View/Reply Online (#229833): https://lists.openembedded.org/g/openembedded-core/message/229833
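An added worked example (my own illustration, not the patch itself and not the cve-update-nvd2-native recipe code) of the two extraction strategies the commit message contrasts, run over a constructed NVD API 2.0 style record. It assumes the NVD 2.0 JSON layout of per-version metric arrays (`cvssMetricV2`, `cvssMetricV30`, `cvssMetricV31`, `cvssMetricV40`) whose entries each carry `source`, `type` and `cvssData.baseScore`; the record, the CVE id and the source names are made up, and the record deliberately lists a lower-scoring Secondary entry before the Primary one so that a "take element [0]" extraction under-reports.

```python
import json

# Constructed NVD API 2.0 style record (not real NVD data). The first CVSS v3.1
# entry is a Secondary source scoring 5.3; the Primary entry after it scores
# 9.8. Taking element [0] therefore reports MEDIUM for a CRITICAL finding.
SAMPLE_NVD_RECORD = json.loads("""
{
  "cve": {
    "id": "CVE-0000-0000",
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "vendor@example.com",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM"
          }
        },
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL"
          }
        }
      ],
      "cvssMetricV2": [
        {
          "source": "nvd@nist.gov",
          "type": "Primary",
          "cvssData": {
            "version": "2.0",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "baseScore": 7.5
          },
          "baseSeverity": "HIGH"
        }
      ]
    }
  }
}
""")

# Assumed NVD 2.0 array names, grouped by the CVSS major version they carry.
# v3.0 and v3.1 entries live in separate arrays but both feed the "cvssv3" column.
METRIC_KEYS = {
    "cvssv2": ("cvssMetricV2",),
    "cvssv3": ("cvssMetricV30", "cvssMetricV31"),
    "cvssv4": ("cvssMetricV40",),
}


def first_source_score(record, version):
    """Pre-patch behaviour: element [0] of the first matching array, nothing else."""
    metrics = record.get("cve", {}).get("metrics", {})
    for key in METRIC_KEYS[version]:
        entries = metrics.get(key) or []
        if entries:
            try:
                return float(entries[0]["cvssData"]["baseScore"])
            except (KeyError, TypeError, ValueError):
                return 0.0
    return 0.0


def max_source_entry(record, version):
    """Scan every source in every array for this CVSS major version and return
    (baseScore, source, type) of the highest-scoring entry, or (0.0, None, None)
    when no usable score is present."""
    metrics = record.get("cve", {}).get("metrics", {})
    best = (0.0, None, None)
    for key in METRIC_KEYS[version]:
        for entry in metrics.get(key) or []:
            try:
                score = float(entry["cvssData"]["baseScore"])
            except (KeyError, TypeError, ValueError):
                continue  # malformed entry: skip it, keep scanning the others
            if score > best[0]:
                best = (score, entry.get("source"), entry.get("type"))
    return best


def max_source_score(record, version):
    """The iterate-and-take-max approach the patch description proposes."""
    return max_source_entry(record, version)[0]


def all_scores(record):
    """One number per CVSS major version, as a cve-check style row would carry."""
    return {version: max_source_score(record, version) for version in METRIC_KEYS}


if __name__ == "__main__":
    for version in METRIC_KEYS:
        print(version, "first:", first_source_score(SAMPLE_NVD_RECORD, version),
              "max:", max_source_entry(SAMPLE_NVD_RECORD, version))
```

`first_source_score` models the behaviour the commit message calls faulty; `max_source_entry` keeps the winning source and type alongside the score so a report can say which scorer produced the number, and it skips a malformed entry rather than zeroing out the whole record, which matters when a feed occasionally ships an entry without `cvssData`.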
