Workaround npm bug with inconsistent severity and score

Signed-off-by: Prabhu Subramanian <[email protected]>
AppThreat · Nov 10, 2024 · eec0a2b · eec0a2b
1 parent 357d762
commit eec0a2b
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/vdb/lib/npm.py b/vdb/lib/npm.py
@@ -211,6 +211,10 @@ def to_vuln(self, v, ret_data):
                     if vector_string:
                         cvss3_obj = get_cvss3_from_vector(vector_string)
                         if cvss3_obj:
+                            # For some CVEs such as CVE-2024-47875, severity and score are not aligned
+                            # By utilising the vector string, we make them consistent
+                            score = cvss3_obj.get("baseScore")
+                            severity = cvss3_obj.get("baseSeverity")
                             exploitability_score = cvss3_obj.get("temporalScore")
                             attack_complexity = cvss3_obj.get("attackComplexity")
                             user_interaction = cvss3_obj.get("userInteraction")