From eec0a2b090af05bc2e9d7d067b1ded924db7072b Mon Sep 17 00:00:00 2001
From: Prabhu Subramanian
Date: Sun, 10 Nov 2024 23:05:54 +0000
Subject: [PATCH] Workaround npm bug with inconsistent severity and score

Signed-off-by: Prabhu Subramanian
---
 vdb/lib/npm.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/vdb/lib/npm.py b/vdb/lib/npm.py
index 3290b82..5d9a362 100644
--- a/vdb/lib/npm.py
+++ b/vdb/lib/npm.py
@@ -211,6 +211,10 @@ def to_vuln(self, v, ret_data):
         if vector_string:
             cvss3_obj = get_cvss3_from_vector(vector_string)
             if cvss3_obj:
+                # For some CVEs such as CVE-2024-47875, severity and score are not aligned
+                # By utilising the vector string, we make them consistent
+                score = cvss3_obj.get("baseScore")
+                severity = cvss3_obj.get("baseSeverity")
                 exploitability_score = cvss3_obj.get("temporalScore")
                 attack_complexity = cvss3_obj.get("attackComplexity")
                 user_interaction = cvss3_obj.get("userInteraction")
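Review bot: The two added assignments overwrite `score` and `severity` with `None` whenever `cvss3_obj` is truthy but lacks `baseScore` or `baseSeverity`, because `dict.get` is called without a fallback; if those names are already populated from the advisory earlier in `to_vuln` (outside this hunk), keeping the existing value as the default avoids silently dropping a rating on a malformed or partial vector string: `score = cvss3_obj.get("baseScore", score)` and `severity = cvss3_obj.get("baseSeverity", severity)`. The severity derived from the vector is likely to differ in casing from what the npm feed supplies (CVSS ratings are conventionally upper-case), so any downstream consumer that filters or compares on `severity` should be confirmed to do so case-insensitively before this becomes the authoritative value. The comment could also name the invariant being enforced rather than only the example, e.g. `# Prefer the vector-derived score/severity so the two always agree.`. `to_vuln` begins and ends outside the hunk.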