cve-update-nvd2-native: fix cvssV3 metrics
After upgrade to soon-to-be-released kirkstone 4.0.11 CVE annotations got broken. Anything which has only cvssV3 does not resolve properly. Fix the API fields used to extract it. i0.0 score is now at level of NVD DB 1.1. All CVEs with UNKNOWN vector are not present in NVD DB 1.1. NVD API 1.1: sqlite> select vector, count(vector) from nvd group by vector; ADJACENT_NETWORK|4776 LOCAL|32146 NETWORK|167746 PHYSICAL|185 sqlite> select scorev3, count(scorev3) from nvd group by scorev3; 0.0|73331 1.8|7 1.9|3 ... NVD API 2.0 (broken): sqlite> select vector, count(vector) from nvd group by vector; ADJACENT_NETWORK|4587 LOCAL|26273 NETWORK|150421 UNKNOWN|24644 sqlite> select scorev3, count(scorev3) from nvd group by scorev3; 0.0|205925 NVD API 2.0 (fixed): sqlite> select vector, count(vector) from nvd group by vector; ADJACENT_NETWORK|5090 LOCAL|32322 NETWORK|168004 PHYSICAL|213 UNKNOWN|511 sqlite> select scorev3, count(scorev3) from nvd group by scorev3; 0.0|73841 1.8|7 1.9|3 ... Signed-off-by:Peter Marko <peter.marko@siemens.com> Signed-off-by:
Loading