eventOneHQ/npm-audit-html

CVSS score incorrect

fkamming opened this issue · 2 comments

The HTML report uses the metadata.exploitability value as the CVSS score. While I can't find any documentation on the exact meaning of this value, I don't think it is supposed to reflect a CVSS score.

For example, the npm mongodb vulnerability has a metadata.exploitability value of 3, while the actual CVSS score is 7.5. Our npm audit HTML report shows several other examples where the CVSS score in the report is completely different from the actual CVSS score.

I propose labelling it 'Exploitability:' instead of 'CVSS' in the npm audit HTML report, or otherwise removing it completely.
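As an added illustration of the point above (this is not code from npm-audit-html or from the issue author), the snippet below shows a report renderer that keeps the two fields apart: a row is labelled "CVSS" only when it comes from a dedicated cvss.score field holding a value in the CVSS range 0 to 10, and metadata.exploitability is always labelled "Exploitability". The advisory shape used here (metadata.exploitability, cvss.score) and both sample advisories are constructed assumptions for the example; the numbers 3 and 7.5 are the ones quoted in the issue. Since the output is an HTML report, advisory text is escaped before it is interpolated.

```javascript
// Added example, not code from npm-audit-html. The advisory object shape
// (metadata.exploitability, cvss.score) is assumed for illustration.

// A CVSS base score is a number in [0, 10]; anything else is not one.
function isCvssScore(value) {
  return typeof value === 'number' && Number.isFinite(value) && value >= 0 && value <= 10;
}

// Build the score rows for one advisory. The CVSS row is taken only from
// cvss.score; metadata.exploitability is reported under its own label and
// is never presented as a CVSS score, even when no cvss data is present.
function scoreRows(advisory) {
  const rows = [];
  const cvss = advisory.cvss && advisory.cvss.score;
  if (isCvssScore(cvss)) {
    rows.push({ label: 'CVSS', value: cvss });
  }
  const exploitability = advisory.metadata && advisory.metadata.exploitability;
  if (typeof exploitability === 'number') {
    rows.push({ label: 'Exploitability', value: exploitability });
  }
  return rows;
}

// Escape text before it goes into the HTML report so an advisory field
// (module name, title) that is not under our control cannot inject markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Render one advisory as a heading plus a table of labelled score rows.
function renderAdvisory(advisory) {
  const rows = scoreRows(advisory)
    .map((r) => `<tr><th>${escapeHtml(r.label)}:</th><td>${escapeHtml(r.value)}</td></tr>`)
    .join('');
  return `<h3>${escapeHtml(advisory.module_name)}</h3><table>${rows}</table>`;
}

// Constructed sample using the values quoted in the issue:
// exploitability 3, CVSS 7.5.
const sampleAdvisory = {
  module_name: 'mongodb',
  severity: 'high',
  metadata: { exploitability: 3 },
  cvss: { score: 7.5 },
};

// Constructed sample with no CVSS data and a hostile module name: the
// report must neither relabel exploitability as CVSS nor emit raw markup.
const noCvssAdvisory = {
  module_name: '<script>alert(1)</script>',
  metadata: { exploitability: 3 },
};

console.log(renderAdvisory(sampleAdvisory));
console.log(renderAdvisory(noCvssAdvisory));
```

Run with `node` to see the two rendered fragments; the mongodb advisory gets both a CVSS row (7.5) and an Exploitability row (3), while the second advisory gets only an Exploitability row and its module name appears escaped.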

@fkamming Interesting, you are right. metadata.exploitability doesn't actually seem to be the CVSS score, as I thought. Which makes me curious as to what it represents. I will relabel it to "Exploitability" for now.

🎉 This issue has been resolved in version 1.4.0 🎉

The release is available on:

Your semantic-release bot 📦🚀