Issued: 11th October 2022
What’s changing and why?
NIST recently announced the retirement of CVSS v2. While existing CVSS v2 scores will remain in the National Vulnerability Database (NVD), no new CVEs will be assigned a CVSS v2 score. For further details, please see: Retirement of CVSS v2.
Contrast released support for CVSS 3.1 as an opt-in option in April 2022. With the full retirement of CVSS v2, all remaining Organizations will be automatically migrated to CVSS 3.1 scoring on October 25, 2022.
What does this mean to you?
For Contrast Organizations still using CVSS v2 scoring, newly published CVEs will not appear in the Contrast UI and no notifications will be sent if a newly published CVE is found. Migrating to CVSS v3.1 scoring is required to rectify this.
If you wish to migrate your Organization to CVSS v3.1 scoring immediately, please reach out to us at email@example.com. If we don’t hear from you, all remaining Organizations will be automatically migrated on October 25, 2022.
Once the migration has occurred:
- Library scores will be updated to use the CVSS v3.1 score as the Security penalty factor, as outlined here. This may mean a change in the grade assigned to the library and any Applications using the library.
- CVSS v3 introduces a new “Critical” severity for CVEs, where CVSS v2 only had High, Medium and Low. As such, any custom integrations using the Contrast API to extract library data may need to be updated. There are no changes to the structure of any API payloads or responses. Click here for more details on the updated NVD Vulnerability Severity Ratings.
If you have any additional questions or concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us at firstname.lastname@example.org.