Support Bulletin: Library Scoring Migration to CVSS 3.1

  • Updated

Issued: 11th October  2022

What’s changing and why? 

NIST recently announced the retirement of CVSS v2. While existing CVSS v2 scores will remain in the National Vulnerability Database (NVD), no new CVEs will be assigned a CVSS v2 score. For further details, please see: Retirement of CVSS v2.

Contrast released support for CVSS 3.1 as an opt-in option in April 2022. With the full retirement of CVSS v2, all remaining Organizations will be automatically migrated to CVSS 3.1 scoring on October 25, 2022.

What does this mean to you?

For Contrast Organizations still using CVSS v2 scoring, newly published CVEs will not appear in the Contrast UI and no notifications will be sent if a newly published CVE is found. Migration to CVSS v3.1 scoring is required to rectify.

If you wish to migrate your Organization to CVSS v3.1 scoring immediately, please reach out to us at If we don’t hear from you, all remaining Organizations will be automatically migrated on October 25, 2022.

Once the migration has occurred:

  • Library scores will be updated to use the CVSS v3.1 score as the Security penalty factor, as outlined here. This may mean a change in the grade assigned to the library and any Applications using the library.
  • CVSS v3 introduces a new “Critical” severity for CVEs, where CVSS v2 only had High, Medium and Low. As such, any custom integrations using the Contrast API to extract library data may need to be updated. There are no changes to the structure of any API payloads or responses. Click here for more details on the updated NVD Vulnerability Severity Ratings.

Addendum: 7th March 2023
Please be aware, the original note above is incorrect. With the introduction of CVSS3, any CVE data retrieved from the API now has separate fields for the CVSS3 data. As such, any custom integrations using the Contrast API to extract library data will need to be updated.

If has_cvss3_score is true in the response, then the CVSS data is returned in

  • cvss_3_severity_code
  • cvss_3_severity_value
  • cvss_3_vector

Otherwise the integration should fall back to the CVSS2 data which is contained in:

  • severity_code
  • severity_value
  • access_vector

If you have any additional questions, concerns, or would like to discuss this issue further, please don’t hesitate to reach out to us at

Was this article helpful?

0 out of 0 found this helpful

Have more questions? Submit a request