As of February 23, 2016, the Sonatype Data Research group is providing Common Vulnerability Scoring System (CVSS) scores for security issues that have reserved CVEs.
After requesting a CVE ID from MITRE, some projects or researchers do not go back and fill in the details, resulting in an incomplete CVE. These CVE numbers are then referenced by the project and other sites in their commits, bug tracking, and advisories. Previously, the CVSS scores of reserved CVEs were set to zero, which caused them to be detected by the Sonatype Security-Unscored reference policy.
There are currently 23 reserved CVEs that will now have CVSS values. This will affect thousands of components. Because of this, and depending on how your policies are defined, you will see issues moving from the Security-Unscored policy to the appropriate Security-* policy after the next evaluation.
Below are the reserved CVEs that now have a CVSS score. We used the CVSS 3.0 calculator to determine the CVSS score based on our research of the vulnerability.
|# of Artifacts||CVE|