Aliases for Internal Vulnerabilities and Custom CVSS

[stenocereus]

One feature that is highly interesting in Dependency-Track is the possibility to create Internal Vulnerabilities.

Some of these internally reported vulnerabilities may end up as a CVE after being publicly disclosed, and this is where I would suggest have Dependency-Track allow us to add aliases to the internal vulnerability. It would help us in handling two scenarios:

1. Allowing us to add aliases to the Internal Vulnerability to connect them to the public CVE when available

   • The frontend includes the Aliases field when editing an Internal Vulnerability, but it opens the CWE list, reported here: Aliases of internal vulnerabilities can be edited from the UI but the wrong list is presented frontend#458

2. Enable us to make our own CVSS rating for public vulnerabilities. For example, if NVD scores a CVE at 7.5, but we consider it to be at 5.5 we could make an Internal Vulnerability with CVSS 5.5 and use the CVE alias to connect them

   • This could potentially be better suited as part of the audit process in an additional field where we could add the custom CVSS, but that might be another discussion

[grimsell]

The ability to set your own custom CVSS would be highly appreciated. Or even an own custom risk score? Are there any plan for this?