Stop creation of CVSS v4 by yourself

[AB-xdev]

You seem to to create CVSS v4 scores for some advisories as I found out in #5032.
I condensed the original discussion into this issue.

There are some problem with that, here is a quick recap:

• This is only done for certain CVEs, not all
• The process how these CVSS v4 values are created is not transparent
  • There is no (public) documentation that this is done, how this is done and why it is done
  • Likely no communication with CVE creators / CVSSv4 values do not match CVE descriptions (usually only contains CVSS v3 score explanation)
• Created CVSS v4 are not marked as "computed from CVSSv3 by GitHub" or something similar anywhere
• Original CVSS score is not used for computing the severity

Please have a look at the original discussion for more details.

Anyway this process seems to result in incorrect scores (some values do not match at all) and incorrect severity values, thus also resulting in False Postives and Negatives in downstream scanners that utilize the database with severity filters.

Spontaneously found examples:

CVE	CVSS v3 (original)	CVSS v4 created by GitHub (used in severity)	Note
CVE-2024-47535	5.5 moderate	7.0 High	See #5032
CVE-2024-53848	7.1 High	6.1 Moderate	Vulnerable System Impact Metrics seem to be missing
CVE-2024-52806	8.3 High	6.9 Medium	Vulnerable System Impact Metrics seem to be missing
CVE-2024-51132	9.8 Critical	8.8 High	Subsequent System Impact Metrics seem to be missing
CVE-2024-43499	7.5 High	0.0 Low	CVSSv3 is not present in database but was declared in CVE? Not sure what's going on here...

The overall current situation erodes (my) trust in this - security critical - system as distinguishing between correct and incorrect scores is no longer easily possible.

Further references:

• CVSS-Tampering: GitHub creates incorrect CVSS v4 scores aquasecurity/trivy#8042