On Thu, 10 Jan 2019, Daniel Heckenberg wrote:
> A very specific CII badge aspect is that detection and timely remedy of CVSS v2 medium and high severity issues is required. Coverity seems to have a report generator which performs this, but I haven't seen any direct or automatic way to map other C/C++ analysis tool outputs to CVSS scores. How is this usually done?

I don't know about "usually", but I can tell you how we do it in curl (which incidentally also matches what I see in several other C/C++ projects).
In the curl project we run several static code analyzers, fuzzers, etc. on the code *before release* and we fix the issues we find, meaning that whatever these tools find typically never causes any CVSS scores at all. We fix those problems before release.

The security flaws we do get reported are thus typically found by others (or by tests that run outside of our CI infra) or by our own developers on released code. They're not issued automatically by anyone; they're received and dealt with by humans.