Vulnerabilities

ID

openssf_scorecard/vulnerabilities

Severity

high

Category

Levels

Optional

false

Tags

security, supply-chain, vulnerabilities

Description

Does the project have unfixed known vulnerabilities?

This check determines whether the project has open, unfixed vulnerabilities.

Vulnerabilities in third-party dependencies are not analysed by this check; that is the domain of Software Composition Analysis (SCA) tools and of the misconfiguration rules in our product.

Rationale

Having unfixed known vulnerabilities increases risk, in proportion to how much work and expertise a successful exploit of the vulnerability requires and to its impact on the systems where the software is deployed.

An open vulnerability can be readily exploited by attackers and should be fixed as soon as possible.

Verification

The default configuration for the check uses the Open Source Vulnerabilities (OSV) or NIST National Vulnerability Database (NVD) databases. This is relevant for open-source projects.

As private projects typically do not publish detected vulnerabilities in OSV, the check can be configured with a URL pattern plus an 'unfixed vulnerabilities found' response pattern to work with custom security advisories. This may still fail to detect unfixed vulnerabilities if your security advisory registry does not follow a structured format.
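As an added illustration (not the check's own code), the following Python parses an OSV-style response and reports which advisories still cover a given package version, which is the kind of "unfixed vulnerability" decision the check makes against the configured database. The package name, version and advisory records are constructed, and the version comparison assumes plain dotted numeric versions.

```python
import json

# Constructed OSV-style response (not real advisories) for a hypothetical
# package "example-lib"; only the fields this example reads are included.
SAMPLE_OSV_RESPONSE = json.dumps({"vulns": [
    {"id": "CONSTRUCTED-0001", "affected": [{"package": {"name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.0.0"}, {"fixed": "1.2.0"}]}]}]},
    {"id": "CONSTRUCTED-0002", "affected": [{"package": {"name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.3.0"}]}]}]},
    {"id": "CONSTRUCTED-0003", "affected": [{"package": {"name": "example-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}, {"fixed": "1.5.0"}]}]}]},
    {"id": "CONSTRUCTED-0004", "affected": [{"package": {"name": "other-lib"},
        "ranges": [{"type": "SEMVER", "events": [{"introduced": "0"}]}]}]},
]})

def _vtuple(version):
    """Dotted numeric version to a comparable tuple ("0" means 'from the start')."""
    return tuple(int(part) for part in version.split("."))

def version_in_range(version, events):
    """True if version falls in an interval described by an OSV range's events:
    [introduced, fixed), [introduced, last_affected], or introduced with no close."""
    v = _vtuple(version)
    lower = None
    for event in events:
        if "introduced" in event:
            lower = _vtuple(event["introduced"])
        elif lower is not None and "fixed" in event:
            if lower <= v < _vtuple(event["fixed"]):
                return True
            lower = None
        elif lower is not None and "last_affected" in event:
            if lower <= v <= _vtuple(event["last_affected"]):
                return True
            lower = None
    return lower is not None and v >= lower  # open-ended range: no fix published

def unfixed_vulns(osv_response, package, version):
    """Sorted IDs of advisories whose affected ranges still cover package@version."""
    hits = set()
    for vuln in json.loads(osv_response).get("vulns", []):
        for affected in vuln.get("affected", []):
            if affected.get("package", {}).get("name") != package:
                continue
            for rng in affected.get("ranges", []):
                if rng.get("type") not in ("SEMVER", "ECOSYSTEM"):
                    continue
                if version_in_range(version, rng.get("events", [])):
                    hits.add(vuln["id"])
    return sorted(hits)

if __name__ == "__main__":
    print(unfixed_vulns(SAMPLE_OSV_RESPONSE, "example-lib", "1.4.0"))
```

CONSTRUCTED-0001 is skipped because its fix predates the queried version, while CONSTRUCTED-0003 is still reported even though a fix exists, since the version under test has not picked it up.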

Remediation

  • Fix the vulnerabilities. The details of each unfixed vulnerability can be found in the reported URLs.

Small Print

It is not easy, in a generic way, to detect unfixed vulnerabilities in non-standard vulnerability databases. This check may produce 'false negatives': vulnerabilities that are unknown, or that are known and unfixed but cannot be found in the configured database(s).