Calculate weighted_severity, exploitibility and risk score for a AdvisorySet

[TG1999]

Since we are now grouping advisories at presentation level. We also need to think on a cumulative risk score, exploitibility and weighted severity of that group. Like if we have multiple advisories with their own weighted severity, exploitibilty and risk score. How shall we calculate weighted severity, exploitibility and risk score of a group ?

[DennisClark]

Since we already for package risk score calculation take maximum risk score of all advisories affecting that package, I think we should continue with that approach for an advisory set.

[TG1999]

@DennisClark thanks! What about weighted severity and exploitability ? Would they also be max of the advisory too ?

Or would we get max weighted severity and max exploitability of the advisory set and then use them to compute risk score?

Since risk score is calculated like this

risk_score = min(float(advisory.exploitability * advisory.weighted_severity), 10.0)
risk_score = round(risk_score, 1)

Weighted severity is always taken as the max of the all weighted severities

And

Exploitibility is also taken as maximum (2) if an advisory has Exploits or EPSS score on it with severity of 0.8, if none of this holds true and if there is a reference of type EXPLOIT we give exploitability of 1 and if that's not the case as well we give 0.5 as default

So IMO, weighted_severity of an AdvisorySet should be max(weighted_severity of all advisories) and exploitability of an AdvisorySet should be max(exploitability of all advisories). And the risk score should be calculated using above formula.