Is cve2stix going to support CVSSv4?

CVSSv4 is now GA: Common Vulnerability Scoring System

As of June 27th 2024 it appears the NVD now support it: NVD - CVSS v4.0 Official Support

Are you planning on updating cve2stix to add CVSSv4 info to the STIX vulnerability objects?

Yes, we will, but we’re waiting on the NVD.

At the time of writing, NVD has not given any CVSS4 scores to CVEs:

https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&isCpeNameSearch=false&cvss_version=4

Until we can determine what the API response will look like (can’t find any info in the API schema) we can’t update the cve2stix code to account for them.

As soon as we have this, I plan to ship an update (track the progress here: Add support for CVSS 4.0 · Issue #3 · muchdogesec/cve2stix · GitHub)