
Recipe 9: Time-Based CVSS Policy

In many ways, this is an advanced version of the previous policy. This Rego sample flags packages in a specific repository that contain serious, long-published, but ultimately fixable vulnerabilities. It also records the reason for each policy match so the decision can be reviewed later for forensics.

```rego
package cloudsmith

# Default match rule
default match := false

# Define maximum CVSS score threshold
max_cvss_score := 7

# Define time-based policy threshold (Vulnerabilities older than X days)
older_than_days := -30

# Define the target repository
target_repository := "acme-repo-one"

# Define CVEs to ignore
ignored_cves := {"CVE-2023-45853", "CVE-2024-12345"}

# Main match condition
match if {
    in_target_repository
    count(reason) != 0
}

# Check if the package belongs to the specified repository
in_target_repository if {
    input.v0.repository.name == target_repository
}

# Generate reasons for matching vulnerabilities
reason contains msg if {
    # Loop through all vulnerabilities
    # some vulnerability in input.v0.security_scan.Vulnerabilities (deprecated)
    some target in input.v0.security_scan
    some vulnerability in target.Vulnerabilities

    # Ignore specific CVEs
    not ignored_cve(vulnerability)

    # Only consider vulnerabilities with a fixed version
    vulnerability.FixedVersion
    vulnerability.Status == "fixed"

    # Ensure the CVSS score exceeds the threshold
    some _, val in vulnerability.CVSS
    val.V3Score >= max_cvss_score

    # Apply time-based filtering (only consider vulnerabilities older than X days)
    t := time.add_date(time.now_ns(), 0, 0, older_than_days)
    published_date := time.parse_rfc3339_ns(vulnerability.PublishedDate)
    published_date <= t

    # Message for logging the reason
    msg := sprintf(
        "CVSS Score: %v | Package: %v | Vulnerability: %v | Reason: %v",
        [val.V3Score, input.v0["package"].name, vulnerability.VulnerabilityID, vulnerability.Description]
    )
}

# Rule to check if CVE is ignored
ignored_cve(vulnerability) if {
    vulnerability.VulnerabilityID in ignored_cves
}
```

View policy on GitHub

Trigger Condition

```rego
older_than_days := -30
```

When and How It's Triggered

The CVE affecting the h11 0.14.0 package pushed below was published on 24 April 2025, well beyond the 30-day threshold specified in the policy, so the push triggers it.

```bash
pip download h11==0.14.0
cloudsmith push python WORKSPACE/REPO h11-0.14.0-py3-none-any.whl -k "API_KEY"
```

The policy implements time-based filtering by comparing each vulnerability's PublishedDate to a calculated cutoff date: the current time plus older_than_days, which with the default of -30 is 30 days ago. If the vulnerability was published on or before that cutoff date, it's considered a match; anything newer is ignored.
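The following OPA test suite is an added example, not part of the Cloudsmith guide or its policy repository. It assumes the policy above is saved as policy.rego and run under OPA 1.0 syntax (`if`/`in` without `import rego.v1`), and its constructed scan input only uses the fields the policy itself reads (v0.repository, v0.package, v0.security_scan[].Vulnerabilities[]); the far-future date in the second test is a deliberate stand-in for "published after the cutoff" so the test does not depend on the wall clock.

```rego
package cloudsmith_test

import data.cloudsmith

# Constructed input (not a real scan): a single finding that satisfies every
# policy condition (target repo, fixed, CVSS >= 7, published long ago).
matching_input := {"v0": {
    "repository": {"name": "acme-repo-one"},
    "package": {"name": "example-pkg"},
    "security_scan": [{"Vulnerabilities": [{
        "VulnerabilityID": "CVE-0000-0001",
        "Description": "constructed finding",
        "Status": "fixed",
        "FixedVersion": "1.2.3",
        "PublishedDate": "2020-01-01T00:00:00Z",
        "CVSS": {"nvd": {"V3Score": 9.8}},
    }]}],
}}

# JSON Pointer to the finding, used to derive the negative cases below.
vuln_path := "/v0/security_scan/0/Vulnerabilities/0"

test_old_fixed_high_severity_matches if {
    cloudsmith.match with input as matching_input
    reasons := cloudsmith.reason with input as matching_input
    some msg in reasons
    startswith(msg, "CVSS Score: 9.8 | Package: example-pkg | Vulnerability: CVE-0000-0001")
}

# Published after the cutoff: the time filter must exclude it. A far-future
# date keeps the test independent of the wall clock.
test_recently_published_does_not_match if {
    recent := json.patch(matching_input, [{"op": "replace",
        "path": sprintf("%v/PublishedDate", [vuln_path]),
        "value": "2999-01-01T00:00:00Z"}])
    not cloudsmith.match with input as recent
}

# Listed in ignored_cves: excluded regardless of score and age.
test_ignored_cve_does_not_match if {
    ignored := json.patch(matching_input, [{"op": "replace",
        "path": sprintf("%v/VulnerabilityID", [vuln_path]),
        "value": "CVE-2023-45853"}])
    not cloudsmith.match with input as ignored
}
```

Run it with `opa test policy.rego policy_test.rego -v`; all three tests should pass against the policy as written, and the first one fails if the message format or any threshold is changed.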

Updated 3 weeks ago
