Modern Nessus (10.x+) nests CVSS scores under pluginattributes.risk_information
and CVEs under pluginattributes.ref_information.ref[?].values.value (where
name=='cve'). Previous code only checked the flat legacy locations, so:
- CVSS was always None for Nessus-only findings -> blank CVSS column,
blank CPR (CPR = CVSS x EPSS x 10 requires both)
- CVEs only found via regex fallback over the description text — missed
CVEs that were only listed in the structured ref array
Both extractors now check the modern path first, then the legacy flat
field, then regex as last resort. Existing Nessus findings get CVSS
populated on the next sync via the existing severity/cvss merge path.
vulncheck
f61de08d95