A challenge in scoring vulnerabilities detected in web applications and REST-based applications is outright automation of the scoring process. While software packages are scored using the CVSS standard (https://www.first.org/cvss/), this is not the case for the aforementioned applications. However, several pieces of vulnerability information could be leveraged, e.g. the vulnerability description, CWE (https://cwe.mitre.org/) and CVSS. Can machine learning approaches, e.g. text vectorization, be used to solve this challenge?
For example, if a web application vulnerability is described as "A XSS attack was reflected in a JSON response, this might leave content consumers vulnerable to attack if they don't appropriately handle the data (response)." and assigned CWE Id 79, can a text matching algorithm grab specified keywords, e.g. "XSS attack" and "JSON response", for analysis and scoring based on CWE and CVSS?
Some brief research led me to TensorFlow's word2vec model (https://www.tensorflow.org/tutorials/representation/word2vec).
I will be happy to hear if such techniques exist; references to papers or resources are also welcome.
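One way the matching described in the question could look, as an added example that is not part of the original post: it uses TF-IDF cosine similarity (a simpler text vectorization than word2vec) to match a finding description against reference entries, with the scanner's CWE id as an optional boost. The reference texts, the CVSS scores attached to them, and the names `REFERENCE`, `score_finding` and `hint_boost` are constructed for illustration.

```python
import math
import re
from collections import Counter

# Constructed reference set: (CWE id, keyword text, CVSS base score).
# Texts and scores are illustrative placeholders, not official data.
REFERENCE = [
    (79, "cross site scripting xss script injected web page response rendered browser", 6.1),
    (89, "sql injection special elements alter database query command", 9.8),
    (352, "cross site request forgery csrf forged request victim session", 8.8),
    (22, "path traversal pathname escapes restricted directory reads files", 7.5),
]

def tokens(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def build_index(docs):
    """Return (TF-IDF vector per document, idf table) using smoothed idf."""
    tokenised = [tokens(d) for d in docs]
    df = Counter(t for doc in tokenised for t in set(doc))
    idf = {t: math.log((1 + len(docs)) / (1 + c)) + 1 for t, c in df.items()}
    vecs = [{t: tf * idf[t] for t, tf in Counter(doc).items()} for doc in tokenised]
    return vecs, idf

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def score_finding(description, cwe_hint=None, hint_boost=0.25):
    """Rank reference entries by similarity; a scanner-supplied CWE id adds a boost."""
    ref_vecs, idf = build_index([text for _, text, _ in REFERENCE])
    # Words outside the reference vocabulary carry no signal and are dropped.
    query = {t: tf * idf[t] for t, tf in Counter(tokens(description)).items() if t in idf}
    ranked = []
    for (cwe, _, cvss), vec in zip(REFERENCE, ref_vecs):
        sim = cosine(query, vec) + (hint_boost if cwe == cwe_hint else 0.0)
        ranked.append((round(sim, 3), cwe, cvss))
    return sorted(ranked, reverse=True)

if __name__ == "__main__":
    finding = ("A XSS attack was reflected in a JSON response, this might leave "
               "content consumers vulnerable to attack if they don't appropriately "
               "handle the data (response).")
    for sim, cwe, cvss in score_finding(finding, cwe_hint=79):
        print(f"CWE-{cwe:<4} similarity={sim:<6} reference CVSS={cvss}")
```

A description that shares no vocabulary with the reference set scores zero everywhere, so only the CWE hint separates the entries in that case.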