How Your Vulnerability Ratings are Determined
The most significant factor in determining vulnerability rating is the Rating Methodology set for your account in the Continuous Dynamic Portal. Black Duck strongly recommends that users utilize the Advanced Rating Methodology, which allows sites and applications to be evaluated using the same standards and rating scale.
In addition, only those users using the Advanced Rating Methodology can set priorities for their sites, which enables efficient prioritization and remediation of vulnerabilities according to business needs.
The goal of rating a vulnerability is to provide a single measurement that will reflect:
- Impact - The amount of damage that could be done if a given vulnerability is exploited.
- Likelihood - How easily that vulnerability could be exploited.
- Priority - (Sites only) How important this asset is to the user's business.
If using the Advanced Rating Methodology, users can also choose to set a Priority, which is factored into the Impact set by Black Duck to produce a Net Impact.
Rating the Vulnerability
The Impact (if no Priority is set) or the Net Impact is combined with the Likelihood to generate the Rating. The Likelihood associated with Directory Traversal is Low, so if we consult this table, also shown in Understanding the Rating Methodologies, we can see the results:
| Net Impact | Low Likelihood | Medium Likelihood | High Likelihood |
|---|---|---|---|
| Low Impact | Risk: Note | Low Risk | Medium Risk |
| Medium Impact | Low Risk | Medium Risk | High Risk |
| High Impact | Medium Risk | High Risk | Critical Risk |
If no Priority were set for either site, the vulnerability would have an Impact of High and a Likelihood of Low, and the final rating would be Medium.
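The matrix above can be applied mechanically when triaging a list of findings. The following is an added example and not Black Duck's own code; it assumes the (Net) Impact is already known, because this page does not define how a Priority is folded into the Impact, and the findings it rates are constructed sample input. Beyond the plain table lookup, it also shows that the matrix is additive: each step up in either Impact or Likelihood raises the rating one level, so the rating index is simply the impact index plus the likelihood index.

```python
"""Risk-matrix lookup for the Net Impact x Likelihood table above.

Added example, not Black Duck's code. Priority handling is out of scope:
the page does not define how Priority is folded into Impact, so callers pass
the (Net) Impact directly. The findings below are constructed sample input.
"""
from typing import List, Tuple

LEVELS = ("Low", "Medium", "High")                       # row/column order
RATINGS = ("Note", "Low", "Medium", "High", "Critical")  # least to most severe

# Rows: Net Impact (Low, Medium, High); columns: Likelihood (Low, Medium, High).
RISK_MATRIX = {
    "Low":    {"Low": "Note",   "Medium": "Low",    "High": "Medium"},
    "Medium": {"Low": "Low",    "Medium": "Medium", "High": "High"},
    "High":   {"Low": "Medium", "Medium": "High",   "High": "Critical"},
}


def rate(net_impact: str, likelihood: str) -> str:
    """Return the Risk Rating for a (Net) Impact / Likelihood pair via the table."""
    if net_impact not in LEVELS or likelihood not in LEVELS:
        raise ValueError(f"expected one of {LEVELS}, got {net_impact!r}/{likelihood!r}")
    return RISK_MATRIX[net_impact][likelihood]


def rate_additive(net_impact: str, likelihood: str) -> str:
    """Same result using the structure the matrix has: one step up on either
    axis moves the rating up one level, so index = impact index + likelihood index."""
    return RATINGS[LEVELS.index(net_impact) + LEVELS.index(likelihood)]


def severity(rating: str) -> int:
    """Ordinal position of a rating, for sorting (Note=0 ... Critical=4)."""
    return RATINGS.index(rating)


def triage(findings: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Rate each (name, net_impact, likelihood) finding; most severe first."""
    rated = [(name, rate(imp, lik)) for name, imp, lik in findings]
    return sorted(rated, key=lambda r: severity(r[1]), reverse=True)


if __name__ == "__main__":
    # Constructed sample findings; the first mirrors the page's Directory Traversal case
    # (Impact High, Likelihood Low, no Priority set -> Medium).
    sample = [
        ("Directory Traversal (no Priority set)", "High", "Low"),
        ("Reflected XSS (constructed)", "Medium", "High"),
        ("Verbose server banner (constructed)", "Low", "Low"),
    ]
    for name, rating in triage(sample):
        print(f"{rating:9} {name}")
    # The additive form agrees with the table for every cell.
    assert all(rate(i, l) == rate_additive(i, l) for i in LEVELS for l in LEVELS)
```

Setting a Priority would change only the first argument (Net Impact instead of Impact); the lookup itself is unchanged, which is why a Priority change on a single asset can move a finding's rating by a full level.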
Priority can have a significant impact on the Risk Rating given to a particular vulnerability on a particular asset; see "Understanding Asset Priority" for more details.