What is CVSS?
Common Vulnerability Scoring System (CVSS) is an open framework for communicating about computer security vulnerabilities maintained by the Forum of Incident Response and Security Teams (FIRST). It is used by, among others, the National Vulnerability Database (NVD) and the National Institute of Standards and Technology (NIST) in the US. It uses a numerical score describing how severe a vulnerability is considered to be and a coded vector describing the nature of the vulnerability in question.
Managing, prioritizing, and fixing vulnerabilities is top priority for security teams. However, because different vendors are focused on different parts of the IT infrastructure, they often utilize different rating systems to describe the importance of those vulnerabilities. This makes it difficult for organizations to compare and prioritize vulnerabilities across the entire infrastructure.
The CVSS overcomes that challenge by using a single common vulnerability scoring system across the entire IT stack. In CVSS v3, complexity, privilege, and user interaction are all associated to a particular vulnerable component, along with confidentiality, integrity and availability needs. That means that if a feature in component A is extremely vulnerable, and causes something bad to happen in component B, the CVSS rating system will calculate the end-to-end vulnerability score. In addition, users can now customize their base CVSS score based on their own internal IT security risk profile.
The CVSS Score has three components: The Base, Temporal, and Environmental metrics.
-
The Base metric measures intrinsic aspects of the vulnerability, primarily how easy it is to take advantage of it and what kind of damage can be done if it is exploited. This value is set by Black Duck based on the CVSS guidelines.
-
The Environmental metric reflects the specific circumstances applicable to this asset and can be modified by the customer as part of a Vulnerability Policy or for a specific instance of a vulnerability. See Customizing Your Risk Ratings for more information.
-
The Temporal metric reflects the maturity level of the exploit and the remediation that is available, if any.
The CVSS Base and Environmental Score, as a total can be displayed on the vulnerability detail pages. In the Attack Vector Detail Report and Vulnerability Detail Report turn on the option to show the CVSS Score in the report generation screen.
Findings Tab
To enable CVSS scores from the Findings tab, perform the following steps:
-
Click Findings.
-
Click Show CVSS Score.
-
An additional column is displayed in the Vulnerability Management table.
-
To hide the CVSS Score, click Hide CVSS Score.
Report Generation
CVSS Scores can be included in the Vulnerability Detail Report for Sites, APIs or in the Attack Vector Detail Reports. To enable CVSS Scores when generating reports, perform the following steps:
-
Select the Reports tab.
-
Select the type of report to generate:
-
Sites
-
APIs
-
Groups
-
-
Under the Filter Options, click the Yes radio button.
-
Click Generate Report.
Reports generated will now include the CVSS Scores.
How Does CVSS Work?
The CVSS score is calculated in two parts:
-
A Base CVSS score: is primarily determined by the vulnerability itself, what access is required to exploit it and what kind of damage can it do.
-
Environmental CVSS score: considers the asset that has the vulnerability and what the needs of that asset are for confidentiality, integrity, availability, and can consider modifications that may affect how easy it is to exploit the vulnerability in this specific case.
See CVSSv3 Factors for a deeper understanding of the factors used to calculate CVSS scores and the effect of various changes, you can also go to https://www.first.org/cvss/calculator/3.0 to explore how changes to these values affect the CVSS scores.