Working on Common Vulnerability Scoring System v3 integration
While working on Common Vulnerability Scoring System v3 implementation, we have to make choices.
Some of them are easy, other tricky. As we already say, CVSSv3 and CVSSv2 can be affected to the same alert, and we must keep CVSSv2 for SCAP needs, and simply because some alerts does not have CVSSv3 (old alerts).
We must propagate the right score (and only one per alert). We cannot deal with 2 scores like the NVD, our alerts are linked (see crosslinks demo)
Alerts CVSS scoring priority (CVSSv2 vs CVSSv3)
We will define an Alert Scoring with some priority. Here is what we have chosen (Higher to Lower priority). It includes Base, Environmental and Temporal sub vectors.
- If Alert have a CVSSv3 and CVSSv2 vectors and user have at least an Environmental or a Temporal CVSSv3 vector:
Score will be based on CVSSv3+(TemporalCVSSv3 or/and EnvCVSSv3) vector
- Else if Alert have at least a CVSSv2 vector and user have no Environmental or Temporal CVSSv3 vectors, but an Environmental CVSSv2 or a Temporal CVSSv2 vector:
Score will be based on CVSSv2+(TemporalCVSSv2 or/and EnvCVSSv2) vector
- Else if Alert have at least a CVSSv3 vector and no Environmental and Temporal vectors:
Score will be based on CVSSv3 vector only
- Else if Alert have only a CVSSv2 vector and no Environmental and Temporal vectors vector:
Score will be based on CVSSv2 vector only
How we will compute an Alert Score with the new CVSSv3 Vector
Actually, it’s pretty simple and we follow the NVD CVSSv3 Calculator rules.
- Overall Score will be equal to Base Score if to Temporal Score and no Environmental Score
- Overall Score will be equal to Temporal Score if Temporal Score exist and no Environmental Score exist
- Overall Score will be equal to Environmental Score if Environmental Score exist
Base Score: 6.6 (Medium)
Temporal Score: 6.6 (Medium) because no Temporale Metrics are set
Environmental Score: 7.7 (High)
Overall Score: 7.7 (High)
Environmental CVSS vector for Monitored Product
As we will manage CVSSv3 and CVSSv2 Environmental vectors for Monitored Products, we have decided that if a CVSSv3 and a CVSSv2 Environmental vector are set, CVSSv2 will act as a fallback for alerts.
Errors can be reproduced with (for example) this vector:
View on: impactSubScoreMultiplier
Formula: (1 - ((1 - metricWeightC) * (1 - metricWeightI) * (1 - metricWeightA)));
Result: (1 - ((1 - 0.22) * (1 - 0) * (1 - 0)));
It’s a small difference but could lead to some errors on overall score. If someone could explain?
When CVSSv3 will be implemented on Security-Database?
Well, we are finishing the implementation. We think it will be done at the end of August. But our biggest problem is on our source which did not provide CVSSv3 for CVE until this fall. Of course we can retrieve them from their website, but we don’t like that method. We are actually searching a smart way to go live sooner than this fall.
Your comments on this note are welcome. Please, comment or share it. We really need your input on these. We must select the right rules and not change them in the ‘near’ future.
Thanks to all
The Security-Database Team