Environment


Aqua Enterprise, CVE-2018-12699 (Debian)

 

Summary


A concrete example that further explains how Aqua Enterprise assigns vulnerability scores and severities.

 

Description

Aqua gives precedence to the Vendor score and severity in all image scan results [1].

 

Whether CVSS version 2 is in use (the default method) or CVSS version 3 has been configured in the Aqua console [2], priority is always given to the Vendor score.

 

When CVSS version 3 is enabled, Aqua checks whether the Vendor specifies a CVSS version 3 score; if it is missing, the relevant CVSS version 3 NVD score is used instead.

 

Let’s take into consideration CVE-2018-12699 using CVSS version 2.

 


 

In this case, the Aqua score is set to Negligible since the Urgency assigned by the vendor is unimportant.

 

 

 

The NVD score does not take priority in this case.



 

However, when CVSS version 3 is enabled and the Vendor does not provide a CVSS version 3 score, Aqua will use the relevant NVD score.
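The precedence described above can be modelled to triage findings where the vendor rating shown sits well below the NVD score. This is an added example, not Aqua's code or API: the `Finding` fields, function names, the `nvd_floor` threshold, the NVD fallback in version 2 mode and all sample IDs and scores are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# The only mapping the article shows: vendor urgency "unimportant" -> "negligible".
URGENCY_TO_SEVERITY = {"unimportant": "negligible"}

@dataclass
class Finding:
    """Hypothetical scan record; field names are illustrative, not Aqua's schema."""
    cve: str
    vendor_urgency: Optional[str] = None  # vendor's own rating (CVSS v2 mode)
    vendor_v3: Optional[float] = None     # vendor-published CVSS v3 score, if any
    nvd_v2: Optional[float] = None
    nvd_v3: Optional[float] = None

def effective_rating(f: Finding, cvss_version: int = 2):
    """Return (source, rating) using the precedence the article describes."""
    if cvss_version == 3:
        if f.vendor_v3 is not None:       # vendor v3 score wins when present
            return ("vendor", f.vendor_v3)
        if f.nvd_v3 is not None:          # otherwise the NVD v3 score is used
            return ("nvd", f.nvd_v3)
        return ("none", None)             # assumption: case not covered by the article
    if f.vendor_urgency is not None:      # v2 (default): vendor rating wins
        return ("vendor", URGENCY_TO_SEVERITY.get(f.vendor_urgency, f.vendor_urgency))
    if f.nvd_v2 is not None:              # assumption: NVD is used when the vendor is silent
        return ("nvd", f.nvd_v2)
    return ("none", None)

def vendor_downgrades(findings, cvss_version=2, nvd_floor=7.0):
    """List findings rated negligible or below nvd_floor by the vendor while NVD >= nvd_floor."""
    flagged = []
    for f in findings:
        source, rating = effective_rating(f, cvss_version)
        nvd = f.nvd_v3 if cvss_version == 3 else f.nvd_v2
        if source != "vendor" or nvd is None or nvd < nvd_floor:
            continue
        if rating == "negligible" or (isinstance(rating, float) and rating < nvd_floor):
            flagged.append((f.cve, rating, nvd))
    return flagged

# Constructed sample data: placeholder IDs and scores, not real NVD values.
SAMPLE = [
    Finding("CVE-EXAMPLE-0001", vendor_urgency="unimportant", nvd_v2=7.2, nvd_v3=8.8),
    Finding("CVE-EXAMPLE-0002", vendor_v3=5.3, nvd_v2=5.0, nvd_v3=7.5),
    Finding("CVE-EXAMPLE-0003", nvd_v2=4.3, nvd_v3=6.1),
]

if __name__ == "__main__":
    for version in (2, 3):
        print(version, vendor_downgrades(SAMPLE, version))
```

The first sample record mirrors the case in this article: Negligible in version 2 mode because of the vendor urgency, and the NVD score once version 3 is enabled and the vendor has no version 3 score.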



 

 

Related information