Aqua Enterprise, CVE-2018-12699 (Debian)
A concrete example that further explains how Aqua Enterprise assigns vulnerability scores and severities.
Aqua gives precedence to the Vendor score and severity in all image scan results.
Whether CVSS version 2 is in use, which is the default method, or CVSS version 3 is configured in the Aqua console, priority is always given to the Vendor score.
When CVSS version 3 is enabled, Aqua checks whether the Vendor specifies a CVSS version 3 score; if it is missing, it is overridden by the relevant CVSS version 3 NVD score.
Let’s take CVE-2018-12699 as an example, using CVSS version 2.
In this case, the Aqua score is set to Negligible, since the Urgency assigned by the vendor is unimportant.
The NVD score does not have priority in this case.
However, when CVSS version 3 is enabled and its score is not available from the Vendor, Aqua will use the relevant NVD score.
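The precedence rule described above can be modelled as a small selection function. This is an added illustration, not Aqua's code: the names `Rating`, `select_rating` and `changed_by_v3` are hypothetical, the numeric scores and the second CVE entry are constructed sample data, and the NVD fallback under CVSS version 2 is an assumption (the page states the fallback only for version 3).

```python
from typing import NamedTuple, Optional

class Rating(NamedTuple):
    severity: str
    score: Optional[float]  # None when the feed publishes only a label

def select_rating(cvss_version, vendor, nvd):
    """Return (source, Rating) for the configured CVSS version (2 or 3).

    vendor / nvd map a CVSS version to a Rating; a missing key means the
    feed publishes nothing for that version.
    """
    if cvss_version not in (2, 3):
        raise ValueError("cvss_version must be 2 or 3")
    if cvss_version in vendor:        # the Vendor rating always has priority
        return "vendor", vendor[cvss_version]
    if cvss_version in nvd:           # Vendor silent: use the NVD rating
        return "nvd", nvd[cvss_version]   # (for version 2 this is an assumption)
    return None, None

def changed_by_v3(findings):
    """List (cve, v2 severity, v3 severity) for findings whose effective
    severity differs between the CVSS v2 and CVSS v3 settings."""
    changed = []
    for cve, vendor, nvd in findings:
        _, r2 = select_rating(2, vendor, nvd)
        _, r3 = select_rating(3, vendor, nvd)
        if r2 and r3 and r2.severity != r3.severity:
            changed.append((cve, r2.severity, r3.severity))
    return changed

# Constructed sample data. The first entry mirrors the page's Debian case:
# vendor urgency "unimportant" -> Negligible, and no vendor CVSS v3 score.
# All numeric scores and NVD labels below are illustrative, not real values.
FINDINGS = [
    ("CVE-2018-12699",
     {2: Rating("negligible", None)},
     {2: Rating("medium", 5.0), 3: Rating("high", 7.0)}),
    ("CVE-0000-0000",  # placeholder id; vendor rates both versions
     {2: Rating("low", 2.0), 3: Rating("low", 3.0)},
     {2: Rating("high", 7.5), 3: Rating("critical", 9.0)}),
]

if __name__ == "__main__":
    for cve, v2, v3 in changed_by_v3(FINDINGS):
        print(f"{cve}: {v2} under CVSS v2, {v3} under CVSS v3")
```

Running a comparison like this before switching the console to CVSS version 3 shows which findings will change severity, and therefore which policy thresholds may start to trigger.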