Summary


This article will describe the changes made to the severity scoring in the new Aqua CSP 5.0 major release. 


Severity Scoring prior to Aqua CSP 5.0


When assigning a vulnerability score or severity rating, Aqua always gives preference to any vendor-supplied scoring, if available.  This is because vendor-specific information is more accurate and relevant to how vulnerabilities affect their product specifically.  If there is no vendor-specific scoring available, Aqua will use scoring assigned by the National Vulnerability Database (NVD). 


Two versions of the Common Vulnerability Scoring System are used to assign severity ratings: CVSS v2 and CVSS v3.  The option to use CVSS v3 scoring is not enabled by default in an Aqua CSP deployment; it can be enabled by navigating to System > Settings > Use vulnerability CVSS v3 scores (when available).  Both the vendor and the NVD may assign a CVSSv2 score and a CVSSv3 score to some vulnerabilities. 


The following logic is used if CVSSv3 scoring is not enabled:


Scoring Available               | Score Used
Vendor CVSSv2 and NVD CVSSv2    | Vendor CVSSv2
NVD CVSSv2 only                 | NVD CVSSv2


The following logic is used if CVSSv3 scoring is enabled:


Scoring Available               | Score Used
Vendor CVSSv3 and NVD CVSSv3    | Vendor CVSSv3
Vendor CVSSv3 and NVD CVSSv2    | Vendor CVSSv3
Vendor CVSSv2 and NVD CVSSv3    | NVD CVSSv3

If there are no CVSSv3 scores available, the logic refers back to the first table above.


Note that when CVSSv3 scoring is enabled and no vendor CVSSv3 score is available, the NVD v3 score is used.  This has caused some confusion about the expected results, since this logic prefers any available CVSSv3 score over the vendor score, even when the vendor has provided only a CVSSv2 score.


Severity Scoring Updates in Aqua CSP 5.0


The changes to how Aqua assigns vulnerability scores and severity ratings ensure that the vendor-assigned severity rating is always preferred, then the vendor score, and finally the NVD score.  This maintains consistency and accuracy in Aqua CSP by following the OS vendors, who have a better understanding of how a vulnerability affects their specific products and whether its risk has been minimized or removed altogether.  


The graphic below shows the new Aqua algorithm in action, notice the NVD score is only used in cases where no vendor severity or score is available:





The table below shows how the various vendor severity attributes are handled by Aqua before and after Aqua 5.0:


Vulnerability Source / Type | Severity before 5.0         | Severity after 5.0
RedHat                      | Based on RedHat Score       | Based on RedHat Severity
Debian                      | Based on NVD CVSS Score     | Based on Debian Severity (when available)
Arch                        | Based on NVD CVSS Score     | Based on Arch Severity
Ubuntu                      | Based on NVD CVSS Score     | Based on Ubuntu Priority (when available)
Windows                     | Based on NVD CVSSv3 Score   | Based on NVD (CVSS version based on client configuration)
Programming languages       | Based on NVD CVSSv3 Score   | Based on NVD (CVSS version based on client configuration)



Aqua CSP 5.0 Scanning Results Examples:


1. Vendor Severity, if available:


    CVE-2016-6313 has a vendor severity of High assigned, so Aqua shows the High severity based on Ubuntu scoring.  Aqua will also still show the breakdown of any scores, if available. 



2. Vendor CVSS score, if available.


3. NVD v2/v3 score, no vendor information available:


CVE-2020-3909 has no vendor information available but an NVD CVSSv3 score of 9.8, so Aqua maps it to a Critical severity.
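The following added example (not Aqua's code) models both the pre-5.0 precedence tables and the 5.0 order of vendor severity, then vendor score, then NVD score, and runs them over constructed records for the CVEs above plus a vendor-CVSSv2-only case. The score-to-severity thresholds and the sample scores are assumptions, not values taken from Aqua or NVD.

```python
from dataclasses import dataclass
from typing import Optional

def score_to_severity(score: float, version: int) -> str:
    """Assumed mapping: the NVD qualitative scales (Critical exists only in v3)."""
    if version == 3 and score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

@dataclass
class Vuln:
    cve: str
    vendor_severity: Optional[str] = None  # e.g. Ubuntu priority, RedHat/Debian severity
    vendor_v2: Optional[float] = None
    vendor_v3: Optional[float] = None
    nvd_v2: Optional[float] = None
    nvd_v3: Optional[float] = None

def severity_pre_5_0(v: Vuln, use_v3: bool):
    """Pre-5.0 tables: with v3 enabled, any CVSSv3 score wins (vendor first),
    so a vendor that only supplied CVSSv2 is overridden by NVD's v3 score."""
    if use_v3:
        if v.vendor_v3 is not None:
            return "vendor CVSSv3", score_to_severity(v.vendor_v3, 3)
        if v.nvd_v3 is not None:
            return "NVD CVSSv3", score_to_severity(v.nvd_v3, 3)
    if v.vendor_v2 is not None:
        return "vendor CVSSv2", score_to_severity(v.vendor_v2, 2)
    if v.nvd_v2 is not None:
        return "NVD CVSSv2", score_to_severity(v.nvd_v2, 2)
    return "none", "Unknown"

def severity_5_0(v: Vuln, use_v3: bool):
    """5.0 order: vendor severity, then vendor score, then NVD score; the CVSS
    version used inside each source is assumed to follow the client setting."""
    if v.vendor_severity:
        return "vendor severity", v.vendor_severity
    for src, s3, s2 in (("vendor", v.vendor_v3, v.vendor_v2), ("NVD", v.nvd_v3, v.nvd_v2)):
        if use_v3 and s3 is not None:
            return f"{src} CVSSv3", score_to_severity(s3, 3)
        if s2 is not None:
            return f"{src} CVSSv2", score_to_severity(s2, 2)
    return "none", "Unknown"

# Constructed sample records (scores are illustrative; CVE-0000-0000 is a placeholder id).
SAMPLES = [
    Vuln("CVE-2016-6313", vendor_severity="High", nvd_v2=5.0, nvd_v3=5.3),
    Vuln("CVE-2020-3909", nvd_v3=9.8),
    Vuln("CVE-0000-0000", vendor_v2=4.3, nvd_v3=9.8),  # the confusing pre-5.0 case
]

if __name__ == "__main__":
    for v in SAMPLES:
        print(v.cve, "pre-5.0:", severity_pre_5_0(v, True), "5.0:", severity_5_0(v, True))
```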



Benefits:


Both new Aqua customers who installed Aqua CSP 5.0, as well as existing customers upgrading to Aqua CSP v5.0, will benefit from these changes. 


Benefits of this new severity scoring method are:


  • Leveraging OS security advisories: vendors' security advisories have an interest in ranking down critical vulnerabilities that have less impact on their OS, and Aqua CSP 5.0 reflects the vendors' severity rankings for better consistency and accuracy
  • Get better scan results that reflect the real severity (and risk) of the vulnerability
  • Reduce false positives/negatives.