This article will describe the changes made to the severity scoring in the new Aqua CSP 5.0 major release.
Severity Scoring prior to Aqua CSP 5.0
When assigning a vulnerability score or severity rating, Aqua always gives preference to any vendor-supplied scoring, if available. This is because vendor-specific information is more accurate and relevant to how vulnerabilities affect their product specifically. If there is no vendor-specific scoring available, Aqua will use scoring assigned by the National Vulnerability Database (NVD).
There are two versions of the Common Vulnerability Scoring System (CVSS) used to assign severity ratings: CVSS v2 and CVSS v3. Using CVSS v3 scores is not enabled by default in an Aqua CSP deployment; it can be enabled under System > Settings > Use vulnerability CVSS v3 scores (when available). Both the vendor and the NVD may assign a CVSSv2 score and a CVSSv3 score for some vulnerabilities.
The following logic is used if CVSSv3 scoring is not enabled:

| Scoring Available | Score Used |
| --- | --- |
| Vendor CVSSv2 and NVD CVSSv2 | Vendor CVSSv2 |
| NVD CVSSv2 only | NVD CVSSv2 |
The following logic is used if CVSSv3 scoring is enabled:

| Scoring Available | Score Used |
| --- | --- |
| Vendor CVSSv3 and NVD CVSSv3 | Vendor CVSSv3 |
| Vendor CVSSv3 and NVD CVSSv2 | Vendor CVSSv3 |
| Vendor CVSSv2 and NVD CVSSv3 | NVD CVSSv3 |
If there are no CVSSv3 scores available, the logic refers back to the first table above.
Notice that when CVSSv3 scoring is enabled and no vendor CVSSv3 score is available, the NVD CVSSv3 score is used. This has caused some confusion about the expected results, because the logic prefers any available CVSSv3 score over the vendor score, even when the vendor has provided only a CVSSv2 score.
Severity Scoring Updates in Aqua CSP 5.0
The changes to how Aqua assigns vulnerability scores and severity ratings ensure that the vendor-assigned severity rating is always preferred, then the vendor score, and finally the NVD score. This keeps the Aqua CSP results consistent with the OS vendors' advisories, which reflect a better understanding of how a vulnerability affects their specific products and of the mitigations that reduce or remove the risk.
The graphic below shows the new Aqua algorithm in action; notice that the NVD score is only used in cases where no vendor severity or score is available:
You can also see below how the various vendor severity attributes are handled by Aqua before and after Aqua CSP 5.0:
| Vulnerability Source / Type | Severity before 5.0 | Severity after 5.0 |
| --- | --- | --- |
| RedHat | Based on RedHat Score | Based on RedHat Severity |
| Debian | Based on NVD CVSS Score | Based on Debian Severity (when available) |
| Arch | Based on NVD CVSS Score | Based on Arch Severity |
| Ubuntu | Based on NVD CVSS Score | Based on Ubuntu Priority (when available) |
| Windows | Based on NVD CVSSv3 Score | Based on NVD (CVSS version based on client configuration) |
| Programming languages | Based on NVD CVSSv3 Score | Based on NVD (CVSS version based on client configuration) |
Aqua CSP 5.0 Scanning Results Examples:
1. Vendor severity, if available:
CVE-2016-6313 has a vendor severity of High assigned, so Aqua shows the High severity based on the Ubuntu scoring. Aqua will also still show the breakdown of any scores, if available.
2. Vendor CVSS score, if available.
3. NVD v2/v3 score, when no vendor information is available:
CVE-2020-3909 has no vendor information available but has an NVD CVSSv3 score of 9.8, so Aqua maps it to a Critical severity.
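To make the difference between the two algorithms concrete, here is an added Python model (not Aqua's code) of the pre-5.0 selection tables and the 5.0 precedence (vendor severity, then vendor score, then NVD score). The score-to-severity bands are the CVSS v3.x qualitative scale and are an assumption, since the article only states that 9.8 maps to Critical; the sample records other than CVE-2020-3909 are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vuln:
    cve: str
    vendor_severity: Optional[str] = None  # e.g. Ubuntu priority or Debian severity
    vendor_v2: Optional[float] = None
    vendor_v3: Optional[float] = None
    nvd_v2: Optional[float] = None
    nvd_v3: Optional[float] = None

def score_to_severity(score: float) -> str:
    # CVSS v3.x qualitative bands; an assumption, the article only shows 9.8 -> Critical
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium")):
        if score >= floor:
            return name
    return "Low"

def pre_50(v: Vuln, use_v3: bool) -> tuple:
    """Before 5.0: with the v3 option on, any CVSSv3 score wins, even over a vendor CVSSv2."""
    if use_v3 and v.vendor_v3 is not None:
        return ("vendor CVSSv3", score_to_severity(v.vendor_v3))
    if use_v3 and v.nvd_v3 is not None:
        return ("NVD CVSSv3", score_to_severity(v.nvd_v3))
    if v.vendor_v2 is not None:
        return ("vendor CVSSv2", score_to_severity(v.vendor_v2))
    if v.nvd_v2 is not None:
        return ("NVD CVSSv2", score_to_severity(v.nvd_v2))
    return ("none", "Unknown")

def v50(v: Vuln, use_v3: bool) -> tuple:
    """In 5.0: vendor severity, then vendor score, then NVD score (CVSS version per the setting)."""
    if v.vendor_severity:
        return ("vendor severity", v.vendor_severity)
    for src, v3, v2 in (("vendor CVSS", v.vendor_v3, v.vendor_v2), ("NVD CVSS", v.nvd_v3, v.nvd_v2)):
        score = v3 if use_v3 and v3 is not None else v2
        if score is not None:
            return (src, score_to_severity(score))
    return ("none", "Unknown")

# Constructed records: CVE-2020-3909 carries only what the article states; the other two are made up.
SAMPLE = [
    Vuln("CVE-2020-3909", nvd_v3=9.8),
    Vuln("CVE-0000-0001", vendor_v2=4.3, nvd_v3=7.5),           # vendor scores it lower
    Vuln("CVE-0000-0002", vendor_severity="Low", nvd_v3=9.8),  # vendor ranks it down
]

def compare(vulns=SAMPLE, use_v3=True) -> dict:
    return {v.cve: (pre_50(v, use_v3), v50(v, use_v3)) for v in vulns}
```

Running `compare()` with the v3 option enabled shows the two constructed records flipping from the NVD-derived High/Critical to the vendor's Medium/Low, which is exactly the behaviour change the tables above describe.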
Both new Aqua customers who installed Aqua CSP 5.0, as well as existing customers upgrading to Aqua CSP v5.0, will benefit from these changes.
Benefits of this new severity scoring method are:
- Leveraging OS security advisories: vendors' security advisories rank down critical vulnerabilities that have less impact on their OS. Aqua CSP 5.0 reflects the vendors' severity rankings for better consistency and accuracy.
- Get better scan results that reflect the real severity (and risk) of the vulnerability
- Reduce false positives/negatives.