Reviewing our product, you may have come across our Scan Settings in the Web UI, under Configuration > Settings > Scanning, where you can choose whether to "Use CVSSv3 Scoring (When Available)". But what does that setting mean, how do the two scoring systems differ, and, most importantly, how do you choose which one to use?

If you're looking for a quick answer: in general, we recommend using CVSSv3. It is the newer of the two systems, and its base metrics (Scope, Privileges Required and User Interaction, among others) capture aspects of exploitability that the older v2 metrics do not.

However, this is sometimes complicated by the addition of vendor scores. Vendor scores are additional values, released by OS vendors (typically through the distribution's own security tracker), that are meant to supersede the "standard" CVSS value in cases where the vendor has information about its own packages that is not reflected in the NVD.

A good example: suppose an advisory states that Bash 1.0 is vulnerable to an attack, that the issue is fixed in Bash 1.1, and that the vulnerability carries a high score because the attack would be devastating. If you are running Red Hat with Bash 1.0 installed, you would receive a "high" rating from the "vanilla" CVSS score.

However, Red Hat may have backported the fix: rather than shipping the new upstream release, it patches the vulnerable code in its own Bash 1.0 package and rebuilds it, keeping the upstream version number. The system is then no longer vulnerable, despite technically still running Bash 1.0 and having all of the standard Bash 1.0 files on disk, which is exactly what a version-matching scanner (ours included) detects. In that case you would receive a "negligible" vendor score for this vulnerability, or the vendor would list the package as not affected.

All of this is to say that vendor scores are extremely important if the vendor of your base image OS maintains and curates a vulnerability database providing such scores, as the major Linux distributions do.

CVSS v2 or v3?

With that out of the way, we can now discuss CVSSv2 vs CVSSv3 scoring. v3 is a newer standard than v2, and so should be used wherever possible. That said, because of its relatively young age, it's important to note that some OS vendor databases do not yet include CVSSv3 vendor score data. When this happens, you will be relying instead on vanilla CVSSv3 information, which may leave out the vendor's details (for example, that the fix was backported), so a finding can end up rated higher than the vendor's own v2 score would rate it.

There is no single way to determine whether every vulnerability on your system has vendor data; however, in the newest releases of Aqua CSP we differentiate visually between CVSSv2 and CVSSv3, and between vanilla and vendor scores for each, in the Risk-Based Insights tab under Vulnerabilities.
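To make the precedence concrete, here is an added example (not Aqua's code, and not the product's scoring logic) that applies the rules described above to a set of scanner findings: the vendor score beats the vanilla NVD score within a CVSS version, the preferred version is tried first, and the other version is used as a fallback. It also reports the two things a practitioner wants to know after reading the previous two paragraphs: which findings have no vendor v3 score at all, and which of those are probably being over-rated because the v3 preference fell back to vanilla NVD data. The `Finding` field names and the sample findings are assumptions constructed for this example; the severity buckets are the standard CVSSv3 qualitative scale and NVD's CVSSv2 bands.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    """One vulnerability hit against one installed package.

    The field names are assumptions for this example, not a scanner's schema.
    A None score means that source published nothing for this finding.
    """
    id: str
    package: str
    nvd_v2: Optional[float] = None      # "vanilla" NVD CVSSv2 base score
    nvd_v3: Optional[float] = None      # "vanilla" NVD CVSSv3 base score
    vendor_v2: Optional[float] = None   # OS vendor's own CVSSv2 score, if published
    vendor_v3: Optional[float] = None   # OS vendor's own CVSSv3 score, if published


SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def severity_v3(score: float) -> str:
    """CVSSv3 qualitative rating scale (None / Low / Medium / High / Critical)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def severity_v2(score: float) -> str:
    """NVD's CVSSv2 severity bands; v2 has no 'none' or 'critical' band."""
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high"


def effective_score(f: Finding, prefer_v3: bool = True) -> Tuple[float, str, str]:
    """Pick the score a finding should be rated by.

    Precedence as the article describes it: within a CVSS version the vendor
    score beats the vanilla NVD score, and the preferred version is tried
    before falling back to the other one. Returns (score, source, severity).
    """
    v3_chain = [("vendor-v3", f.vendor_v3, severity_v3), ("nvd-v3", f.nvd_v3, severity_v3)]
    v2_chain = [("vendor-v2", f.vendor_v2, severity_v2), ("nvd-v2", f.nvd_v2, severity_v2)]
    order = v3_chain + v2_chain if prefer_v3 else v2_chain + v3_chain
    for source, score, bucket in order:
        if score is not None:        # 0.0 is a real (vendor "negligible") score, keep it
            return score, source, bucket(score)
    raise ValueError(f"{f.id}: no CVSS score from any source")


def missing_vendor_v3(findings: List[Finding]) -> List[str]:
    """Findings where preferring v3 silently falls back to vanilla NVD data."""
    return [f.id for f in findings if f.vendor_v3 is None]


def overrated_by_fallback(findings: List[Finding]) -> List[str]:
    """Findings whose vanilla v3 severity exceeds what the vendor's v2 score says.

    These are the cases the article warns about: the vendor knows something
    (typically a backported fix) that the NVD score does not reflect, but has
    only published that knowledge as a v2 score.
    """
    flagged = []
    for f in findings:
        if f.vendor_v3 is None and f.vendor_v2 is not None and f.nvd_v3 is not None:
            if SEVERITY_RANK[severity_v2(f.vendor_v2)] < SEVERITY_RANK[severity_v3(f.nvd_v3)]:
                flagged.append(f.id)
    return flagged


# Constructed sample input; the ids, packages and scores are made up for this example.
SAMPLE = [
    # The article's backport case: upstream says critical, the vendor has already
    # patched its 1.0 package and rates the finding negligible in both v2 and v3.
    Finding("finding-1", "bash", nvd_v2=10.0, nvd_v3=9.8, vendor_v2=0.0, vendor_v3=0.0),
    # Vendor published only a v2 score, so a v3 preference falls back to vanilla NVD v3.
    Finding("finding-2", "openssl", nvd_v2=5.0, nvd_v3=7.5, vendor_v2=4.3),
    # Older CVE with v2 data only, from any source.
    Finding("finding-3", "zlib", nvd_v2=6.8),
]


if __name__ == "__main__":
    for f in SAMPLE:
        print(f.id, f.package,
              "v3-first:", effective_score(f),
              "v2-first:", effective_score(f, prefer_v3=False))
    print("no vendor v3 score:", missing_vendor_v3(SAMPLE))
    print("possibly over-rated by v3 fallback:", overrated_by_fallback(SAMPLE))
```

Run against the sample, finding-2 is the interesting one: with v3 preferred it rates "high" from vanilla NVD data, with v2 preferred it rates "medium" from the vendor's score, and `overrated_by_fallback` flags it for a second look. That list is what is worth reviewing by hand when an image's OS vendor has not yet published v3 scores.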

To recap: vendor information provides important addenda and modifications to standard CVSS scoring. CVSSv3 is the newer and preferred scoring system, but it may lack vendor scores if the OS vendor has not yet created them. In general, we advise using CVSSv3, and most vendors do have v3 scores; not all of them do, though, so it is worth bearing in mind, and worth checking which findings on your images are falling back to vanilla data.