TABLE OF CONTENTS

Overview

Aqua assigns a severity (negligible, low, medium, high, or critical) and a numeric score (from 0.0 through 10.0) to each vulnerability found during image scanning. You can use Vulnerability Severity and/or Vulnerability Score controls in the Image Assurance Policies as criteria for evaluating image compliance. 


This topic describes the algorithms that Aqua uses to assign severity and score to vulnerabilities. They take into account, vulnerability ratings from both the OS vendor of the image and NVD, depends on the availability. 


NVD and vendor-assigned ratings

NVD assigns each vulnerability a CVSS v2.0 base score and/or a CVSS v3.0 base score. NVD ratings are based on the potential security exposures of the vulnerability in a wide variety of situations.


Vendor-supplied ratings, when available for a specific container image, are based on actual vendor analysis of the impact of the vulnerability on that image. As such, vendor-supplied ratings are generally more reliable and objective. Using vendor supplied ratings reduces the number of false alarms and false positives that you need to mitigate. Aqua uses the vendor supplied ratings (when available) instead of NVD ratings while assigning the severity and score of a vulnerability.


Let us take vulnerability CVE-2021-20271 as an example on a specific container image. Vulnerability severity and score are calculated by Aqua as explained below:

  • There is an OS vendor Red Hat which rates this vulnerability as having Moderate security impact, and assigns it a CVSS v3 base score of 6.7. Aqua uses the vendor supplied ratings to assign the vulnerability severity (medium, based on the vendor-specific term "moderate") and score (6.7).
  • The CVSS vulnerability rating on this, which includes a severity of "high" and a CVSS v3 base score of 7.0, are not used. It is noted that CVSS vulnerability rating is more severe than the vendor supplied rating.


Assigning the vulnerability severity

The following flowchart shows how Aqua sets severity for each vulnerability. Green shading indicates the use of vendor supplied ratings (when available) to set severity, which are preferred over NVD information. Explanations of each step follow the flowchart.



Step A1: Is there an OS vendor for the image?

This step is applicable if the container image has a OS vendor. If the OS vendor is listed in the first column of the following table, Aqua looks for a vendor issued severity for the vulnerability.


OS vendorBasis for the severity
Red HatRed Hat severity Ratings
DebianDebian Severity levels
UbuntuUbuntu priority
Arch LinuxArch Severity
SUSE Linux EnterpriseSUSE Severity
WindowsWindows Security Update Severity Rating System
CentOsIt uses Red Hat severity Ratings



Limitations: Aqua issues severity and score from NVD, if the:

- OS vendor of the image is not listed in the table. For example, Alpine
- Vulnerability in question was not found in an OS. For example, it was found in a programming language


Step A2: Has the vendor assigned a severity to the vulnerability?

Aqua looks for a vendor assigned severity for the vulnerability, by the OS vendor. The information examined is vendor-dependent, and is listed in the second column of the table above.


If there is a vendor assigned severity, proceed to Step A3, otherwise, refer to Step A4 to assign a severity using vendor assigned CVSS v3/v2 score.


Step A3: Map the vendor severity

Aqua looks for the vendor assigned severity for one of the values mentioned in the first column of the following table, and sets the severity mentioned in the second column, in Aqua. For example: If the vendor assigned severity is important, Aqua sets the vulnerability severity to high.


After the severity is assigned, refer to the Assigning the vulnerability score section below.


Corresponding vendor assigned severity descriptionsAssigned severity
ignored, negligible, no-dsa, not vulnerable, pending, postponed, undetermined, unimportant, unknownnegligible
lowlow
medium, moderatemedium
high, importanthigh
criticalcritical


Step A4: Has the vendor assigned a CVSS v3/v2 score to the vulnerability?

Aqua looks for a vendor assigned CVSS score (in v3 format and/or v2 format) from the OS vendor, to use it for assigning severity. If there is a vendor assigned CVSS score available, proceed to step A5, otherwise, refer to step A6.


Step A5: Use the vendor CVSS v3/v2 score to assign severity

In this step, Aqua uses the vendor assigned CVSS v3/v2 score to assign severity from the NVD website.


If there is only one vendor assigned CVSS score (either v3 or v2), the severity is set according to the "CVSS v3.0 Ratings" mapping table shown under "NVD Vulnerability Severity Ratings" on the NVD website. For example, If the vendor assigned score is 9.1, the severity is set to Critical.


If there are two vendor assigned scores (CVSS v3 and CVSS v2), the score used for mapping depends on the configuration of Aqua scan option Use CVSS v3 vulnerability scoring (when available). If this option is selected, the vendor v3 score is used. Otherwise, the vendor assigned v2 score is used. The severity is set according to the "CVSS v3.0 Ratings" mapping table, as described above.


Any changes made to the scan option Use CVSS v3 vulnerability scoring (when available) will take effect only after the relevant image is re-scanned.


Step A6: Use the NVD CVSS v3/v2 score to assign severity

If there is no OS vendor for the image, or the OS vendor does not provide either a severity or score, the NVD CVSS base score is used to assign the severity as described in step A5.


Assigning the vulnerability score

The following flowchart shows how Aqua sets score for each vulnerability. Green shading indicates the use of vendor assigned score (when available), which is preferred over the NVD score. Explanations of each step follow the flowchart.



Step B1: Is there an OS vendor for the image?

This step is applicable if the container image has a OS vendor. If the OS vendor is listed in the table mentioned in the Step A1, Aqua looks for a vendor issued score for the vulnerability.


Step B2: Has the vendor assigned a CVSS v3/v2 score to the vulnerability?

Aqua looks for a vendor assigned CVSS base score (in v3 format and/or v2 format) for the vulnerability, by the OS vendor. If there is a vendor assigned score, proceed to Step B3, otherwise, refer to Step B4.


Step B3: Map score from the vendor assigned CVSS v3/v2 score

  • If there is only one vendor assigned CVSS score (either CVSS v3 or CVSS v2 ), this score is set to the vulnerability
  • If there are two vendor assigned scores (both CVSS v3 and CVSS v2), the score used depends on the Aqua's scan option Use CVSS v3 vulnerability scoring (when available) selected from the Settings > Scanning page. If this option is selected, CVSS v3 score is set to the vulnerability. Otherwise, CVSS v2 score is set.

Step B4: Set score from the NVD CVSS v3/v2 score

Setting score from NVD is same same as that of Step B3. Only difference is that the NVD provided CVSS score(s) are used in place of the vendor-provided CVSS score(s) in this step.


Example: CVE-2020-7595

This example shows how Aqua assigns the severity and score that are appropriate for the image of the affected container image, in which vulnerability CVE-2020-7595 was found during scanning. 



Debian based image

The first case is that of a container image whose base image is the Debian OS. In the Vulnerability detail view, the UI shows that severity (negligible) is based on a Debian security advisory. You can view the specific advisory in the UI by clicking the text string Vendor No DSA.



The OS vendor, Debian, has assigned a severity of No DSA, which was mapped to the vulnerability severity of negligible. Refer to step A3. As the security advisory did not assign a CVSS score, the vulnerability score was set to the CVSS v3 score (7.5). For more information, refer to step A6.


Red Hat based image

In this case, CVE-2020-7595 was found in a container image whose base image is the Red Hat OS. In the Vulnerability detail view, the UI shows that severity (Medium) is based on the Red Hat issued rating. You can view the Red Hat issued rating in the UI by clicking the text string Vendor Moderate.



The vendor-assigned severity Moderate has been mapped to the vulnerability severity Medium in Aqua. The vulnerability score has been set to the vendor-assigned CVSS v3 score of 7.5.


Other OS based images

In this case, Let us look at, CVE-2020-7595 which was found in a container image whose base image is not listed in the table given in step A1. In the vulnerability detail view, the following information appears:



You can view the NVD issued security rating by clicking the text string NVD CVSSv3 7.5. Aqua sets the vulnerability score to the CVSS v3 score of 7.5 and also uses it as the basis to map vulnerability severity as High. For more information, refer to Step A6.