Built-in Formulas
Use built-in formulas as a starting point to create or customize your own formulas.
Note: User role: Product Administrator
Risk rating
The risk rating is based on a combination of highest detected issue severity and business impact. Higher numbers indicate increased risk. Focus your security testing efforts on those applications first.
IF(businessimpact = 0, 0,
IF(testingstatus > 0, 0, businessimpact * rr_maxseverity))
The default risk rating calculation produces a value from 0 to 25. The values map to the description text in the summary charts as follows:
Value | Description |
---|---|
0 | Unknown |
1-8 | Low |
9-14 | Medium |
15-19 | High |
20-25 | Critical |
Note:
- If an application is not fully tested, or if the business impact is "unspecified", the risk rating is 0 (Unknown).
- If the testing status is marked "Completed", and there are no medium or high issues, business impact is not considered in the calculation. In this context, "Completed" does not mean that all vulnerabilities have been discovered, but rather that the vulnerabilities you care about have been resolved and the remaining issues do not pose any risk to the application.
- If you modify the risk rating formula, the Security Risk Rating trend chart changes as of the month when you change the formula.
Name | Formula |
---|---|
RR_MaxSeverity | IF(criticalissues > 0, 5, IF(highissues > 0, 4, IF(mediumissues > 0, 3, IF(lowissues > 0, 2, 1)))) |
Max Severity | IF(MAX(severity, status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect) > 0, MAX(severity, status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect), -1) |
New issues | COUNT(status=new,classification=definitive,classification=suspect) |
Critical issues | COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=critical) |
High issues | COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=high) |
Medium issues | COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=medium) |
Low issues | COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=low) |
Open issues | COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low) |
Fixed issues | COUNT(status=fixed,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low) |
Total issues | COUNT(status=new,status=open,status=reopened,status=inprogress,status=fixed,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low) |
Work in progress | COUNT(status=inprogress,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low) |
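The following Python is an added worked example, not code from the product, showing how the count built-ins above feed RR_MaxSeverity and the default risk rating formula. It assumes the filter semantics of COUNT as read from the table (values listed for the same field are alternatives, every field that appears must match), that business impact is 0 when unspecified and 1 to 5 otherwise, and that a testing status of 0 means Completed while any positive value means not fully tested; the issue list is constructed sample data.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    status: str          # new, open, reopened, inprogress, fixed, noise, passed
    classification: str  # definitive, suspect, scancoveragefindings
    severity: str        # critical, high, medium, low, information


def parse_filter(spec: str) -> dict[str, set[str]]:
    """Turn 'status=new,status=open,severity=high' into
    {'status': {'new', 'open'}, 'severity': {'high'}}."""
    groups: dict[str, set[str]] = defaultdict(set)
    for term in spec.split(","):
        field, _, value = term.strip().partition("=")
        groups[field].add(value)
    return dict(groups)


def count(issues: list[Issue], spec: str) -> int:
    """COUNT(...) with the filter semantics assumed here: values given for the
    same field are alternatives (OR); every field that appears must match (AND)."""
    groups = parse_filter(spec)
    return sum(
        1 for issue in issues
        if all(getattr(issue, field) in values for field, values in groups.items())
    )


# Filter shared by the Critical/High/Medium/Low/Open issues built-ins.
OPEN_FILTER = ("status=new,status=open,status=reopened,status=inprogress,"
               "classification=definitive,classification=suspect")


def rr_max_severity(issues: list[Issue]) -> int:
    """RR_MaxSeverity: 5 if any open critical issue, 4 for high, 3 medium, 2 low, else 1."""
    for level, score in (("critical", 5), ("high", 4), ("medium", 3), ("low", 2)):
        if count(issues, f"{OPEN_FILTER},severity={level}") > 0:
            return score
    return 1


def risk_rating(business_impact: int, testing_status: int, issues: list[Issue]) -> int:
    """Default risk rating. Assumed encodings: business impact 0 = unspecified,
    1..5 otherwise; testing status 0 = Completed, > 0 = not fully tested."""
    if business_impact == 0:
        return 0
    if testing_status > 0:
        return 0
    return business_impact * rr_max_severity(issues)


def rating_label(value: int) -> str:
    """Map the 0..25 rating onto the summary-chart description text."""
    if value == 0:
        return "Unknown"
    if value <= 8:
        return "Low"
    if value <= 14:
        return "Medium"
    if value <= 19:
        return "High"
    return "Critical"


# Constructed sample data, not an export from the product.
SAMPLE_ISSUES = [
    Issue("fixed", "definitive", "critical"),           # fixed: not an open issue
    Issue("open", "definitive", "high"),                # open high drives RR_MaxSeverity
    Issue("new", "suspect", "medium"),
    Issue("inprogress", "definitive", "low"),
    Issue("open", "scancoveragefindings", "critical"),  # excluded by classification
    Issue("noise", "definitive", "high"),               # excluded by status
]

if __name__ == "__main__":
    for name, spec in {
        "Critical issues": f"{OPEN_FILTER},severity=critical",
        "High issues": f"{OPEN_FILTER},severity=high",
        "Open issues": f"{OPEN_FILTER},severity=critical,severity=high,severity=medium,severity=low",
        "Fixed issues": "status=fixed,classification=definitive,classification=suspect,"
                        "severity=critical,severity=high,severity=medium,severity=low",
    }.items():
        print(f"{name}: {count(SAMPLE_ISSUES, spec)}")
    for impact, status in ((4, 0), (4, 1), (0, 0)):
        value = risk_rating(impact, status, SAMPLE_ISSUES)
        print(f"business impact {impact}, testing status {status}: {value} ({rating_label(value)})")
```

With the sample data the fixed critical issue and the scan coverage critical issue are both ignored, so the highest open severity is High (RR_MaxSeverity 4); a business impact of 4 gives a rating of 16 (High), while an incomplete testing status or an unspecified business impact forces the rating to 0 (Unknown) regardless of the issues.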
Name | Formula |
---|---|
Severity | IF(ISNULL(severityvalue, -1) = -1, cvss, severityvalue) |
Overdue | IF(classification=scancoveragefindings, 0, IF(status=noise, 0, IF(status=passed, 0, IF(status=fixed, 0, AGE() - IF(severity > 8.9, 3, IF(severity > 6.9, 5, IF(severity > 3.9, 7, IF(severity > 0, 14, 100)))))))) |
Note: Here's how the Overdue formula breaks down. If the issue is classified as a scan coverage finding, or its status is noise, passed, or fixed, the issue is not overdue (the result is 0). Otherwise, the result is "issue AGE - severity mapping", where the severity mapping is the number of days allowed for remediation at that severity: a positive result is the number of days the issue is overdue, and a negative result is the number of days remaining before it becomes overdue.
Severity range | Rating | Days allowed before overdue |
---|---|---|
Greater than 8.9 (9.0 to 10.0) | Critical | 3 |
Greater than 6.9 (7.0 to 8.9) | High | 5 |
Greater than 3.9 (4.0 to 6.9) | Medium | 7 |
Greater than 0 (0.1 to 3.9) | Low | 14 |
0 | Information | 100 |
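The following Python is an added worked example, not code from the product, that carries the Severity and Overdue formulas above through a few constructed issues, including the edge case where a manual severity value of 0.0 is set (ISNULL only substitutes a NULL value, so an explicit 0.0 overrides the CVSS score and lands in the 100-day band). It assumes AGE() is the whole number of days since the issue was first found, and the issue names, dates and scores are constructed sample data.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Issue:
    name: str
    status: str          # new, open, reopened, inprogress, fixed, noise, passed
    classification: str  # definitive, suspect, scancoveragefindings
    found: date          # first-seen date; AGE() is assumed to be days since this date
    cvss: float
    severity_value: float | None = None  # manual severity override; None stands for NULL


def severity(issue: Issue) -> float:
    """Severity = IF(ISNULL(severityvalue, -1) = -1, cvss, severityvalue).
    Only a NULL override falls back to CVSS; an explicit 0.0 is kept."""
    return issue.cvss if issue.severity_value is None else issue.severity_value


def days_allowed(sev: float) -> int:
    """Severity mapping from the Overdue formula: days allowed before an issue is overdue."""
    if sev > 8.9:
        return 3
    if sev > 6.9:
        return 5
    if sev > 3.9:
        return 7
    if sev > 0:
        return 14
    return 100


def overdue(issue: Issue, today: date) -> int:
    """Overdue as defined on the page: 0 for scan coverage findings and for noise,
    passed or fixed issues; otherwise AGE() minus the days allowed.
    Positive = days past the window, negative = days left in it."""
    if issue.classification == "scancoveragefindings":
        return 0
    if issue.status in ("noise", "passed", "fixed"):
        return 0
    age = (today - issue.found).days
    return age - days_allowed(severity(issue))


def overdue_report(issues: list[Issue], today: date) -> dict[str, int]:
    """Overdue value per issue name, for a whole application's issue list."""
    return {issue.name: overdue(issue, today) for issue in issues}


# Constructed sample data; the dates are fixed so the output is reproducible offline.
TODAY = date(2024, 6, 30)
SAMPLE_ISSUES = [
    Issue("sqli-login", "open", "definitive", date(2024, 6, 20), cvss=9.8),      # 10 days old, 3 allowed
    Issue("xss-search", "new", "suspect", date(2024, 6, 25), cvss=7.5, severity_value=4.0),  # overridden down to medium
    Issue("verbose-headers", "open", "definitive", date(2024, 5, 31), cvss=0.0),  # informational, 100 allowed
    Issue("old-csrf", "fixed", "definitive", date(2024, 1, 1), cvss=6.5),         # fixed: never overdue
    Issue("coverage-gap", "open", "scancoveragefindings", date(2024, 1, 1), cvss=9.0),  # excluded by classification
    Issue("manual-zero", "open", "definitive", date(2024, 3, 12), cvss=9.1, severity_value=0.0),  # explicit 0.0, not NULL
]

if __name__ == "__main__":
    for name, days in overdue_report(SAMPLE_ISSUES, TODAY).items():
        state = "overdue" if days > 0 else "within window"
        print(f"{name:16} {days:5d}  {state}")
```

The manual-zero issue is the case to watch: with the CVSS 9.1 score it would be 107 days overdue, but because the severity value was explicitly set to 0.0 rather than left NULL, the Severity formula keeps the 0.0 and the issue is only 10 days past its 100-day window.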