CVSS settings

You can manually fine-tune the severity setting for a specific issue based on CVSS (Common Vulnerability Scoring System) metrics. This is done from the Issue Information toolbar, by clicking Severity > CVSS Settings.

AppScan uses the CVSSv2 standard.


[Figure: CVSS metrics for an issue]
To adjust the metrics:
  • From the CVSS window, click the name of one of the three sections to open that section for configuration.
  • You can restore the default settings by clicking the Restore icon, which becomes active when changes are made.

[Figure: edited CVSS metrics for an issue]

Base metrics

These are metrics of the vulnerability that are constant over time and across user environments.

Access Vector
  Whether the vulnerability can be exploited only locally, from adjacent networks as well, or from any network connection ("remotely exploitable").
  Options: Local, Adjacent Network, Network

Access Complexity
  The difficulty involved in exploiting this vulnerability.
  Options: High, Medium, Low

Authentication
  The number of times an attacker must authenticate to exploit the vulnerability.
  Options: None, Single, Multiple

Confidentiality Impact
  The impact on confidentiality if this vulnerability is successfully exploited.
  Options: None, Partial, Complete

Integrity Impact
  The extent to which system integrity (the accuracy of information supplied by the application) is compromised if this vulnerability is successfully exploited.
  Options: None, Partial, Complete

Availability Impact
  The impact on the availability of information resources if this vulnerability is successfully exploited.
  Options: None, Partial, Complete

Temporal metrics

These are metrics of the vulnerability that may change over time.

Exploitability
  The current state of exploit techniques utilizing this vulnerability.
  Options: Unproven, Proof-of-Concept, Functional, High, Not Defined

Remediation Level
  The level of remediation available to protect against the vulnerability.
  Options: Official Fix, Temporary Fix, Workaround, Unavailable, Not Defined

Report Confidence
  The degree of confidence in the existence and technical details of the vulnerability.
  Options: Unconfirmed, Uncorroborated, Confirmed, Not Defined

Environmental metrics

These metrics reflect the application environment, and should be set globally using the Configuration dialog box > Environmental Metrics tab. Change them here only if this vulnerability is specific to a part of the application environment that has different characteristics.

Collateral Damage Potential
  The potential for damage or theft if the application is vulnerable.
  Options: None, Low, Low-Medium, Medium, Medium-High, High, Not Defined

Target Distribution
  The proportion of systems in the environment that are potential targets.
  Options: None, Low, Medium, High, Not Defined

Availability Requirement
  The relative importance of availability (of information).
  Options: None, Low, Medium, High, Not Defined

Confidentiality Requirement
  The relative importance of confidentiality (of user information).
  Options: None, Low, Medium, High, Not Defined

Integrity Requirement
  The relative importance of integrity (accuracy) of information.
  Options: None, Low, Medium, High, Not Defined