How issue severity is determined

AppScan® Enterprise determines issue severity by using a Severity formula or by using a 'Severity Value' issue attribute.

The Severity formula cannot be modified. However, you can change the predetermined value of the Severity Value attribute, and because it is used in the Severity formula, you can change the severity of an issue that way.

You can also modify the range values associated with the Severity formula. These ranges define the text display for numeric severity ranges. The text that is used as a range name, such as Information or Critical, is typically easier to understand when applied as a Severity grouping in the Application view than the numeric value that represents the Severity formula result.
Tip: If you change the numerical ranges of the Severity formula in the Issue Profile Template, amend the numeric values of the Severity Value attribute in the same template so that these values are in sync.

One of the predetermined values for the Severity Value attribute is Use CVSS. When this value is used, the Severity formula uses the CVSS score to determine issue severity. If you use any other value for the Severity Value attribute, such as the Issue Type, that value is used as the issue severity instead of the CVSS score calculation.

Critical Issue Severity

Sometimes you need to communicate an issue's criticality to development and management so that this particular issue gets prompt attention and is likely fixed first. To differentiate this issue from other issues, set its Severity Value to Critical. Critical is a special severity value: its numeric value falls beyond the default severity ranges, and it can be set only on an issue-by-issue basis during triage.

How CVSS and Severity are set for issues found by content scan jobs

The CVSS score for issues that are found by content scan jobs is automatically calculated because all of the required information is determined based on the type of the vulnerability that the issue represents.

When you change the issue's severity through the reports in AppScan® Enterprise, the Severity Value attribute of the issue is set to the same value. This process also applies when issues are upgraded from prior versions of AppScan® Enterprise.

How CVSS and Severity are set for issues imported into AppScan® Enterprise

Table 1. How CVSS and Severity are set for issues imported into AppScan® Enterprise

Imported issues

| Issue origination | How issue severity is determined |
|---|---|
| Import from all versions of AppScan® Source | The information that contributes to the CVSS score calculation is not available in the import files. AppScan Enterprise sets the issue severity based on the Severity that is specified for the vulnerability's Issue Type. CVSS information is calculated based on the Vulnerability Type. |
| Import from AppScan® Standard version 9.0 and earlier | The information that contributes to the CVSS score calculation is not available in the import files for issues that originate in older product versions. AppScan® Enterprise sets the issue severity based on the Severity that is specified for the vulnerability's Issue Type. |
| Import from AppScan® Standard version 9.0.1 and later | The information that contributes to the CVSS score calculation is brought into AppScan® Enterprise during import, and the Severity Value is derived from the resulting CVSS score. |
| Import issues from CSV file | The Scanner profile allows for mapping between the attribute columns in the CSV file and the issue attributes used by AppScan Enterprise. The CVSS score calculation and the resulting Severity depend on the information that is available in the CSV file and how it is mapped to the attributes that represent the CVSS metrics. If the required CVSS attributes are available, AppScan Enterprise can use the CVSS formula to calculate the severity. If the CVSS score calculation is not available, AppScan Enterprise sets the issue severity based on the Severity value. If that is not available, it uses the default severity that is set on the vulnerability's Issue Type. |
| Import issues from AppScan Standard v9.0.3 Report XML file | Report data from AppScan Standard v9.0.3 that is saved as an XML file can be imported into the Monitor view in AppScan Enterprise. The information that contributes to the CVSS score calculation is not available in the import file. AppScan Enterprise sets the issue severity value based on the Severity that is specified in the import file. CVSS information is calculated based on the Vulnerability Type. |
| Import issues from XML scanners | AppScan Enterprise sets the issue severity based on the Severity value from the XML file. |
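As an added example (not AppScan code), the fallback chain the CSV-import row above describes, written in Python: compute a CVSS v3.1 base score when the mapped metric columns are present, otherwise use the Severity column, otherwise the Issue Type default. The CVSS arithmetic follows the public FIRST v3.1 specification; the numeric severity ranges, issue-type defaults, CSV columns and scanner-profile mapping are constructed assumptions, since the page does not give AppScan's actual values.

```python
import csv, io, math

# CVSS v3.1 base-metric weights (FIRST specification, table 8.4); PR depends on Scope.
_W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44},
      "UI": {"N": .85, "R": .62}, "CIA": {"H": .56, "L": .22, "N": 0.0}}
_PR = {"U": {"N": .85, "L": .62, "H": .27}, "C": {"N": .85, "L": .68, "H": .5}}
METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")

def _roundup(x):  # CVSS v3.1 Roundup (spec appendix A), avoids float drift
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def cvss31_base(m):
    """Base score from a dict of the eight base metrics, e.g. {'AV': 'N', ..., 'A': 'H'}."""
    iss = 1 - (1 - _W["CIA"][m["C"]]) * (1 - _W["CIA"][m["I"]]) * (1 - _W["CIA"][m["A"]])
    impact = 6.42 * iss if m["S"] == "U" else 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    expl = 8.22 * _W["AV"][m["AV"]] * _W["AC"][m["AC"]] * _PR[m["S"]][m["PR"]] * _W["UI"][m["UI"]]
    if impact <= 0:
        return 0.0
    return _roundup(min(impact + expl if m["S"] == "U" else 1.08 * (impact + expl), 10))

# Constructed placeholders: score range -> text label, and per-Issue-Type default severity.
RANGES = [(0.0, "Information"), (0.1, "Low"), (4.0, "Medium"), (7.0, "High")]
ISSUE_TYPE_DEFAULT = {"SQL Injection": "High", "Directory Listing": "Low"}

def severity_label(score):
    return next(name for lo, name in reversed(RANGES) if score >= lo)

def resolve_severity(row, mapping):
    """row: one CSV record; mapping: CSV column -> issue attribute (the scanner-profile mapping)."""
    attrs = {mapping[k]: v for k, v in row.items() if k in mapping and v}  # drop empty cells
    if all(x in attrs for x in METRICS):            # 1. full set of CVSS metrics mapped
        score = cvss31_base(attrs)
        return severity_label(score), score
    if "Severity" in attrs:                         # 2. plain Severity column
        return attrs["Severity"], None
    return ISSUE_TYPE_DEFAULT.get(attrs.get("Issue Type"), "Information"), None  # 3. type default

SAMPLE_CSV = """Name,Sev,AV,AC,PR,UI,S,C,I,A
SQL Injection,,N,L,N,N,U,H,H,H
Cross-Site Scripting,Medium,,,,,,,,
Directory Listing,,,,,,,,,
"""  # constructed sample export: one row per fallback branch
MAPPING = {"Name": "Issue Type", "Sev": "Severity", **{m: m for m in METRICS}}

def resolve_all(text=SAMPLE_CSV):
    return [(r["Name"], *resolve_severity(r, MAPPING)) for r in csv.DictReader(io.StringIO(text))]
```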

How to keep manually set CVSS and Severity imported from AppScan® Source and AppScan® Standard

If you managed issues in AppScan® Source or AppScan Standard, and you want to keep these settings when you import these issues into AppScan® Enterprise, you can ask your Administrator to select the Use settings from imported file check box on the Administration > General Settings > Enterprise Console Settings page. When this setting is enabled, the processing rules that are described in the following table apply.

Table 2. How to keep manually set CVSS and Severity imported from AppScan® Source and AppScan® Standard

| Issue origination | How issue severity is determined |
|---|---|
| Import from all versions of AppScan® Source | The information that contributes to the CVSS score calculation is not available in the import file for the issues. Issue severity and Severity Value attributes are set to the Severity specified in the import file. |
| Import from AppScan® Standard version 9.0 and earlier | The information that contributes to the CVSS score calculation is not available in the import file for the issues. Issue severity and Severity Value attributes are set to the Severity specified in the import file. |
| Import from AppScan® Standard version 9.0.1 and later | The information that contributes to the CVSS score calculation and the manually set Severity are available in the import file, and both are set in AppScan® Enterprise as specified in that file. |