CVSS scores
The CVSS score reflects the overall security impact of a vulnerability, and is a composite score that reflects the metrics in three distinct categories: Base, Temporal, and Environmental.
The score is calculated based on the information (for example, values) that is available for one or more of these metrics. The more information that is available in each metric, the more focused the CVSS score becomes. In AppScan Enterprise, the values for each metric are mapped to the attributes of an issue (security vulnerability) or the application where the issue was found. These attributes cannot be deleted or modified in AppScan Enterprise, although you can modify their values.
| Metrics group | Metrics name | Issue or Application attribute | Definition required to calculate the CVSS score |
|---|---|---|---|
| Base | Attack Vector | Issue | Yes |
| Attack Complexity | Issue | Yes | |
| Privileges Required | Issue | Yes | |
| User Interaction | Issue | Yes | |
| Scope | Issue | Yes | |
| Confidentiality Impact | Issue | Yes | |
| Integrity Impact | Issue | Yes | |
| Availability Impact | Issue | Yes | |
| Temporal | Exploit Code Maturity | Issue | No* |
| Remediation Level | Issue | No* | |
| Report Confidence | Issue | No* | |
| Environmental These metrics also contribute to the overall severity rating of the application. |
Modified Base Metrics | Application | No* |
| Availability Requirement | Application | No* | |
| Confidentiality Requirement | Application | No* | |
| Integrity Requirement | Application | No* |
- * While it is not a requirement that these attributes be defined, the CVSS score is more focused when more metrics are defined to describe the issue.
- Any optional attribute that is not defined is not included in the CVSS score calculation.
- The CVSS score cannot be calculated if any required attribute is not defined. In this case, the issue severity is categorized as Undetermined.
-
For more information on the details of the CVSS metrics, refer the following links: