Built-in Formulas

Use built-in formulas as a starting point to create or customize your own formulas.

Note: User role: Product Administrator

Risk rating

The risk rating is based on a combination of highest detected issue severity and business impact. Higher numbers indicate increased risk. Focus your security testing efforts on those applications first.

IF(businessimpact = 0, 0, IF(testingstatus > 0, 0, businessimpact * rr_maxseverity))

The default risk rating calculation produces a value from 0 to 25. The values map to the description text in the summary charts as follows:

Value Description
0 Unknown
1-8 Low
9-14 Medium
15-19 High
20-25 Critical
Note:
  1. If an application is not fully tested, or if the business impact is "unspecified", the risk rating is 0 (Unknown).
  2. If the testing status is marked "Completed", and there are no medium or high issues, business impact is not considered in the calculation. In this context, "Completed" does not mean that all vulnerabilities have been discovered, but rather that the vulnerabilities you care about have been resolved and the remaining issues do not pose any risk to the application.
  3. If you modify the risk rating formula, the Security Risk Rating trend chart changes as of the month when you change the formula.
Table 1. Application attribute formulas
Name Formula
RR_MaxSeverity IF(criticalissues > 0, 5, IF(highissues > 0, 4, IF(mediumissues > 0, 3, IF(lowissues > 0, 2, 1))))
Max Severity IF(MAX(severity, status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect) > 0, MAX(severity, status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect), -1)
New issues COUNT(status=new,classification=definitive,classification=suspect)
Critical issues COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=critical)
High issues COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=high)
Medium issues COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=medium)
Low issues COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=low)
Open issues COUNT(status=new,status=open,status=reopened,status=inprogress,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low)
Fixed issues COUNT(status=fixed,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low)
Total issues COUNT(status=new,status=open,status=reopened,status=inprogress,status=fixed,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low)
Work in progress COUNT(status=inprogress,classification=definitive,classification=suspect,severity=critical,severity=high,severity=medium,severity=low)
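The following Python script is an added example, not code from AppScan or its documentation: it re-implements the default risk rating formula and the RR_MaxSeverity and COUNT attribute formulas from Table 1 over a small constructed set of issues, so you can see which issues are counted and how the 0-25 value and its band come out. Two assumptions are not stated on the page and are labelled in the code: business impact is an integer from 0 to 5 (the only way businessimpact * rr_maxseverity spans 0-25), and testingstatus is 0 when testing is complete and positive otherwise (what IF(testingstatus > 0, 0, ...) together with note 1 implies).

```python
# Added example, not AppScan's own evaluator: the default risk rating formula and the
# Table 1 attribute formulas in Python. Assumptions (not on the page): business impact is
# an integer 0-5, and testingstatus is 0 when testing is complete, positive otherwise.
from dataclasses import dataclass

# Every Table 1 COUNT formula restricts status, classification and severity to these values.
OPEN_STATUSES = frozenset({"new", "open", "reopened", "inprogress"})
COUNTED_CLASSIFICATIONS = frozenset({"definitive", "suspect"})
COUNTED_SEVERITIES = frozenset({"critical", "high", "medium", "low"})


@dataclass(frozen=True)
class Issue:
    status: str          # new, open, reopened, inprogress, fixed, noise, passed
    classification: str  # definitive, suspect, scancoveragefindings
    severity: str        # critical, high, medium, low, information


def count_issues(issues, statuses, severities=COUNTED_SEVERITIES):
    """COUNT(...): the values listed for one attribute are OR-ed together, and different
    attributes are AND-ed. Classification is always definitive or suspect, as in Table 1."""
    return sum(
        1 for i in issues
        if i.status in statuses
        and i.classification in COUNTED_CLASSIFICATIONS
        and i.severity in severities
    )


def rr_max_severity(issues):
    """RR_MaxSeverity: 5/4/3/2 for the highest open severity, 1 when nothing is open."""
    for sev, rank in (("critical", 5), ("high", 4), ("medium", 3), ("low", 2)):
        if count_issues(issues, OPEN_STATUSES, {sev}) > 0:
            return rank
    return 1


def risk_rating(business_impact, testing_status, issues):
    """IF(businessimpact = 0, 0, IF(testingstatus > 0, 0, businessimpact * rr_maxseverity))"""
    if business_impact == 0:   # business impact "unspecified"
        return 0
    if testing_status > 0:     # application not fully tested (assumed encoding)
        return 0
    return business_impact * rr_max_severity(issues)


def risk_band(rating):
    """Map the 0-25 rating to the description text used in the summary charts."""
    if rating == 0:
        return "Unknown"
    if rating <= 8:
        return "Low"
    if rating <= 14:
        return "Medium"
    if rating <= 19:
        return "High"
    return "Critical"


# Constructed sample data: an open high, a fixed critical, an open suspect medium, and an
# open critical that is only a scan coverage finding (never counted by these formulas).
SAMPLE_ISSUES = [
    Issue("open", "definitive", "high"),
    Issue("fixed", "definitive", "critical"),
    Issue("new", "suspect", "medium"),
    Issue("open", "scancoveragefindings", "critical"),
]


def summarize(business_impact, testing_status, issues):
    """The Table 1 counters plus the resulting rating and band, as a dict."""
    rating = risk_rating(business_impact, testing_status, issues)
    return {
        "open_issues": count_issues(issues, OPEN_STATUSES),
        "fixed_issues": count_issues(issues, {"fixed"}),
        "total_issues": count_issues(issues, OPEN_STATUSES | {"fixed"}),
        "rr_maxseverity": rr_max_severity(issues),
        "risk_rating": rating,
        "band": risk_band(rating),
    }


if __name__ == "__main__":
    print(summarize(business_impact=5, testing_status=0, issues=SAMPLE_ISSUES))
```

With the sample data the highest open severity is High (the fixed critical and the scan coverage finding are excluded), so RR_MaxSeverity is 4; a business impact of 5 gives a rating of 20 (Critical), while a business impact of 2 gives 8 (Low) for the same issues, and either an unspecified business impact or an incomplete testing status short-circuits the result to 0 (Unknown).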
Table 2. Issue attribute formulas
Name Formula
Severity IF(ISNULL(severityvalue, -1) = -1, cvss, severityvalue)
Overdue IF(classification=scancoveragefindings,0,IF(status=noise,0,IF(status=passed,0,IF(status=fixed,0,AGE()-IF(severity>10, 3, IF(severity>7.4, 5, IF(severity>5, 7, IF(severity>1.9, 14, 100))))))))
Note:
  1. v9.0.3.1 iFix2: In previous versions, the Overdue formula did not handle scan coverage findings, so they could be reported as overdue and the numbers displayed in the Applications tab and the Portfolio tab did not match. As of v9.0.3.1 iFix2, you must edit the Overdue formula so that scan coverage findings evaluate to 0: add IF(classification=scancoveragefindings,0, at the beginning of the formula, and add a closing parenthesis at the very end.
  2. AGE cannot be edited. It is the number of days since the issue was created.
  3. If you edit the ranges of the Severity formula, you must also edit the Overdue formula, or the two will be out of sync.
Here's how the Overdue formula breaks down: if the issue is a scan coverage finding, or its status is noise, passed, or fixed, the issue is not overdue (the formula returns 0). Otherwise, the result is "issue AGE - days allowed for its severity", so a positive value is the number of days by which the issue is overdue, and zero or a negative value means it is still within its window.
Table 3. Mapping severity to the number of days allowed before an issue is overdue
Severity range Label Days allowed
Greater than 10 Critical 3
Greater than 7.4 High 5
Greater than 5 Medium 7
Greater than 1.9 Low 14
1.9 or less Information 100
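The following Python script is an added example, not code from AppScan or its documentation: it re-implements the Severity and Overdue issue formulas from Table 2 over constructed issues, including the scan coverage guard that v9.0.3.1 iFix2 requires and, for comparison, the pre-iFix2 form that note 1 describes. It assumes, as labelled in the code, that severityvalue is a manually assigned numeric severity that is unset (None) when not provided (the ISNULL branch), that cvss is the issue's CVSS score, and that AGE() is the whole number of days since the issue was created.

```python
# Added example, not AppScan's own evaluator: the Severity and Overdue formulas in Python.
# Assumed: severity_value is None when unset (ISNULL branch), cvss is the CVSS score, and
# AGE() is the whole number of days since the issue was created.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Issue:
    created: date
    status: str              # new, open, reopened, inprogress, fixed, noise, passed
    classification: str      # definitive, suspect, scancoveragefindings
    cvss: float
    severity_value: Optional[float] = None   # manual override, None when unset


def severity(issue):
    """IF(ISNULL(severityvalue, -1) = -1, cvss, severityvalue)"""
    return issue.cvss if issue.severity_value is None else issue.severity_value


def days_allowed(sev):
    """Table 3: days an issue may stay open before it counts as overdue. The thresholds are
    strict lower bounds, so a severity of exactly 7.4 falls into the 7-day (Medium) band."""
    if sev > 10:
        return 3
    if sev > 7.4:
        return 5
    if sev > 5:
        return 7
    if sev > 1.9:
        return 14
    return 100


def age(issue, today):
    """AGE(): whole days since the issue was created."""
    return (today - issue.created).days


def overdue(issue, today):
    """Current Overdue formula (v9.0.3.1 iFix2 and later). A positive result is the number
    of days past the deadline; zero or negative means the issue is not overdue."""
    if issue.classification == "scancoveragefindings":
        return 0
    if issue.status in ("noise", "passed", "fixed"):
        return 0
    return age(issue, today) - days_allowed(severity(issue))


def overdue_before_ifix2(issue, today):
    """The formula without the scan coverage guard, kept only to show the discrepancy
    note 1 describes: an old scan coverage finding is reported as overdue."""
    if issue.status in ("noise", "passed", "fixed"):
        return 0
    return age(issue, today) - days_allowed(severity(issue))


# Constructed sample: a fixed reference date and four issues.
TODAY = date(2024, 6, 30)
SAMPLE_ISSUES = {
    "open_high":  Issue(date(2024, 6, 20), "open", "definitive", cvss=9.1),
    "fixed_high": Issue(date(2024, 6, 20), "fixed", "definitive", cvss=9.1),
    "coverage":   Issue(date(2024, 6, 1), "new", "scancoveragefindings", cvss=5.0),
    "overridden": Issue(date(2024, 6, 25), "open", "definitive", cvss=9.8, severity_value=7.4),
}


def report(today=TODAY, issues=SAMPLE_ISSUES):
    """Per issue: (severity, days allowed, overdue, overdue before iFix2)."""
    return {
        name: (severity(i), days_allowed(severity(i)), overdue(i, today),
               overdue_before_ifix2(i, today))
        for name, i in issues.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(name, row)
```

In the sample, the open CVSS 9.1 issue is 10 days old with 5 days allowed, so it is 5 days overdue; the fixed copy of it is never overdue; the 29-day-old scan coverage finding is overdue by 15 days under the old formula but 0 under the current one, which is exactly the Applications tab versus Portfolio tab discrepancy note 1 describes; and the issue whose manual severity of 7.4 overrides its 9.8 CVSS score lands in the 7-day band and, at 5 days old, still has 2 days left.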