CVSS settings
You can manually fine-tune the severity setting for a specific issue based on CVSS (Common Vulnerability Scoring System) metrics. This is done from the Issue Information toolbar, by clicking Severity > CVSS Settings.
AppScan uses the CVSSv2 standard.
- From the CVSS window, click on the name of one of the three sections topen that section for configuration.
- You can restore the default settings by clicking
, which becomes active when changes are made.
Base metrics
These are metrics of the vulnerability that are constant over time and across user environments.
Metric |
Explanation |
Options |
|---|---|---|
Access Vector |
Whether the vulnerability can be exploited only locally, also from adjacent networks, or from any network connection ("remotely exploitable"). |
Local, Adjacent Network, Network |
Access Complexity |
The difficulty involved in exploiting this vulnerability. |
High, Medium, Low |
Authentication |
The number of times an attacker must authenticate to exploit the vulnerability. |
None, Single, Multiple |
Confidentiality Impact |
The impact on confidentiality if this vulnerability is successfully exploited. |
None, Partial, Complete |
Integrity Impact |
The extent to which system integrity (the accuracy of information supplied by the application) is compromised if this vulnerability is successfully exploited. |
None, Partial, Complete |
Availability Impact |
The impact on the availability of information resources if this vulnerability is successfully exploited. |
None, Partial, Complete |
Temporal metrics
These are metrics of the vulnerability that may change over time.
Metric |
Explanation |
Options |
|---|---|---|
Exploitability |
The current state of exploit techniques utilizing this vullnerability. |
Unproven, Proof-of-Concept, Functional, High, Not Defined |
Remediation Level |
The level of remediation available to protect against the vulnerability. |
Official Fix, Temporary Fix, Workaround, Unavailable, Not Defined |
Report Confidence |
The degree of confidence in the existence and technical details of the vulnerability. |
Unconfirmed, Uncorroborated, Confirmed, Not Defined |
Environmental metrics
These metrics reflect the application environment, and should be set globally using the Configuration dialog box > Environmental Metrics tab. Change them here only if this vulnerability is specific to a part of the application environment that has different characteristics.
Metric |
Explanation |
Options |
|---|---|---|
Collateral Damage Potential |
The potential for damage or theft if the application is vulnerable. |
None, Low, Low-Medium, Medium, Medium-High, High, Not Defined |
Target Distribution |
The proportion of systems in the environment that are potential targets. |
None, Low, Medium, High, Not Defined |
Availability Requirement |
The relative importance of availibility (of information). |
None, Low, Medium, High, Not Defined |
Confidentiality Requirement |
The relative importance of confidentiality (of user information). |
None, Low, Medium, High, Not Defined |
Integrity Requirement |
The relative importance of integrity (accuracy) of information. |
None, Low, Medium, High, Not Defined |