WhiteSource Announces Extended Support for CVSS 3.0 Scores to its Vulnerabilities Database

June 7, 2018 David Habusha

What is CVSS 3.0?

The Common Vulnerability Scoring System (CVSS) provides an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model ensures consistent and accurate measurement, while enabling users to see the underlying vulnerability characteristics that were used to generate the scores.

The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

CVSS 2.0 vs CVSS 3.0

NVD provides qualitative severity rankings of "Low", "Medium", and "High" for CVSS v2.0 base score ranges, in addition to the severity ratings for CVSS v3.0 defined in the CVSS v3.0 specification.

The newer version of CVSS introduces a number of changes to the scoring system so that vulnerabilities in the web application domain are reflected more accurately.

While all three metric groups (the Base Score, the Temporal Score and the Environmental Score) remain, new metrics such as Scope (S) and User Interaction (UI) were added. In addition, older metrics such as Authentication (Au) were replaced by newer ones such as Privileges Required (PR).

The Scope metric distinguishes an exploited vulnerability that can only affect resources managed by the same security authority, in which case the vulnerable component and the impacted component are the same, from one whose impact reaches beyond that authority.

The Environmental metric group also gained the Modified Base Metrics, which let analysts adjust the Base metrics to reflect the affected host in their own organization, making the score contextual when necessary.

CVSS v2.0 Ratings                 CVSS v3.0 Ratings
Severity   Base Score Range       Severity   Base Score Range
                                  None       0.0
Low        0.0-3.9                Low        0.1-3.9
Medium     4.0-6.9                Medium     4.0-6.9
High       7.0-10.0               High       7.0-8.9
                                  Critical   9.0-10.0

WhiteSource Adopts CVSS 3.0

WhiteSource, as the largest open source security vendor, acknowledges CVSS 3.0 as an open scoring standard that is understood and actively contributed to by the security community. The standard is commonly used in a variety of implementations and use cases.

WhiteSource supports CVSS 3.0 across its product and services, allowing users to:

  • Define open source security policies based on CVSS 3.0 scores

  • Configure open source security workflows based on CVSS 3.0 scores

  • Trigger open source security alerts based on CVSS 3.0 scores

  • Support CVSS 3.0 scores with metadata, including Base, Environmental, and Temporal score metrics in reports and views

  • Support CVSS 3.0 scores and metadata in all relevant APIs

WhiteSource’s Effective Usage Analysis technology uses CVSS 3.0 scores to improve effective vulnerability prioritization. We will continue to support CVSS 2.0 alongside CVSS 3.0 scores for backward compatibility.
