Tenable.io plugin import and severity field in VR

MB6 · ‎05-04-2023

I have a fully working vulnerability response integration with tenable.io. We have a requirement to switch from CVSS 2.0 to CVSS 3.0 for severity calculation. We had changed the settings in Tenable.io from using CVSS 2.0 to CVSS 3.0 for severity and it correctly shows the plugin severity based on CVSS 3.0 in tenable.io. I had reimported the plugins in VR, however, the tenable plugin severity values in VR are still based on CVSS 2.0 score. An example would be plugin 174238 which has CVSS 2.0 medium but CVSS 3.0 high severity. We use the plugin severity value to map the risk rating for the VIT i.e. if the plugin severity is medium then risk rating is medium. Is there a fix to switch plugin severity calculation in VR from using CVSS 2.0 to using CVSS 3.0 for the plugin imported from tenable? I would rather keep the risk rating based on plugin severity in VR than to calculate it using the vulnerability score (v3) field instead.

Aaron Molenaar · ‎05-05-2023

We utilize Rapid7 and went through the same effort to move to CVSSv3. Rapid7 uses the v2 score as it's source severity and this is passed into VR, which then used this in the OOB configuration to determine severity (even though v3 may have been available). Plus we had to deal with other inconsistencies in how Rapid7 scores vulnerabilities.

We also struggled with normalizing several different types of manual spreadsheet imports from different sources (e.g. pen tests) that may or may not have had CVSS or had different scoring methods (e.g. severity 1-4).

To handle all the different use cases, we modified the "Lookup Normalized Severity" business rule on the Third Party Vulnerability Entry table to do the proper If-Else series depending on the source and what we trusted/preferred as the correct score from that source. We also had to modify the related ScriptInclude "SeverityMapping" to ensure the CVSS score rounding happened for all the sources where we preferred CVSS values, so that they would normalize correctly to the values specified in the Normalized Severity Maps table under VR Admin.

Hopefully this gives you a direction to start if you need to do your own configuration.

View solution in original post

Aaron Molenaar · ‎05-05-2023

We utilize Rapid7 and went through the same effort to move to CVSSv3. Rapid7 uses the v2 score as it's source severity and this is passed into VR, which then used this in the OOB configuration to determine severity (even though v3 may have been available). Plus we had to deal with other inconsistencies in how Rapid7 scores vulnerabilities.

We also struggled with normalizing several different types of manual spreadsheet imports from different sources (e.g. pen tests) that may or may not have had CVSS or had different scoring methods (e.g. severity 1-4).

To handle all the different use cases, we modified the "Lookup Normalized Severity" business rule on the Third Party Vulnerability Entry table to do the proper If-Else series depending on the source and what we trusted/preferred as the correct score from that source. We also had to modify the related ScriptInclude "SeverityMapping" to ensure the CVSS score rounding happened for all the sources where we preferred CVSS values, so that they would normalize correctly to the values specified in the Normalized Severity Maps table under VR Admin.

Hopefully this gives you a direction to start if you need to do your own configuration.

MB6 · ‎05-05-2023

Thank you for the insightful reply. It makes sense to adjust the business rule to cater for different scenarios.

Crystal · ‎08-29-2023

This post was super helpful to give guidance on how to move forward in this scenario. We are also in the same boat where we are using Tenable.io and want to be using the CVSS v3 scores. In the near future, when CVSS v4 is coming out, we will be able to quickly adjust using the same method.