Unable to populate Vulnerability score (v3) (Qualys Integration for Security Operations application + New York)

Not applicable

I am unable to populate Vulnerability score (v3) within vulnerability response > vulnerabilities > vulnerable items. 

Troubleshooting steps:

I went to Qualys KB integration, set the ‘delta start date’ to 1-1-1990 and ran the import again. This step should have updated all the vulnerabilities to include the CVSS 3 score.

 

Any assistance is greatly appreciated.

 

1 ACCEPTED SOLUTION

andy_ojha
ServiceNow Employee

Hey Jarred - Given that no records are returned for that test query and you have CVSS enabled in Qualys:
  - I would move on to opening a ServiceNow HI Support Ticket to get additional eyes on this 

In the meantime:
  - Is this a fresh installation of the ServiceNow Vulnerability Response and Qualys Apps?   
  - Was this installed on a previous version and then upgraded?
  - Are you running version 8.x or version 9.x of each app?
  


9 REPLIES

andy_ojha
ServiceNow Employee

Hey there,

What you are seeing is the expected functionality. 

If you log on to your Qualys console online, navigate to the Qualys Knowledge Base and search for that specific QID -> you will see that only a "CVSS Base" is available, where the "CVSS v3 Base" is empty.

----------------------------------------------------------------------

In ServiceNow, you will see that the Third-Party Entry record (Vulnerability Library) for that exact QID does have a value in the field called `Vulnerability score (v2)` which maps to the "CVSS Base" that you see in Qualys ... it should be {6.4} in both ServiceNow and Qualys.

Navigate to Vulnerability Response > Libraries > Third-Party

  - Search for that QID 
  - Validate that Vulnerability score (v2) is provided

For some QID entries you will see both CVSS v2 and CVSS v3, and for some QIDs, depending on when that QID was published, you may only see CVSS v2 (if it is older).

----------------------------------------------------------------------

Are you looking to surface certain data points to users, or are you looking for data points to use in your Vulnerability Calculator?

Ideally you would want to use the Qualys Severity value as one of the overall inputs in your configured 'Vulnerability Calculator', to compute a Risk score (0-100) and Risk rating (Critical, High, Med, Low) for Vulnerable Items.

This way you consume the normalization that Qualys is already performing in their Severity calculations and can avoid writing logic around CVSS v2 / CVSS v3 / etc.

If you want to show the CVSS v2 and CVSS v3 scores on forms and lists you have the option to do that - but the drawback is CVSS v3 is not always provided for every QID; whereas Qualys Severity is always provided.

Hope that helps.

Reference:

https://discussions.qualys.com/docs/DOC-5767-qualys-severity-score-vs-cvss-scoring

 

Not applicable

Hello,

 

Thank you for the quick response. I was able to pull a QID that does have a CVSS v3 score, but in VR the score does not populate. I am currently using Qualys severity but I also need to use CVSS3 for compliance requirements. Thank you for the information and the reference!

andy_ojha
ServiceNow Employee

Hey there - that is fair.

 

 - Can you navigate to Vulnerability Response > Libraries > Third-Party  

 - In the condition builder, search for "Vulnerability score (v3) | Is not empty"

 - How many records are returned (as in more than 100K)?

Can you provide an example of that QID, where you are seeing a CVSS v3 score in Qualys - but not on the corresponding Third-Party entry record?

 

Not applicable

Hello,

 

 - Can you navigate to Vulnerability Response > Libraries > Third-Party  

check

 - In the condition builder, search for "Vulnerability score (v3) | Is not empty"

check

 - How many records are returned (as in more than 100K)?

nothing populated.

 

QID in question is 256745