05-20-2025 05:43 AM
Hi,
I'm currently facing a challenge in Vulnerability Response:
A customer would like to extend Risk Ratings for the Vulnerable Item table. The way they have currently set this up seems to clash with how VR is meant to work out-of-the-box.
Can someone shed light on the inner workings and perhaps guide me on Best Practices?
The proper way how to set up custom or changed Risk Ratings is outlined in the Docs here (section "Vulnerability Risk Score Weights"). The customer has currently only extended and adjusted the Risk Rating field choices on Vulnerable Item instead of adjusting and adding Risk Score Weights or making up their own new Risk Score Weights type.
The Docs mention the Business Rule "Update Risk Rating from Risk Score", which is also mentioned in the community here.
However, the customer has currently set up a Vulnerability Calculator that is targeting the risk_rating field. He expects to be able to set Risk Rating via this mechanism instead of the comprehensive setup as outlined in the Docs link above.
His reasoning as far as I know stems from the fact that the newly created Calculator for the Risk Rating field does execute when using the UI Action "Calculate Risk Score" on a Vulnerable Item.
The code of the UI Action is a few rabbit holes deep. From skimming it I understand that it not only applies Calculators targeting the risk_score field. Instead it applies all calculators for the Vulnerable Item table, including their own Calculator for the risk_rating field.
To my mind, the Calculator targeting risk_rating should not have been implemented, as it seems to be "clashing" with the OOB Business Rule.
However I can't find any documentation in the Docs, Community or the learning material that says that you shouldn't use a Calculator for risk_rating.
I think the script order is pretty clear. The UI Action calls a chain of Script Includes, does a record update and then the Business Rule does its job, because it runs before record update.
The fact that it's still possible to set up a Calculator, which seems to "sidestep" the BR, makes me think I'm missing crucial details.
In theory only the BR should be relevant, because that's the mechanism that calculates Risk Ratings when new VITs come in from the scanner.
Has anyone faced this issue before?
I hope the wall of text got the message across. I'm happy to share more info.
Thanks in advance.
07-31-2025 07:20 AM
We were provided with a solution:
Although not explicitly forbidden or specified, you should not or rather must not use Calculators that target the Risk Rating field.
Instead you should update the Risk Score Weights (sn_sec_cmn_risk_score_weight) as described in this Docs article.
The reason for this is that Calculators are applied by the Business Rule "Calculate Risk Score", which runs with an order of 50, but the BR "Update Risk Rating from Risk Score" (that uses Risk Score Weights to calculate the Risk Rating) runs with an Order of 100.
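An added illustration of the ordering described in this answer, written as a plain JavaScript model rather than ServiceNow code: two rules run in ascending order, the first applies all Calculators (including one targeting risk_rating), the second recomputes risk_rating from risk_score using weight thresholds. The thresholds, the score formula and the record values are constructed assumptions, not the OOB ones.

```javascript
// Constructed model of business-rule ordering on a Vulnerable Item.
// Rules run in ascending "order" and each may rewrite the record in place.

// Assumed Risk Score Weight thresholds (not the OOB values): lowest score that maps to a rating.
const RISK_SCORE_WEIGHTS = [
  { rating: "Critical", min: 90 },
  { rating: "High", min: 70 },
  { rating: "Medium", min: 40 },
  { rating: "Low", min: 1 },
  { rating: "None", min: 0 },
];

// Map a numeric risk score to a rating using the highest threshold it meets.
function ratingFromScore(score, weights = RISK_SCORE_WEIGHTS) {
  const match = [...weights].sort((a, b) => b.min - a.min).find((w) => score >= w.min);
  return match ? match.rating : "None";
}

// Two business rules, modelled with the orders the answer states (50 and 100).
const businessRules = [
  { name: "Calculate Risk Score", order: 50, run(rec, calculators) {
      // Applies every Calculator for the table, whatever field it targets.
      for (const calc of calculators) rec[calc.field] = calc.compute(rec);
  } },
  { name: "Update Risk Rating from Risk Score", order: 100, run(rec) {
      // Overwrites risk_rating from risk_score, regardless of what ran before.
      rec.risk_rating = ratingFromScore(rec.risk_score);
  } },
];

// Run the rules in order and record the state after each one.
function applyBusinessRules(record, calculators, rules = businessRules) {
  const rec = { ...record };
  const trace = [];
  for (const rule of [...rules].sort((a, b) => a.order - b.order)) {
    rule.run(rec, calculators);
    trace.push(`${rule.order} ${rule.name}: risk_score=${rec.risk_score} risk_rating=${rec.risk_rating}`);
  }
  return { record: rec, trace };
}

// The customer's setup: one Calculator for risk_score (constructed formula) and one
// targeting risk_rating directly, which is the clashing Calculator from the question.
const customerCalculators = [
  { field: "risk_score", compute: (rec) => rec.cvss_base * 10 },
  { field: "risk_rating", compute: () => "Critical" },
];

const result = applyBusinessRules({ cvss_base: 5.0, risk_score: 0, risk_rating: "None" }, customerCalculators);
console.log(result.trace.join("\n"));
// Rating is "Critical" after order 50 and "Medium" after order 100: the BR wins.
```

Changing RISK_SCORE_WEIGHTS is the supported way to change the outcome; the risk_rating Calculator never survives the order-100 rule.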