‎05-06-2022 10:44 AM
Hello - I am trying to understand the 'severity' in the NVD records ('sn_vul_nvd_entry') to use in the Vulnerability Calculator. Currently the OOB is using the field severity of the NVD record but I am noticing that not all records have this field populated.
From what I can see there are 3 'severity' fields in total:
1. Severity (normalized severity)
2. Source Severity (source_severity)
3. Risk Rating (risk_rating)
Unfortunately there is no consistency between which fields are populated for each record (fields seem to be populated at random). We currently have both Qualys and TVM integrations enabled and we're also pulling NVD from the VR integration with NVD, but even records from the same source (ex. NVD) have varying fields populated.
If anyone has been able to perfectly populate all fields (or at least have a consistent severity field for all NVD records) please let me know.
Thank you in advance.
‎05-09-2022 08:59 AM
Please note: Not all NVD entries have complete information available. If you're importing older records, this could be because the information wasn't available in the previous score version. It could also be the case where a newly published CVE may not have the information available yet:
https://nvd.nist.gov/vuln-metrics/cvss
The normalized-severity is really used to map third-party entries into the same sort of severity scale used by the NVD. You can see more about creating normalized severity mappings here:
https://docs.servicenow.com/bundle/sandiego-security-management/page/product/vulnerability-response/task/create-severity-map.html
As such, the vast majority of your NVD entries should all have a "Severity" (normalized_severity) but will not make use of the "Source severity" field. The ones that don't should mostly be fairly recent ones that may not have incomplete information yet, or ones that were never completely populated. You can look them up in the mitre.org database to confirm. I suspect that if you filter your list, you'll see a bunch of 2022 entries that don't have the data and then just a handful each year from previous years.
Your integrations should be writing to the sn_vul_third_party_entry table rather than the NVD table. When they come in the business rule should cause the normalized mappings to calculate. If you imported the third party entries without the rules in place, you'd have to re-import them or mimic the logic in the baseline business rule to calculate the normalized severities.
‎05-09-2022 12:19 PM
Thank you for the insight Alex! Definitely cleared up a lot of missing pieces.