Container Vulnerability Response calculator rules
Summary of Container Vulnerability Response Calculator Rules
The Container Vulnerability Response calculator rules automate the initial value calculations for fields on container vulnerable items. The system evaluates the calculators in order, applying the first matching calculator. You can access and create vulnerability calculators by navigating to All > Container Vulnerability Response > Administration > Vulnerability Calculators.
Key Features
- Calculator Groups: The base system includes two groups that set a base Risk Score:
- Vulnerability Severity: Calculates risk scores based on normalized vulnerability severity.
- Default Risk Calculator: Based on predefined risk rules.
- Notes Section Updates: Changes to risk scores are documented in the Notes section of the container vulnerable item (CVIT), including details like calculator group name, calculator name, contributing field values, and final risk score.
- Modification Options: You can modify or view calculator rules in the Advanced view, selecting between template and script options for risk score updates.
- Risk Score Weights: Risk scores are calculated based on severity and criticality, with business rules ensuring automatic updates to risk ratings when risk scores change.
Key Outcomes
By utilizing these calculator rules, ServiceNow customers can expect a streamlined process for assessing and managing risk associated with container vulnerabilities. The system provides automated updates, ensuring accurate risk assessments and facilitating prompt responses to vulnerabilities. Additionally, customers can customize risk scoring to fit their specific operational needs, enhancing overall security posture.
Vulnerability calculators automate the calculation of initial values for the fields on container vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.
To view and create vulnerability calculators, navigate to All > Container Vulnerability Response > Administration > Vulnerability Calculators.
- Vulnerability Severity: Calculates the risk score for vulnerable items using the normalized vulnerability severity.
- Default Risk Calculator: Based on the risk rule.
- Default Risk Calculator rule: Whenever the risk score on a container vulnerable item (CVIT) changes, the following details are documented in the Notes section of the CVIT:
  - Calculator group name
  - Calculator name
  - Field values that have a weight greater than 1, and their risk score contribution
  - Final risk score
- Vulnerability Severity risk rule: Whenever the risk score is updated on a CVIT, the Notes section is updated with the following details:
  - Calculator group name
  - Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is followed by the details in brackets.

To modify or view the basis of a calculator rule, select a rule and select the Advanced view check box. From the Value type drop-down list, select the required option. If Template is selected, the risk score is updated according to the condition specified in the rule. If Script is selected, you can add a script or update the existing one.

The system property sn_sec_cmn.risk_score_changes_add_worknotes controls whether risk score changes are written to the Work notes section. Starting with v2.12.2 of Container Vulnerability Response, this property is inactive by default; only if you enable it are the changes related to the risk score of a container vulnerable item shown in the Work notes section. Additionally, the work notes are updated only if the risk score actually changes.
Vulnerability Risk Score Weights
| Value (Risk Rating) | Weight (Risk Score) |
|---|---|
| 1 | 90–100 |
| 2 | 70–89 |
| 3 | 40–69 |
| 4 | 1–39 |
| 5 | 0 |
- The risk rating types are shipped in the base table Risk Score Weights [sn_sec_cmn_risk_scorew_weights] as cvr_risk_rating. These types are passed as part of the business rules or script includes on each table where the risk rating is calculated.
- The script is modified so that you can query the entries in the Risk Score Weights table for risk rating calculation.
- Add additional entries for an existing type or create a new type. When you create a new type, ensure that you add the labels for the new risk rating, and also modify the related scripts and business rules. You must also add a new style for the new risk score.
- Modify the script to query the records in the base table.
- When a configuration item (CI) changes from non-internet facing to internet facing.
- When the associated Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) on the vulnerability items (VIs) are linked to a CVE Known Exploit Vulnerability (KEV).
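The following is an added example, not ServiceNow's own code: plain JavaScript that models the Risk Score Weights lookup from the table above, the Notes entry a Default Risk Calculator rule records, and the work-notes gate controlled by sn_sec_cmn.risk_score_changes_add_worknotes. The weights rows are a constructed copy of the table on this page, and the `{name, value, weight}` field shape is an assumption for the example; no Glide APIs are used.

```javascript
// Added example (not ServiceNow's own code): plain JavaScript model of the
// Risk Score Weights lookup, a Default Risk Calculator Notes entry, and the
// work-notes gate described on this page. Data below is constructed.

// Constructed copy of the cvr_risk_rating rows of Risk Score Weights
// [sn_sec_cmn_risk_scorew_weights]: value = risk rating, min..max = risk score.
const RISK_SCORE_WEIGHTS = [
  { type: 'cvr_risk_rating', value: 1, min: 90, max: 100 },
  { type: 'cvr_risk_rating', value: 2, min: 70, max: 89 },
  { type: 'cvr_risk_rating', value: 3, min: 40, max: 69 },
  { type: 'cvr_risk_rating', value: 4, min: 1, max: 39 },
  { type: 'cvr_risk_rating', value: 5, min: 0, max: 0 },
];

// Query the weights rows for the rating whose range contains the score.
// Returns null for scores outside 0-100, non-integers, or an unknown type.
function riskRatingFor(score, type = 'cvr_risk_rating') {
  if (!Number.isInteger(score) || score < 0 || score > 100) return null;
  const row = RISK_SCORE_WEIGHTS.find(
    (w) => w.type === type && score >= w.min && score <= w.max);
  return row ? row.value : null;
}

// Compute a weighted risk score and the Notes entry the page lists for the
// Default Risk Calculator rule: group name, calculator name, fields with a
// weight greater than 1 and their contribution, final score. The field
// shape {name, value, weight} is an assumption made for this example.
function applyDefaultRiskCalculator(groupName, calcName, fields) {
  let total = 0;
  const contributing = [];
  for (const f of fields) {
    const contribution = f.value * f.weight;
    total += contribution;
    if (f.weight > 1) contributing.push(`${f.name}=${f.value} contributes ${contribution}`);
  }
  const riskScore = Math.max(0, Math.min(100, Math.round(total)));
  const note = [`Calculator group: ${groupName}`, `Calculator: ${calcName}`,
    ...contributing, `Final risk score: ${riskScore}`].join('\n');
  return { riskScore, riskRating: riskRatingFor(riskScore), note };
}

// Work notes are written only when sn_sec_cmn.risk_score_changes_add_worknotes
// is enabled (inactive by default from v2.12.2) and the risk score changed.
function shouldAddWorkNote(propertyEnabled, oldScore, newScore) {
  return propertyEnabled === true && oldScore !== newScore;
}
```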
For more information, see Vulnerability Response calculators and vulnerability calculator rules.