Container Vulnerability Response calculator rules
Vulnerability calculators automate the calculation of initial values for the fields on container vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.
To view and create vulnerability calculators, navigate to .
- Vulnerability Severity: Calculates the risk score for vulnerable items using the normalized vulnerability severity.
- Default Risk Calculator: Calculates the risk score based on the risk rule.
- Default Risk Calculator rule: Whenever the risk score on a container vulnerable item (CVIT) changes, the following details are documented in the Notes section of the CVIT:
  - Calculator group name
  - Calculator name
  - Field values that have a weight greater than 1, and their risk score contribution
  - Final risk score
- Vulnerability Severity risk rule: Whenever the risk score is updated on a CVIT, the Notes section is updated with the following details:
  - Calculator group name
  - Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is appended with the details in brackets.

To view or modify the basis of a calculator rule, select the rule and select the Advanced view check box. From the Value type drop-down box, select the required option. If Template is selected, the risk score is updated according to the condition specified in the rule. If Script is selected, you can add a script or update the existing one.

The system property sn_sec_cmn.risk_score_changes_add_worknotes controls whether risk score changes are written to the Work notes section. Starting with v2.12.2 of Container Vulnerability Response, this property is inactive by default; only after you enable it do all risk score changes of a container vulnerable item appear in the Work notes section. The work notes are updated only when the risk score actually changes.
Vulnerability Risk Score Weights
| Value (Risk Rating) | Weight (Risk Score) |
|---|---|
| 1 | 90–100 |
| 2 | 70–89 |
| 3 | 40–69 |
| 4 | 1–39 |
| 5 | 0 |
- The risk rating types are shipped in the base table Risk Score Weights [sn_sec_cmn_risk_scorew_weights] under the type cvr_risk_rating. These types are passed to the business rules or script includes on each table where the risk rating is calculated.
- The calculation script has been modified so that the entries in the Risk Score Weights table can be queried for the risk rating calculation.
- You can add entries to an existing type or create a new type. When you create a new type, add the labels for the new risk rating, modify the related scripts and business rules, and add a new style for the new risk score.
- Modify the script so that it queries the records in the base table.
The risk score is also recalculated in the following cases:
- When a configuration item (CI) changes from non-internet-facing to internet-facing.
- When the Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) associated with the vulnerability items (VIs) are linked to a CVE Known Exploit Vulnerability (KEV).
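As an added example (not ServiceNow's code), the following shows the two behaviours this page describes in plain JavaScript: a rating lookup driven by the Risk Score Weights ranges from the table above, and a work-notes entry that is produced only when the risk score actually changes. The weight entries are constructed here to mirror the page's table for the cvr_risk_rating type; on the platform they would come from a query of the Risk Score Weights table, which is assumed and not shown.

```javascript
// Constructed entries mirroring the page's Risk Score Weights table for the
// cvr_risk_rating type. On the platform these rows are read from the base
// table (assumed GlideRecord query, omitted here so the example runs offline).
const RISK_SCORE_WEIGHTS = [
  { type: 'cvr_risk_rating', rating: 1, min: 90, max: 100 },
  { type: 'cvr_risk_rating', rating: 2, min: 70, max: 89 },
  { type: 'cvr_risk_rating', rating: 3, min: 40, max: 69 },
  { type: 'cvr_risk_rating', rating: 4, min: 1, max: 39 },
  { type: 'cvr_risk_rating', rating: 5, min: 0, max: 0 },
];

// Map a risk score to a rating for the given weight type.
// Returns null when the score is not a finite number or falls outside every
// range (for example a fractional 0.5 between the 0 and 1–39 rows), so the
// caller can leave the rating field untouched instead of writing a wrong value.
function riskRatingFor(score, type, weights) {
  const rows = weights || RISK_SCORE_WEIGHTS;
  const s = Number(score);
  if (!Number.isFinite(s)) return null;
  const match = rows.find(w => w.type === type && s >= w.min && s <= w.max);
  return match ? match.rating : null;
}

// Build the Notes entry described on the page: calculator group, calculator
// name with its basis (Template or Script) in brackets, the score change and
// the resulting rating. Returns null when the score did not change, matching
// the "work notes are updated only if there's a change" behaviour.
function riskScoreChangeNote(groupName, calcName, basis, oldScore, newScore, type) {
  if (Number(oldScore) === Number(newScore)) return null;
  const rating = riskRatingFor(newScore, type);
  return [
    'Calculator group name: ' + groupName,
    'Calculator name: ' + calcName + ' [' + basis + ']',
    'Risk score: ' + oldScore + ' -> ' + newScore,
    'Risk rating: ' + (rating === null ? 'not updated (no matching range)' : rating),
  ].join('\n');
}
```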
For more information, see Vulnerability Response calculators and vulnerability calculator rules.