Container Vulnerability Response calculator rules

Release version: Washingtondc

Updated February 1, 2024

3 minutes to read

Summarize

Summarized using AI

Summary of Container Vulnerability Response Calculator Rules

The Container Vulnerability Response calculator rules automate risk score calculations for container vulnerable items (CVITs). The system evaluates conditions sequentially, applying the first matching calculator. Customers can view and create calculators in the Container Vulnerability Response module under Administration.

Show full answer Show less

Key Features

Vulnerability Severity Calculator: Computes risk scores based on normalized vulnerability severity.
Default Risk Calculator: Determines risk scores using predefined rules.
Notes Section Updates: For both calculator types, updates are recorded in the CVIT’s Notes section whenever the risk score changes, including details like calculator group name and contributions of weighted field values.
Script and Template Selection: Users can choose between script or template-based rules to modify calculator behavior, enabling customization of risk score updates.
Risk Score Weights: Risk ratings are assigned based on risk score thresholds, with the ability to add or modify weights in the Risk Score Weights table.
Work Notes Section: Changes to risk scores can be tracked in the Work notes section if the relevant system property is enabled.

Key Outcomes

By utilizing the Container Vulnerability Response calculator rules, ServiceNow customers can effectively automate the management of vulnerability risk scores, ensuring timely updates and clear documentation of changes. Proper configuration and use of the Risk Score Weights table enable enhanced risk rating customization, further supporting the remediation of container vulnerabilities.

Vulnerability calculators automate the calculation of initial values for the fields on container vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.

To view and create vulnerability calculators, navigate to All > Container Vulnerability Response > Administration > Vulnerability Calculators.

The Container Vulnerability Response base system includes two vulnerability calculators that set the base Risk Score on the container vulnerable item. The following calculator groups are available in the base system:

Vulnerability Severity: Calculates the risk score for vulnerable items using the normalized vulnerability severity.
Default Risk Calculator: It’s based on the risk rule.

Note:

Starting with version 2.10 of Container Vulnerability Response, in case of:

Default Risk Calculator rule: Whenever the risk score on a container vulnerable item (CVIT) changes, the following details are documented in the Notes section of the CVIT:
- Calculator group name
- Calculator name
- Field values that have a weightage greater than 1 and their risk score contribution.
- Final risk score
Vulnerability Severity risk rule: Whenever the risk score is updated on a CVIT, the Notes section is updated with the following details:
- Calculator group name
- Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is appended with the details in brackets. To modify or view the basis of the calculator rule, select any rule and select the Advanced view check box. From the Value type drop-down box, select the required option. If Template is selected, the risk score is updated according to the specified condition in the rule. If Script is selected, you can either add or update the existing script. The system property sn_sec_cmn.risk_score_changes_add_worknotes helps populate the work notes section. Starting with v2.12.2 of Container Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the risk score of a container vulnerable item in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.

Vulnerability Risk Score Weights

All vulnerabilities are assigned a risk score and rating based on factors such as severity, criticality, exploit information, and so on. The business rule Update Risk Rating from Risk Score on the container vulnerable item table is responsible for calculating the risk rating. Whenever the risk score changes, the risk rating is calculated and populated on the container vulnerable items. Prior to version 17.1 of the Vulnerability Response (VR) application, the following risk ratings were provided as part of script include VulnerabilityUtils, which were hard-coded.


Value (Risk Rating)	Weight (Risk Score)
1	90–100
2	70–89
3	40–69
4	1–39
5	0

Starting with the 18.0 version of Vulnerability Response,

The risk rating types are shipped in the base table Risk Score Weights [sn_sec_cmn_risk_scorew_weights] as cvr_risk_rating. These types are passed as part of the business rules or script includes on each table where the risk rating is calculated.
The script is modified so that you can query the entries in the Risk Score Weights table values for risk rating calculation.
Add additional entries for an existing type or create a new type. When you create a new type, ensure that you add the labels for the new risk rating, and also modify the related scripts and business rules. You must also add a new style for the new risk score.
Modify the script to query the records in the base table.

You can access the Risk Score Weights table by entering sn_sec_cmn_risk_score_weight in the filter navigator.

In addition, the risk score is automatically recalculated in the following scenarios:

When a configuration item (CI) changes from non-internet facing to internet facing.
When the associated Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) on the vulnerability items (VIs) are linked to a CVE Known Exploit Vulnerability (KEV).

For more information, see Vulnerability Response calculators and vulnerability calculator rules.