Container Vulnerability Response calculator rules
Summary of Container Vulnerability Response calculator rules
Container Vulnerability Response calculator rules automate the calculation of initial risk scores for container vulnerable items (CVITs). The calculators evaluate their conditions in sequence and apply the first rule that matches. You can view and create these calculators via All > Container Vulnerability Response > Administration > Vulnerability Calculators. The base system includes two calculator groups, Vulnerability Severity and Default Risk Calculator, both of which set the foundational risk score for CVITs.
Key Features
- Vulnerability Severity Calculator: Computes risk scores based on the normalized vulnerability severity.
- Default Risk Calculator: Calculates risk using predefined risk rules and, starting with version 2.10, logs detailed score changes in the Notes section of CVITs.
- Risk Score Change Documentation: Notes on CVITs capture the calculator group and name, the contributing field values, and the final risk score. The same entry is also written to Work notes if the system property sn_sec_cmn.risk_score_changes_add_worknotes is enabled (inactive by default since v2.12.2).
- Customizing Calculators: Users can view or modify calculator rules in Advanced view, choosing between the Template and Script value types to tailor the risk score calculation.
- Risk Score Weights and Ratings: Risk scores consider factors such as severity and exploit information. Risk ratings are updated automatically by a business rule on the CVIT table. Since version 18.0 of Vulnerability Response, risk rating values and weights are stored in the Risk Score Weights [sn_sec_cmn_risk_score_weight] table for easier configuration and extension.
- Extensibility: Customers can add new risk rating types, labels, and styles, and modify the related scripts and business rules to reflect a customized risk rating scheme.
- Automatic Risk Score Recalculation: Occurs when a configuration item changes to internet facing, or when the CVEs/TPEs on a vulnerable item are linked to a Known Exploited Vulnerability (KEV).
Practical Benefits for ServiceNow Customers
By leveraging these calculator rules, customers can automate consistent, transparent, and auditable risk scoring of container vulnerabilities. The detailed logging in Notes and optionally in Work notes provides traceability of risk score changes, aiding compliance and analysis. The modular risk rating system allows adaptation to evolving organizational risk models. Automatic recalculation ensures risk ratings stay current with environment and threat changes, enabling proactive vulnerability management.
Vulnerability calculators automate the calculation of initial values for the fields on container vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.
To view and create vulnerability calculators, navigate to .
- Vulnerability Severity: Calculates the risk score for vulnerable items using the normalized vulnerability severity.
- Default Risk Calculator: Calculates the risk score using the default risk rule.
- Default Risk Calculator rule: Whenever the risk score on a container vulnerable item (CVIT) changes, the following details are documented in the Notes section of the CVIT:
- Calculator group name
- Calculator name
- Field values that have a weight greater than 1, with the risk score contribution of each.
- Final risk score
- Vulnerability Severity risk rule: Whenever the risk score is updated on a CVIT, the Notes section is updated with the following details:
- Calculator group name
- Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is followed by that detail in brackets.
To view or modify the basis of a calculator rule, open the rule and select the Advanced view check box, then choose the required option from the Value type list. If Template is selected, the risk score is updated according to the condition specified in the rule. If Script is selected, you can add a script or update the existing one.
The system property sn_sec_cmn.risk_score_changes_add_worknotes controls whether the same details are also written to the Work notes section. Starting with v2.12.2 of Container Vulnerability Response, this property is inactive by default; only when you enable it do the risk score changes of a container vulnerable item appear in Work notes. Work notes are added only when the risk score actually changes.
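The following is an added example, not code from the page or from ServiceNow: a script-based risk calculator rule modelled in plain JavaScript (runnable in Node, no Glide APIs) so that the Notes logic described above can be exercised offline. The field names, the weights, the hypothetical vendor_patch field and the CVIT object shape are assumptions; inside a real Script value type the same logic would read the fields from the CVIT record.

```javascript
// Added example (not ServiceNow code): a script-based risk calculator rule
// modelled in plain JavaScript so the Notes logic can be exercised offline.
// Field names, weights and the CVIT object shape are assumptions.

// Constructed rule: each field turns a CVIT value into a factor 0..1 and the
// weight scales it. Only fields with weight > 1 are listed in the Notes
// entry, matching the page's rule for the Default Risk Calculator.
const SEVERITY_FACTOR = { critical: 1, high: 0.75, medium: 0.5, low: 0.25 };
const DEFAULT_RISK_RULE = {
  calculatorGroup: 'Default Risk Calculator',
  calculatorName: 'Default Risk Calculator rule (Script)',
  fields: [
    { name: 'severity',          weight: 60, factor: v => SEVERITY_FACTOR[v] || 0 },
    { name: 'exploit_available', weight: 25, factor: v => (v ? 1 : 0) },
    { name: 'internet_facing',   weight: 15, factor: v => (v ? 1 : 0) },
    { name: 'vendor_patch',      weight: 1,  factor: v => (v ? 0 : 1) } // hypothetical field
  ]
};

// Evaluate the rule: total the weighted contributions, cap at 100, and keep
// the per-field breakdown that the Notes entry needs.
function computeRiskScore(cvit, rule) {
  let total = 0;
  const contributions = [];
  for (const f of rule.fields) {
    const part = Math.round(f.weight * f.factor(cvit[f.name]));
    total += part;
    if (f.weight > 1) {
      contributions.push({ field: f.name, value: cvit[f.name], contribution: part });
    }
  }
  return { score: Math.min(100, total), contributions };
}

// Format the Notes entry: calculator group, calculator name, contributing
// field values (weight > 1) with their contribution, and the final score.
function buildRiskScoreNote(rule, result) {
  const lines = [
    'Calculator group: ' + rule.calculatorGroup,
    'Calculator name: ' + rule.calculatorName
  ];
  for (const c of result.contributions) {
    lines.push('  ' + c.field + ' = ' + c.value + ' -> +' + c.contribution);
  }
  lines.push('Final risk score: ' + result.score);
  return lines.join('\n');
}

// Apply the rule to a CVIT. Notes (and Work notes when the add-work-notes
// property is enabled) are written only when the score actually changes; an
// unchanged score leaves both untouched.
function applyRiskRule(cvit, rule, addWorkNotes) {
  const result = computeRiskScore(cvit, rule);
  const changed = result.score !== cvit.risk_score;
  const updated = Object.assign({}, cvit, { risk_score: result.score });
  if (changed) {
    const note = buildRiskScoreNote(rule, result);
    updated.notes = (cvit.notes || []).concat(note);
    if (addWorkNotes) {
      updated.work_notes = (cvit.work_notes || []).concat(note);
    }
  }
  return { updated, changed, result };
}

// Constructed sample CVIT: a high-severity finding with a public exploit on a
// CI that is not internet facing and has no vendor patch yet.
const SAMPLE_CVIT = {
  number: 'CVIT0001001',
  severity: 'high',
  exploit_available: true,
  internet_facing: false,
  vendor_patch: false,
  risk_score: 0,
  notes: []
};

// Run the sample through the rule twice: the first run changes the score and
// writes a note; the second finds no change and writes nothing.
function runSample() {
  const first = applyRiskRule(SAMPLE_CVIT, DEFAULT_RISK_RULE, false);
  const second = applyRiskRule(first.updated, DEFAULT_RISK_RULE, true);
  return { first, second };
}

console.log(runSample().first.updated.notes[0]);
```

The sample scores 45 (severity) + 25 (exploit) + 0 (internet facing) + 1 (no vendor patch) = 71, and the note lists only the three fields whose weight exceeds 1. The second pass enables work notes but records nothing, because the score did not change.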
Vulnerability Risk Score Weights
| Value (risk rating) | Weight (risk score range) |
|---|---|
| 1 | 90–100 |
| 2 | 70–89 |
| 3 | 40–69 |
| 4 | 1–39 |
| 5 | 0 |
- The risk rating types are shipped in the base table Risk Score Weights [sn_sec_cmn_risk_score_weight] under the type cvr_risk_rating. The type is passed to the business rules or script includes on each table where the risk rating is calculated.
- The calculation scripts query the entries in the Risk Score Weights table to derive the risk rating from the risk score.
- To extend the scheme, add entries to an existing type or create a new type. When you create a new type, add the labels for the new risk rating values, add a style for each new rating, and modify the related scripts and business rules so that they query the new records in the base table.
The risk score of a container vulnerable item is recalculated automatically in the following cases:
- When a configuration item (CI) changes from non-internet facing to internet facing.
- When the Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) associated with the vulnerable items (VIs) are linked to a Known Exploited Vulnerability (KEV).
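The following is an added example, not code from the page or from ServiceNow. It models the Risk Score Weights table and the two recalculation triggers above in plain JavaScript (runnable in Node, no Glide APIs): the score-to-rating lookup the business rule performs, a validation pass that catches gaps and overlaps when a type is extended, a constructed second rating type added alongside cvr_risk_rating, and a predicate for the two triggers. The row shape, the labels, the x_custom_risk_rating type and the CVIT field names ci_internet_facing and kev_linked are assumptions.

```javascript
// Added example (not ServiceNow code): the Risk Score Weights table modelled
// as plain JavaScript rows so the rating lookup, a custom rating type and the
// recalculation triggers can be exercised offline. Row shape, labels, the
// x_custom_risk_rating type and the CVIT field names are assumptions.

// Constructed rows mirroring the cvr_risk_rating type from the table on the
// page: value = risk rating, min/max = inclusive risk score range.
const RISK_SCORE_WEIGHTS = [
  { type: 'cvr_risk_rating', value: 1, label: 'Critical', min: 90, max: 100 },
  { type: 'cvr_risk_rating', value: 2, label: 'High',     min: 70, max: 89 },
  { type: 'cvr_risk_rating', value: 3, label: 'Medium',   min: 40, max: 69 },
  { type: 'cvr_risk_rating', value: 4, label: 'Low',      min: 1,  max: 39 },
  { type: 'cvr_risk_rating', value: 5, label: 'None',     min: 0,  max: 0 }
];

// A new rating type added alongside the shipped one, as the page describes:
// a coarser three-tier scheme (type name, labels and ranges are assumptions).
const CUSTOM_WEIGHTS = RISK_SCORE_WEIGHTS.concat([
  { type: 'x_custom_risk_rating', value: 1, label: 'Urgent',  min: 80, max: 100 },
  { type: 'x_custom_risk_rating', value: 2, label: 'Planned', min: 20, max: 79 },
  { type: 'x_custom_risk_rating', value: 3, label: 'Backlog', min: 0,  max: 19 }
]);

// Check that the rows of one type cover 0..100 exactly once. Extending the
// table by hand is where gaps and overlaps creep in, and a score that falls
// into a gap would get no rating at all.
function validateWeights(rows, type) {
  const problems = [];
  const tiers = rows.filter(r => r.type === type).sort((a, b) => a.min - b.min);
  if (tiers.length === 0) problems.push('no rows for type ' + type);
  let expectedMin = 0;
  for (const t of tiers) {
    if (t.min > t.max) problems.push(t.label + ': min ' + t.min + ' exceeds max ' + t.max);
    if (t.min !== expectedMin) {
      problems.push('gap or overlap before ' + t.label + ': expected min ' + expectedMin + ', got ' + t.min);
    }
    expectedMin = t.max + 1;
  }
  if (tiers.length > 0 && expectedMin !== 101) {
    problems.push('ranges end at ' + (expectedMin - 1) + ', not 100');
  }
  return { ok: problems.length === 0, problems };
}

// Map a risk score to the rating row of the given type, the lookup the
// business rule on the CVIT table performs. Out-of-range or non-integer input
// is rejected rather than silently mapped to the nearest tier.
function ratingForScore(score, rows, type) {
  if (!Number.isInteger(score) || score < 0 || score > 100) {
    throw new RangeError('risk score must be an integer 0..100, got ' + score);
  }
  const row = rows.find(r => r.type === type && score >= r.min && score <= r.max);
  if (!row) throw new Error('no ' + type + ' row covers score ' + score);
  return { value: row.value, label: row.label };
}

// Decide whether a CVIT needs its risk score recalculated, using the two
// triggers on the page: its CI changed from non-internet facing to internet
// facing, or its CVE/TPE became linked to a KEV. Only those transitions
// count; the reverse direction and unrelated edits do not.
function recalculationTriggers(before, after) {
  const reasons = [];
  if (!before.ci_internet_facing && after.ci_internet_facing) {
    reasons.push('CI changed to internet facing');
  }
  if (!before.kev_linked && after.kev_linked) {
    reasons.push('CVE/TPE linked to a KEV');
  }
  return reasons;
}

console.log(validateWeights(CUSTOM_WEIGHTS, 'x_custom_risk_rating'));
console.log(ratingForScore(75, CUSTOM_WEIGHTS, 'x_custom_risk_rating'));
```

Run validateWeights against each type after every change to the table; a tier edited from 1–39 to 1–38, for instance, leaves score 39 without a rating, and the check reports it before the business rule hits it in production.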
For more information, see Vulnerability Response calculators and vulnerability calculator rules.