Vulnerability calculators

Vulnerability calculators are used to update record values when pre-defined conditions are met. The calculators are grouped based on the criteria used to determine how the records are updated.

All enabled vulnerability calculators in the Vulnerability Calculator Group run each time a vulnerable item is changed or when the Calculate Business Impact related link in a vulnerable item is used.

The Vulnerability Response base system includes a vulnerability calculator called Score and Service Based Impact, contained in the Vulnerability Calculator Group called Vulnerability Impact. Its purpose is to calculate the business criticality of a vulnerable item from the CVSS score of the vulnerability and the criticality of the most critical business service that depends on the affected CI. For more information on CVSS, see the NVD website.

From an existing vulnerable item, if you click the Calculate Business Impact related link and Score and Service Based Impact is enabled, you get an on-demand calculation of the business criticality of the vulnerable item.
Note: The Calculate Business Impact related link is only visible when at least one vulnerability calculator is enabled.

Vulnerability calculators can prioritize and categorize vulnerable items based on any custom criteria you want to use. For example, when the Score and Service Based Impact calculator is enabled, it prioritizes by the importance of the business services that rely on the affected CI. This is useful when the Business Services plugin is installed and the business criticality of your services is set to reflect your business priorities.

Calculators can be built to prioritize and rate the impact of vulnerable items on any criteria you like, whether that is the business impact of the vulnerability, the class of the affected CI, or the age of the vulnerable item. A calculator can be written to reflect any set of priorities.

Note: The Score and Service Based Impact calculator is disabled by default.

How the Score and Service Based Impact calculator works

When the Score and Service Based Impact calculator runs against a vulnerable item, it executes the following script. Only the first part of the script, the service-criticality weighting, is reproduced here; the CVSS weighting that follows it is described in the list below.

var ciu = new global.CIUtils();
// sys_ids of the business services that depend on the vulnerable item's CI
var services = ciu.servicesAffectedByCI(current.cmdb_ci.toString());
var hasSvc = false;
if (services.length > 0) {
    var svc = new GlideRecord("cmdb_ci_service");
    svc.addQuery("sys_id", "IN", services.join(","));
    // The CMDB field really is spelled "busines_criticality" (typo intended)
    svc.addNotNullQuery("busines_criticality");
    // Choice values start with a rank digit, so ascending order puts the most critical service first
    svc.orderBy("busines_criticality");
    svc.query();

    hasSvc = svc.next(); // positions on the most critical service, if there is one
}
if (!hasSvc) {
    // Always set to lowest if there are no impacted services (or if none with criticality/impact set)
    current.business_criticality = 3; // lowest
} else {
    var svcCritChoices = GlideChoiceList.getChoiceList("cmdb_ci_service", "busines_criticality");
    var svcCritSize = svcCritChoices.getSize();
    var viCritChoices = GlideChoiceList.getChoiceList("sn_vul_vulnerable_item", "business_criticality");
    var viCritSize = viCritChoices.getSize();

    var bc = svc.getValue("busines_criticality");
    var bcWeight = 0;
    // Map the service's criticality rank i (1 = most critical) to a weight from 100 down to 100/svcCritSize
    for (var i = 1; i <= svcCritSize; i++) {
        if (bc.startsWith(i))
            bcWeight = (svcCritSize + 1 - i) * 100 / svcCritSize;
    }
    // The rest of the script, which weights in the CVSS score and sets
    // current.business_criticality, is not reproduced on this page.
}

The script performs the following steps:
  • It calls CIUtils.servicesAffectedByCI() to collect the sys_ids of the business services that depend on the CI attached to the vulnerable item.
  • It queries those services for the ones whose business criticality is set (the field is not null), ordered so that the most critical service comes first.
  • If no such service is found, the business criticality of the vulnerable item is set to the lowest level.
  • Otherwise, it loads the choice lists for the service business criticality field and the vulnerable item business criticality field.
  • It takes the business criticality of the most critical service only, not of every service, and converts it to a weight between 0 and 100: with n choices, the choice ranked i receives (n + 1 - i) * 100 / n, so the top choice scores 100.
  • The CVSS score of the vulnerable item is then weighted in to compute the new criticality. This part of the script is not reproduced on this page.

When the computation is complete, the updated criticality is displayed in the Business impact field of the Vulnerable Item screen.
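As an added illustration, and not code from the ServiceNow script above, the following is the service-weighting step ported to stand-alone JavaScript. Plain arrays stand in for the GlideRecord query and a constructed choice list stands in for GlideChoiceList. It assumes that the busines_criticality choice values begin with their rank digit, as the startsWith() check in the script implies, and it stops where the page's script stops: the CVSS weighting is not included.

```javascript
// Added example (not ServiceNow's code): stand-alone port of the
// service-criticality weighting step of the Score and Service Based Impact calculator.
// Assumptions: choice values carry a leading rank digit ("1 - most critical" ...),
// and the vulnerable item's lowest business criticality value is 3, as on the page.

// Constructed choice list standing in for cmdb_ci_service.busines_criticality.
const SERVICE_CRITICALITY_CHOICES = [
  '1 - most critical',
  '2 - somewhat critical',
  '3 - less critical',
  '4 - not critical',
];

const LOWEST_VI_CRITICALITY = 3; // mirrors `current.business_criticality = 3`

function hasCriticality(service) {
  const v = service.busines_criticality;
  return v !== null && v !== undefined && v !== '';
}

// Mirrors addNotNullQuery + orderBy + next(): drop services without a criticality,
// sort ascending (leading digit first), and return the most critical one.
function mostCriticalService(services) {
  const withCrit = services.filter(hasCriticality);
  if (withCrit.length === 0) return null;
  withCrit.sort((a, b) => a.busines_criticality.localeCompare(b.busines_criticality));
  return withCrit[0];
}

// Mirrors the bcWeight loop: rank i of n choices maps to (n + 1 - i) * 100 / n.
// A value that matches no rank keeps the initial weight of 0, as in the original.
function criticalityWeight(choiceValue, choices) {
  const n = choices.length;
  let weight = 0;
  for (let i = 1; i <= n; i++) {
    if (choiceValue.startsWith(String(i))) weight = (n + 1 - i) * 100 / n;
  }
  return weight;
}

// Result of the reproduced part of the script for one vulnerable item.
function evaluateServices(services, choices = SERVICE_CRITICALITY_CHOICES) {
  const svc = mostCriticalService(services);
  if (svc === null) {
    // No impacted services, or none with a criticality set: lowest criticality.
    return { hasSvc: false, businessCriticality: LOWEST_VI_CRITICALITY, bcWeight: 0 };
  }
  return {
    hasSvc: true,
    service: svc.name,
    bcWeight: criticalityWeight(svc.busines_criticality, choices),
  };
}

// Constructed sample: three services depend on the vulnerable item's CI.
const SAMPLE_SERVICES = [
  { name: 'Intranet wiki', busines_criticality: '3 - less critical' },
  { name: 'Payments API', busines_criticality: '2 - somewhat critical' },
  { name: 'Staging sandbox', busines_criticality: null }, // excluded, as by addNotNullQuery
];

console.log(evaluateServices(SAMPLE_SERVICES)); // Payments API, weight 75
console.log(evaluateServices([]));              // no service, criticality 3
```

With four choices the weights come out as 100, 75, 50 and 25; only the single most critical service contributes, so adding more low-criticality services to a CI never lowers the weight.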

To prevent performance issues, when you create a calculator, specify exactly when it should and should not run. For example, when enabled, the Score and Service Based Impact calculator runs only when the vulnerable item has both a configuration item and a vulnerability, and one of the two has changed. If neither has changed, there is no reason to assume that the business criticality has changed. This matters most for a script-based calculator, which otherwise executes its script on every update of the vulnerable item.

If your calculator uses a condition that checks whether values have changed, those conditions are bypassed when you click the Calculate Business Impact related link: clicking the link is taken to mean that you want the calculator to run even though nothing has changed. If the calculator uses an Advanced condition, that condition is left as it is and still applies. For a script that considers whether something changed only when an item is updated, see the Score and Service Based Impact calculator as an example.
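The run guard described here, as an added example in stand-alone JavaScript rather than ServiceNow's own code: it models the GlideElement methods nil() and changes() on a constructed record object that stands in for `current`. The `onDemand` flag is an assumption standing in for however your implementation learns that the Calculate Business Impact related link triggered the run; the page does not say how a script detects that.

```javascript
// Added example (not ServiceNow's code): "only recalculate when the inputs changed"
// guard for a script-based calculator, with a constructed stand-in for `current`.
// Assumption: onDemand models the related-link run, which must proceed even when
// neither field changed.

function shouldRunCalculator(record, onDemand) {
  // Without both a CI and a vulnerability there is nothing to score against,
  // so the calculator is skipped even for an on-demand run.
  if (record.cmdb_ci.nil() || record.vulnerability.nil()) return false;
  // The related link bypasses the "changed" checks.
  if (onDemand) return true;
  // On an ordinary update, run only if one of the two inputs actually changed.
  return record.cmdb_ci.changes() || record.vulnerability.changes();
}

// Minimal stand-in for a GlideElement: a stored value and the value being saved.
function field(stored, current) {
  return {
    nil: () => current === null || current === undefined || current === '',
    changes: () => stored !== current,
  };
}

// Constructed records.
const UNCHANGED = { cmdb_ci: field('ci-1', 'ci-1'), vulnerability: field('vul-a', 'vul-a') };
const CI_CHANGED = { cmdb_ci: field('ci-1', 'ci-2'), vulnerability: field('vul-a', 'vul-a') };
const VUL_CHANGED = { cmdb_ci: field('ci-1', 'ci-1'), vulnerability: field('vul-a', 'vul-b') };
const NO_CI = { cmdb_ci: field(null, null), vulnerability: field('vul-a', 'vul-a') };

console.log(shouldRunCalculator(UNCHANGED, false));  // false: nothing changed
console.log(shouldRunCalculator(UNCHANGED, true));   // true: on-demand run
console.log(shouldRunCalculator(CI_CHANGED, false)); // true: the CI changed
console.log(shouldRunCalculator(NO_CI, true));       // false: no CI to score against
```

The order of the checks is the point: the presence test comes before the on-demand override, so the related link never runs the script against an item that is missing one of its inputs.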