Vulnerability calculators automate the calculation of initial values for the fields on container vulnerable items. The condition for each calculator is evaluated in order, and the first matching calculator is used.

To view and create vulnerability calculators, navigate to All > Container Vulnerability Response > Administration > Vulnerability Calculators.

The Container Vulnerability Response base system includes two vulnerability calculators that set the base Risk Score on the container vulnerable item. The following calculator groups are available in the base system:
  • Vulnerability Severity: Calculates the risk score for vulnerable items using the normalized vulnerability severity.
  • Default Risk Calculator: Calculates the risk score based on the risk rule.
Note: Starting with version 2.10 of Container Vulnerability Response, the Notes section of a container vulnerable item (CVIT) records the following details of each risk score change, depending on the calculator group:
  • Default Risk Calculator rule: Whenever the risk score on a CVIT changes, the following details are documented in the Notes section of the CVIT:
    • Calculator group name
    • Calculator name
    • Field values that have a weight greater than 1 and their risk score contribution.
    • Final risk score
  • Vulnerability Severity risk rule: Whenever the risk score is updated on a CVIT, the Notes section is updated with the following details:
    • Calculator group name
    • Calculator name: Depending on whether the calculator rule is based on a template or a script, the basis is appended to the name in brackets. To view or modify the basis of a calculator rule, open the rule and select the Advanced view check box, then choose the required option from the Value type drop-down box. If Template is selected, the risk score is updated according to the condition specified in the rule. If Script is selected, you can add a script or update the existing one.

Vulnerability Risk Score Weights

All vulnerabilities are assigned a risk score and a risk rating based on factors such as severity, criticality, and exploit information. The business rule Update Risk Rating from Risk Score on the container vulnerable item table calculates the risk rating: whenever the risk score changes, the risk rating is recalculated and populated on the container vulnerable item. Prior to version 17.1 of the Vulnerability Response (VR) application, the risk ratings were hard-coded in the script include VulnerabilityUtils.
Starting with version 18.0 of Vulnerability Response:
  • The risk rating types are shipped in the base table Risk Score Weights [sn_sec_cmn_risk_scorew_weights] as cvr_risk_rating. These types are passed to the business rules or script includes on each table where the risk rating is calculated.
  • The script is modified to query the entries in the Risk Score Weights table for the risk rating calculation.
  • You can add entries for an existing type or create a new type. When you create a new type, add the labels for the new risk rating, modify the related scripts and business rules, and add a new style for the new risk score.
  • You can modify the script that queries the records in the base table.
You can access the Risk Score Weights table by entering sn_sec_cmn_risk_score_weight in the filter navigator.
In addition, the risk score is automatically recalculated in the following scenarios:
  • When a configuration item (CI) changes from non-internet facing to internet facing.
  • When the associated Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) on the vulnerability items (VIs) are linked to a CVE Known Exploit Vulnerability (KEV).
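The following is an added example, not code from Container Vulnerability Response or ServiceNow. It models, in plain JavaScript, the behaviour this page describes: calculator groups evaluated in order with the first match used, the Notes entry written on each score change (group, calculator, fields weighted above 1 with their contributions, final score), the rating looked up from a weights table rather than hard-coded, and recalculation triggered by the two scenarios listed above. Every field name, weight, threshold, band and condition in it is a constructed assumption; none comes from the product.

```javascript
// Added example (not ServiceNow or Container Vulnerability Response code):
// a stand-alone model of the calculator chain described on this page. Every
// table, field name, weight, band and condition below is a constructed assumption.

// Constructed stand-in for the Risk Score Weights table (the cvr_risk_rating type):
// ordered bands, highest first, so the first band whose minimum is met wins.
const RISK_RATING_BANDS = [
  { rating: 'Critical', min: 80 },
  { rating: 'High', min: 60 },
  { rating: 'Medium', min: 30 },
  { rating: 'Low', min: 1 },
  { rating: 'None', min: 0 },
];

// Model of the "Update Risk Rating from Risk Score" business rule: derive the
// rating by querying the bands instead of hard-coding thresholds in a script.
function riskRatingFromScore(score) {
  const band = RISK_RATING_BANDS.find((b) => score >= b.min);
  return band ? band.rating : 'None';
}

// Calculator groups, evaluated in order; the first whose condition matches is used.
// The two group names are the page's; conditions and formulas are hypothetical.
const CALCULATOR_GROUPS = [
  {
    group: 'Vulnerability Severity',
    calculator: 'Severity mapping (Template)',
    // Hypothetical condition: records flagged to use severity-only scoring.
    condition: (cvit) => cvit.severity_only === true,
    compute: (cvit) => ({
      score: Math.min(100, Number(cvit.normalized_severity || 0) * 20),
      contributions: [],
    }),
  },
  {
    group: 'Default Risk Calculator',
    calculator: 'Risk rule (Script)',
    condition: () => true, // catch-all, so ordering makes it the fallback
    // Hypothetical weights; boolean fields count as 0 or 1.
    weights: { normalized_severity: 10, internet_facing: 25, kev: 30, asset_criticality: 1 },
    compute(cvit) {
      const contributions = [];
      let score = 0;
      for (const [field, weight] of Object.entries(this.weights)) {
        const contribution = weight * Number(cvit[field] || 0);
        score += contribution;
        // Only fields weighted above 1 are written to Notes, as the page describes.
        if (weight > 1) contributions.push({ field, value: cvit[field], contribution });
      }
      return { score: Math.min(100, score), contributions };
    },
  },
];

// Run the chain once and append an audit entry to the record's Notes.
function recalculate(cvit) {
  const calc = CALCULATOR_GROUPS.find((c) => c.condition(cvit));
  const { score, contributions } = calc.compute(cvit);
  const updated = { ...cvit, risk_score: score, risk_rating: riskRatingFromScore(score) };
  updated.notes = [
    ...(cvit.notes || []),
    { group: calc.group, calculator: calc.calculator, contributions, final_score: score },
  ];
  return updated;
}

// Apply a field change and recalculate only for the two triggers the page lists:
// the CI becomes internet facing, or a KEV link appears. In this model any other
// change leaves the score and the Notes untouched, so a reviewer can tell a
// triggered recalculation from an ordinary edit by the Notes entry it leaves.
function applyChange(cvit, change) {
  const next = { ...cvit, ...change };
  const becameInternetFacing = !cvit.internet_facing && next.internet_facing === true;
  const linkedToKev = !cvit.kev && next.kev === true;
  return becameInternetFacing || linkedToKev ? recalculate(next) : next;
}

// Walk-through on a constructed record: initial scoring, then the two triggers.
function demo() {
  let rec = recalculate({ normalized_severity: 3, internet_facing: false, kev: false, asset_criticality: 2 });
  rec = applyChange(rec, { internet_facing: true }); // trigger: recalculated
  rec = applyChange(rec, { kev: true });             // trigger: recalculated
  rec = applyChange(rec, { asset_criticality: 5 });  // not a trigger: score unchanged
  return rec;
}

console.log(JSON.stringify(demo().notes, null, 2));
```

Reading the Notes array after `demo()` shows three entries, one per recalculation, each naming the group and calculator and listing the weighted fields; the final edit to `asset_criticality` adds none, because it is not one of the listed triggers in this model.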

For more information, see Vulnerability Response calculators and vulnerability calculator rules.