Application vulnerability calculators automate calculating initial risk values for the fields on application vulnerable items (AVIs). Risk calculations offer insight into prioritizing remediation. The condition for each calculator is evaluated in order, and the first matching calculator is used.

Application Vulnerability Calculators

The Application Vulnerability Response base system includes two vulnerability calculators that set the base Risk Score on the application vulnerable item.
  • Basic Risk Calculator
  • Advanced Risk Calculator

Application vulnerability calculators can be built to prioritize and rate the impact of AVIs based on any criteria by using condition filters. Whether it’s the business impact of the vulnerability, the class of the configuration item (CI), or the age of the AVI, you can create additional vulnerability calculators to set other fields on AVIs. Or you can customize the existing vulnerability calculators. A calculator can be written to reflect any set of priorities. See Filtering within Application Vulnerability Management for more information.

AVIs contain the Risk Score value derived from the risk calculators.
Note: An AVI displays Source Severity but not normalized severity. Normalized severity is used by the calculators to get the Risk Score value but isn’t shown on AVIs.

Each calculator contains a list of calculator rules, with a condition determining when to apply it. When the calculator is run, the condition for each calculator rule is evaluated in order, and the first matching calculator rule is used.

All enabled vulnerability calculators set the selected fields each time that an AVI is created, when an associated CI or vulnerability changes.

The Basic Risk calculator calculates Risk Score for AVIs using the normalized vulnerability severity.
Note: Only one calculator per target field (Risk Score) can be active at a time.

The Basic Risk is enabled by default. The Advanced Risk Calculator is inactive by default.

Application vulnerability calculator rules

The base system Basic Risk Calculator calculator contains calculator rules that assign each level of severity (None to Critical) a value (0-100) for Risk Score based on severity. Unknown Severity is automatically assigned a risk score of 100. These values can be adjusted and, like Advanced Risk Calculator, new calculator rules or new risk rules can be created.
Note: Starting with v23.0 of Application Vulnerability Response, whenever the risk score is updated on an AVIT, the Notes section is updated with the following details:
  • Calculator group name
  • Calculator name: Depending on whether the calculator rule is based on a template or a script, the name is appended with the details in brackets. To modify or view the basis of the calculator rule, select any rule and select the Advanced view check box. From the Value type drop-down box, select the required option. If Template is selected, the risk score is updated according to the specified condition in the rule. If Script is selected, you can either add or update the existing script. The system property sn_sec_cmn.risk_score_changes_add_worknotes helps populate the Work notes section. Starting with v25.0.3 of Application Vulnerability Response, the system property sn_sec_cmn.risk_score_changes_add_worknotes is inactive by default. If you enable it, only then you can see all the changes related to the risk score of an application vulnerable item in the Work notes section. Additionally, the work notes are updated only if there’s a change in the risk score.
The base system Advanced Risk Calculator calculator contains a specialized vulnerability calculator rule called Default Risk Rule. It calculates Risk Score based on multiple values:
  • Vulnerability severity
  • OWASP top 10
  • SANS top 25
You can customize the criteria for the default risk rule. For more information, see Define fields and weights for the risk rule.

You can adjust the values to use in the Default Risk Rule and how much weight to give each of these values. Weights are used to adjust how much each element counts when setting the Risk Score.

Each rule has an Order setting however, the first one to match the conditions updates the Risk score field in the AVI. Non-scripted calculator rules typically create less of a performance impact than scripted calculator rules.

Vulnerability Risk Score Weights

All vulnerabilities are assigned a risk score and rating based on factors such as severity, criticality, exploit information, and so on. The business rule Update Risk Rating from Risk Score on the vulnerable item table is responsible for calculating the risk rating. Whenever the risk score changes, the risk rating is calculated and populated on the vulnerable items. Prior to version 17.1 of the Vulnerability Response (VR) application, the following risk ratings were provided as part of script include VulnerabilityUtils, which were hard-coded.
Value (Risk Rating)Weight (Risk Score)
1 90–100
2 70–89
3 40–69
4 1–39
5 0
Starting with the 18.0 version of Vulnerability Response,
  • The risk rating types are shipped in the base table as avr_risk_rating. These types are passed as part of the business rule on each table where the risk rating is calculated.
  • The script is modified so that you can query the entries in the Risk Score Weights table values for risk rating calculation.
  • Add additional entries for an existing type or create a new type. When you create a new type, ensure that you add the labels for the new risk rating, and also modify the related scripts and business rules. You must also add a new style for the new risk score.
  • Modify the script to query the records in the base table.
You can access the Risk Score Weights table by entering sn_sec_cmn_risk_score_weight in the filter navigator.
In addition, the risk score is automatically recalculated in the following scenarios:
  • When a configuration item (CI) changes from non-internet facing to internet facing.
  • When the associated Common Vulnerabilities and Exposures (CVEs) or third-party entries (TPEs) on the vulnerability items (VIs) are linked to a CVE Known Exploit Vulnerability (KEV).