qmontal opened this issue 5 years ago (status: Open)
Implementation started at #177.

To keep track, my understanding is:

- `risk`: the vendor's risk level as a string
- `risk_number`: the vendor's risk number
- `risk_score`: the CVSS score
- `risk_score_name`: a string representing the risk based on the CVSS value

Currently `risk_score_name` has been renamed to `cvss_severity` and `risk_score` is just `cvss`. With additional data sources we now also have `cvss3` and `cvss3_severity`. `cvss` and `cvss3` are calculated as the `cvss_temporal` or the `cvss_base`, in that order.
- `risk` -> `risk`
- `risk_number` -> `risk_number`
- `risk_score` -> `cvss`
- `risk_score_name` -> `cvss_severity`
@pemontto that is indeed how it should be, thanks for the confirmation!
Would a `risk_source` be valuable? Or is it something that already exists as a field?
The thought behind it is: if you are using both Nessus and Qualys, you want to see the source of the `risk` value or the `risk_number` value, because both use their own reasoning for the risk. This is for when you have both scanners scanning the same endpoint and finding the same vulnerability, but each setting a different risk value.
@elvarb yes, in beta-2.0 we export a `scan_source` field which is set to the name of the config section (tenable, nessus, qualys_vm, qualys_was, openvas). We also export a `vendor` field that looks like the below for the various sources:

- tenable -> Tenable
- nessus -> Tenable
- qualys_vm -> Qualys
- qualys_was -> Qualys
- openvas -> Greenbone
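The following is an added example, not VulnWhisperer's own code, showing how the two mappings described in this thread (the legacy `risk_score`/`risk_score_name` renames with `cvss` taken from `cvss_temporal` before `cvss_base`, and the `scan_source` -> `vendor` table) can be applied to raw findings from two scanners that report the same vulnerability with different `risk` values. The sample findings are constructed, and the severity bands used for `cvss_severity`/`cvss3_severity` are the standard CVSS v2 and v3 qualitative ratings, which is an assumption: the thread does not say which thresholds the project uses.

```python
"""Normalise scanner findings into one field layout.

Added example (not VulnWhisperer code). Field renames, the
temporal-before-base rule and the scan_source -> vendor table follow
the thread; the severity thresholds are the standard CVSS v2/v3 bands
and are an assumption about what the project does.
"""
from typing import Optional

# Legacy field name -> beta-2.0 field name, as confirmed in the thread.
LEGACY_FIELD_MAP = {
    "risk": "risk",
    "risk_number": "risk_number",
    "risk_score": "cvss",
    "risk_score_name": "cvss_severity",
}

# Config section name -> vendor, as exported in beta-2.0.
VENDOR_MAP = {
    "tenable": "Tenable",
    "nessus": "Tenable",
    "qualys_vm": "Qualys",
    "qualys_was": "Qualys",
    "openvas": "Greenbone",
}


def pick_cvss(temporal: Optional[float], base: Optional[float]) -> Optional[float]:
    """Prefer the temporal score, fall back to the base score, None if neither."""
    return temporal if temporal is not None else base


def cvss2_severity(score: Optional[float]) -> Optional[str]:
    """CVSS v2 qualitative bands (NVD convention; assumed, not from the thread)."""
    if score is None:
        return None
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def cvss3_severity(score: Optional[float]) -> Optional[str]:
    """CVSS v3.x qualitative bands from the v3 spec (assumed, not from the thread)."""
    if score is None:
        return None
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def normalise(scan_source: str, finding: dict) -> dict:
    """Return one finding in the unified layout.

    Legacy names are renamed first; if the raw finding carries
    cvss*_temporal / cvss*_base values, the derived cvss / cvss3 and their
    severities take precedence over whatever the legacy fields said.
    """
    if scan_source not in VENDOR_MAP:
        raise ValueError(f"unknown scan_source: {scan_source}")
    out = {"scan_source": scan_source, "vendor": VENDOR_MAP[scan_source]}
    for old, new in LEGACY_FIELD_MAP.items():
        if old in finding:
            out[new] = finding[old]
    cvss = pick_cvss(finding.get("cvss_temporal"), finding.get("cvss_base"))
    cvss3 = pick_cvss(finding.get("cvss3_temporal"), finding.get("cvss3_base"))
    if cvss is not None:
        out["cvss"] = cvss
        out["cvss_severity"] = cvss2_severity(cvss)
    if cvss3 is not None:
        out["cvss3"] = cvss3
        out["cvss3_severity"] = cvss3_severity(cvss3)
    return out


# Constructed sample findings (not real scanner output): the same host and
# vulnerability seen by two scanners that disagree on the vendor "risk".
SAMPLE_FINDINGS = [
    ("nessus", {"risk": "High", "risk_number": 3,
                "cvss_base": 7.5, "cvss_temporal": 6.2, "cvss3_base": 9.8}),
    ("qualys_vm", {"risk": "Medium", "risk_number": 3,
                   "cvss_base": 7.5, "cvss3_base": 9.8, "cvss3_temporal": 8.5}),
]

if __name__ == "__main__":
    for source, raw in SAMPLE_FINDINGS:
        print(normalise(source, raw))
```

Running it shows why `scan_source` and `vendor` answer the question raised above: both normalised records carry `cvss3 = 9.8` from the shared base score (Nessus has no v3 temporal score, Qualys's 8.5 temporal score wins for it), while `risk` stays "High" for one and "Medium" for the other, and `scan_source` tells you which scanner said what.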
The vulnerability index of ECS was released in December 2019 with version 1.3, so we will be working on using it as the official Vulnerability Standard on which VulnWhisperer relies. We will be working on the mapping as soon as we get resources to continue with the whole refactoring.
Create a VulnWhisperer Vulnerability Standard template for all scanner results to follow when being stored locally. This will unify all the differences from the scanners into a single structure, which will make VulnWhisperer easier to integrate with new modules and less prone to errors and failures.
This change will mean:
Also, ideally the new standard Logstash config would follow ECS already (#97).
Resources:

- https://github.com/elastic/ecs/issues/113
- https://github.com/DefectDojo/sample-scan-files
- https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-findings-format.html#securityhub-findings-format-syntax