CIS benchmarks don't really have a High, Medium, Low vulnerability severity context. Their Levels 1, 2 refer to complexity of implementation of a configuration setting, not the severity of the vulnerability to a system that doesn't implement the setting in question. Our early cis-to-inspec stub-out code inadvertantly mapped these levels to medium (0.5) and high (0.7).
This branch/PR corrects this by setting all impacts to 0.5 and severity tag to medium. (just "down the middle / even for all")
CIS benchmarks don't really have a High, Medium, Low vulnerability severity context. Their Levels 1, 2 refer to complexity of implementation of a configuration setting, not the severity of the vulnerability to a system that doesn't implement the setting in question. Our early cis-to-inspec stub-out code inadvertantly mapped these levels to medium (0.5) and high (0.7).
This branch/PR corrects this by setting all impacts to 0.5 and severity tag to medium. (just "down the middle / even for all")