CVSS v3 scores are now returned by the “List Vulnerabilities” and “Show Vulnerabilities” APIs. CVSS v3 fields can also be searched with the “Search Vulnerabilities” API and used to build a Risk Meter. Of course I feel that the Kenna Risk Score is a better number to use to remediate vulnerabilities, but some people have contractual requirements to report based on CVSS v3 scores.
What Scores Are Being Returned?
The following CVSS v3 scores are returned:
- exploit_subscore – A numerical score reflecting the ease and technical means by which the vulnerability can be exploited. The Exploitability subscore equation is derived from the Base Exploitability metrics.
- impact_subscore – A numerical score reflecting the direct consequence of a successful exploit, i.e. the consequence to the thing that suffers the impact. The Impact subscore equation is derived from the Base Impact metrics.
- temporal_subscore – A numerical score reflecting the characteristics of a vulnerability that may change over time but not across user environments.
- score – A numerical score indicating the severity of a vulnerability relative to other vulnerabilities. This is not the sum of the above subscores but a separate calculation.
All the scores are floating point numbers and are returned by the “Show Vulnerabilities” and “List Vulnerabilities” APIs wrapped in a cvss_v3 object. The scoring equations are explained by the NVD CVSSv3 calculator.
The same subscores are also returned for CVSS v2 by “Show Vulnerabilities” and “List Vulnerabilities”, in the cvss_v2 object. The scoring equations are located at the NVD CVSSv2 calculator.
Searching Vulnerabilities
Searching for vulnerabilities with CVSS v3 is done via the q query parameter of the “Search Vulnerabilities” API, which uses terms from the Kenna Search Terms help page. That page has been updated to reflect the CVSS v3 and CVSS v2 changes; to find the CVSS search terms, search the page for cvss_v. These search terms can also be used for a vulnerability export and for creating a risk meter.
Let’s look at some examples:
- Find vulnerabilities with CVSS v3 scores greater than 8:
  q=cvss_v3_score:>8
- Find vulnerabilities with CVSS v3 exploit scores greater than 7.5:
  q=cvss_v3_exploit_subscore:>7.5
- Find vulnerabilities with CVSS scores greater than 7. There are multiple techniques:
  - Do two separate queries:
    q=cvss_v3_score:>7
    q=cvss_v2_score:>7
    There could be duplicates, which the client code would have to resolve.
  - Do three queries and merge the search results:
    q=cvss_v3_score:>7 AND cvss_v2_score:>7
    q=cvss_v2_score:>8 AND -_exists_:cvss_v3_score
    q=cvss_v3_score:>8 AND -_exists_:cvss_v2_score
    There should be no duplicates. However, since CVSS v3 and CVSS v2 scores are calculated differently, a CVSS v3 score of 7 is not the same as a CVSS v2 score of 7.
  - Not supported today:
    cvss_v3_score:>7 OR cvss_v2_score:>7
- Find vulnerabilities with CVSS v3 scores greater than 6.4 that have Windows as the OS:
  q=cvss_v3_score:>6.4 AND os:Windows
- Find vulnerabilities with CVSS v2 scores greater than 8 without CVSS v3 scores:
  q=cvss_v2_score:>8 AND -_exists_:cvss_v3_score
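The merging that the post leaves to client code, as an added example that is not Kenna's own: it runs the two-query and three-query techniques above over constructed records in the cvss_v2/cvss_v3 shape described earlier and merges the result sets by id. The small local evaluator stands in for the server-side filter and is an assumption covering only the syntax these queries use (field:>N, -_exists_:field, AND); against the real API each query string would be sent as the q parameter instead.

```python
# Added example, not Kenna's code. Constructed records in the cvss_v2 / cvss_v3 shape
# the post describes; in practice the Search Vulnerabilities API returns them.
SAMPLE = [
    {"id": 1, "cvss_v2": {"score": 9.0}, "cvss_v3": {"score": 8.8}},  # both high
    {"id": 2, "cvss_v2": {"score": 8.5}},                              # v2 only
    {"id": 3, "cvss_v3": {"score": 9.1}},                              # v3 only
    {"id": 4, "cvss_v2": {"score": 7.5}, "cvss_v3": {"score": 6.0}},  # v2 > 7, v3 <= 7
    {"id": 5, "cvss_v2": {"score": 4.0}, "cvss_v3": {"score": 5.3}},  # neither
]
TWO_QUERIES = ["cvss_v3_score:>7", "cvss_v2_score:>7"]
THREE_QUERIES = [
    "cvss_v3_score:>7 AND cvss_v2_score:>7",
    "cvss_v2_score:>8 AND -_exists_:cvss_v3_score",
    "cvss_v3_score:>8 AND -_exists_:cvss_v2_score",
]

def _field(vuln, name):
    """Map a term like cvss_v3_score onto vuln["cvss_v3"]["score"] (None if absent)."""
    obj, key = name[:7], name[8:]  # assumes the cvss_vN_ prefix of the post's search terms
    return vuln.get(obj, {}).get(key)

def _term(vuln, term):
    """Evaluate one term; only field:>N and -_exists_:field occur in these queries."""
    if term.startswith("-_exists_:"):
        return _field(vuln, term[len("-_exists_:"):]) is None
    field, op_val = term.split(":", 1)
    value = _field(vuln, field)
    return value is not None and value > float(op_val[1:])

def matches(vuln, q):
    """Local stand-in for the server-side filter; AND only, since OR is not supported."""
    return all(_term(vuln, t) for t in q.split(" AND "))

def run(queries, vulns=SAMPLE):
    """Ids each query returns, one list per query, as the API would page them back."""
    return [[v["id"] for v in vulns if matches(v, q)] for q in queries]

def merge(result_sets):
    """Client-side merge keyed on id; returns (merged ids, number of duplicates dropped)."""
    merged = []
    for i in (i for ids in result_sets for i in ids):
        if i not in merged:
            merged.append(i)
    total = sum(len(ids) for ids in result_sets)
    return merged, total - len(merged)

if __name__ == "__main__":
    print("two queries:", merge(run(TWO_QUERIES)))      # id 1 comes back twice
    print("three queries:", merge(run(THREE_QUERIES)))  # disjoint sets, no duplicates
```

Note that record 4 (v2 above 7, v3 below 7) is selected by the two-query merge but by none of the three queries, which require both scores above the threshold when both exist.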
By the way, if there is existing code that uses cvss_serverity and cvss_threat in vulnerability searches, it will still work. The field cvss_serverity is a rounded cvss_v2_score, and cvss_threat is a rounded cvss_v2_temporal_subscore. These deprecated search terms should be replaced with the new search terms.
Creating Risk Meters
Risk meters can be created using CVSS v3 fields. Similar to “Search Vulnerabilities”, “Create Asset Group and Risk Meter” uses the q query parameter in the same way, so the q query parameter examples above can be used.
But there is a problem: unfortunately, a risk meter cannot be created that is based on both CVSS v3 and CVSS v2 scores. The approaches mentioned in #3 above will not work for risk meters, because a risk meter is defined by a single q query. What to do, what to do?
Create two risk meters, one for CVSS v3 and the other for CVSS v2. Of course there would be some overlap, but with this solution the CVSS score calculations are separated into distinct risk meters.
And just like searching vulnerabilities, risk meters created with cvss_serverity and cvss_threat will still work.
Conclusion
Now you know about the new CVSS v3 and CVSS v2 search terms and how to use them for searching vulnerabilities and creating risk meters.
Until next time,
References
- CVSS v2 Calculator
- CVSS v3 Calculator
- CVSS User Guide
- CVSS Base Score Explained
- CVSS v2 versus CVSS v3
- CVSS Scoring System Data Representation
- How to create a CISA Risk Meter