CVSS & Security Dashboard

How CVSS Scores are used in the Dashboard

Each test has a CVSS score. The score is assigned statically: it is predefined before the test runs and does not change from run to run. The potential impact and the method required to attack or exploit the vulnerability determine the CVSS metrics chosen, so the score will usually differ from subtest to subtest, even if only slightly. For reference, you can reproduce a score with the FIRST CVSS 4.0 calculator: https://www.first.org/cvss/calculator/4.0

When you run the workflow, it tests all categories. For each category, the resulting CVSS score is composed from the category's subtests: the highest score among the subtests that did not pass is used as the CVSS for the category. It can be expressed with the following formula.

pf = 0 (Pass) or 1 (Fail)

CVSS1 = CVSSsubtest(1) * pfsubtest(1)

CVSS2 = CVSSsubtest(2) * pfsubtest(2)

CVSSi = CVSSsubtest(i) * pfsubtest(i)

For example, with four subtests in a category:

  i | CVSSsubtest(i) | pfsubtest(i) | CVSSi
 ---+----------------+--------------+-------
  1 |      3.5       |      0       |  0
  2 |      5.8       |      1       |  5.8
  3 |      9.4       |      0       |  0
  4 |      7.9       |      1       |  7.9

And we take the max of the subtests:

CVSScategory = max(CVSS1, CVSS2, ⋯, CVSSi)

Here is an example:

CVSScategory = max (0, 5.8, 0, 7.9) = 7.9

The displayed CVSS for the test category will be 7.9. Note that the category score is driven by the highest-scoring subtest that failed, not by the highest static score in the category: subtest 3 (9.4) passed, so it contributes 0. If every subtest in a category passes, every term is 0 and the category displays 0.
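The roll-up described above, implemented as an added example (this is illustration code written for this page, not the dashboard's own implementation). It applies the page's rules (static per-subtest score, pf = 0 for Pass and 1 for Fail, CVSSi = CVSSsubtest(i) * pfsubtest(i), category = max of the CVSSi) to the four-subtest table shown earlier, reports which failed subtest drove the category score, and covers the all-pass case where the category shows 0. The Subtest data model, the subtest names and the qualitative severity labels (FIRST's CVSS v4.0 rating scale: None, Low, Medium, High, Critical) are assumptions added here and are not part of the page.

```python
"""Category CVSS roll-up used by the dashboard, reimplemented for illustration.

Rules taken from the page:
  * every subtest has a static, predefined CVSS score
  * pf = 0 for Pass, 1 for Fail
  * CVSS_i = CVSS_subtest(i) * pf_subtest(i)
  * CVSS_category = max(CVSS_1, ..., CVSS_n)
The Subtest data model, subtest names and severity labels are assumptions
made for this example; they are not taken from the page.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Subtest:
    name: str       # hypothetical identifier, not a real test name
    cvss: float     # static score, fixed before the test runs
    passed: bool    # result of this run

    def __post_init__(self) -> None:
        # CVSS scores live in [0.0, 10.0]; reject anything else early
        if not 0.0 <= self.cvss <= 10.0:
            raise ValueError(f"{self.name}: CVSS {self.cvss} outside 0.0-10.0")


def pf(sub: Subtest) -> int:
    """pf_subtest(i): 0 for Pass, 1 for Fail."""
    return 0 if sub.passed else 1


def contribution(sub: Subtest) -> float:
    """CVSS_i = CVSS_subtest(i) * pf_subtest(i)."""
    return sub.cvss * pf(sub)


def category_score(subtests: Iterable[Subtest]) -> float:
    """CVSS_category = max over the subtests; 0.0 when nothing failed."""
    return max((contribution(s) for s in subtests), default=0.0)


def driving_subtest(subtests: Iterable[Subtest]) -> Optional[Subtest]:
    """The failed subtest whose static score became the category score.

    Useful for triage: fixing this finding is what lowers the displayed
    category CVSS. Returns None when every subtest passed.
    """
    failed = [s for s in subtests if not s.passed]
    if not failed:
        return None
    return max(failed, key=lambda s: s.cvss)


def severity(score: float) -> str:
    """Qualitative rating per FIRST's CVSS v4.0 severity scale.

    This is an extension of the page, which only shows the numeric score.
    """
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def category_report(subtests: list) -> dict:
    """One category's row for the dashboard: score, severity, driver."""
    score = category_score(subtests)
    driver = driving_subtest(subtests)
    return {
        "score": score,
        "severity": severity(score),
        "driver": driver.name if driver else None,
        "contributions": [(s.name, contribution(s)) for s in subtests],
    }


# Constructed sample input reproducing the page's four-subtest table
# (the names are made up; the scores and pass/fail flags are the page's).
EXAMPLE_SUBTESTS = [
    Subtest("subtest-1", 3.5, passed=True),
    Subtest("subtest-2", 5.8, passed=False),
    Subtest("subtest-3", 9.4, passed=True),
    Subtest("subtest-4", 7.9, passed=False),
]

if __name__ == "__main__":
    report = category_report(EXAMPLE_SUBTESTS)
    for name, value in report["contributions"]:
        print(f"{name}: {value}")
    print(f"category CVSS = {report['score']} ({report['severity']}), "
          f"driven by {report['driver']}")
```

Running the block prints the per-subtest contributions 0, 5.8, 0 and 7.9 and a category CVSS of 7.9, driven by the fourth subtest. Because the roll-up is a max rather than a sum, adding more failing low-scoring subtests to a category never raises its displayed score above the highest failing subtest; conversely, a single failing high-scoring subtest sets the category score on its own.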