Setting Up Vulnerability Risk Scoring

By default, the Vulnerability Risk Score feature calculates risk scores for vulnerabilities in RiskVision automatically. You do not need to do anything for the scores to be calculated, other than ensure that vulnerabilities carrying the required data (entity criticality plus a CVSS or Enhanced score) are present in RiskVision.

When a vulnerability has CVE mappings, data from those CVEs is used to calculate the Vulnerability Risk Factor. If no CVE mappings exist for the vulnerability, RiskVision falls back to the data available directly on the vulnerability instance, provided that data is sufficient to calculate the Vulnerability Risk Factor; if it is not, no factor (and therefore no score) is produced for that instance.

The formula that RiskVision uses for the vulnerability risk score is as follows:

Vulnerability Instance Risk Score = Entity Criticality Factor * Vulnerability Risk Factor

For additional background on the Vulnerability Risk Score feature, please refer to the Understanding Vulnerability Details section of the Threat and Vulnerability Manager User Guide.

By default, the Entity Criticality Factor is equal to the entity criticality value stored in the RiskVision database. If no Low-Medium-High value has been set for an entity, its entity criticality value is null, which leaves the risk score undefined for that entity's vulnerability instances. A High entity criticality usually equates to a numerical value of 10, Medium to 7, and Low to 3. However, the values stored for some entities in your database may differ from these, so check the entity record before relying on a computed score.

The Vulnerability Risk Factor can be set to be equal to either the Enhanced Score or the CVSS Score. By default, it uses the CVSS v2 score. To override this behavior, set the following property in the agiliance.properties file:

vulnerability.risk.factor = enhanced_score

Note: For the property value change to take effect and be recorded in the database, you must restart the server.
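The calculation described above, modelled in Python as an added example. This is not RiskVision's own code: the function names, the dictionary layout used for a vulnerability and its mapped CVEs, the comment syntax assumed for agiliance.properties, and the rule that the highest score among several mapped CVEs drives the factor are all assumptions made for illustration. The sample vulnerabilities and property file text are constructed.

```python
"""Worked model of the RiskVision vulnerability risk score described above.

Added example, not RiskVision code. Names, data layout and the CVE-aggregation
rule are assumptions for illustration only.
"""
from typing import Optional

# Usual Low/Medium/High numeric values named on the page; the values stored
# for particular entities in a real database may differ.
CRITICALITY_VALUES = {"High": 10.0, "Medium": 7.0, "Low": 3.0}


def read_risk_factor_setting(properties_text: str) -> str:
    """Return the vulnerability.risk.factor value from agiliance.properties text.

    Defaults to "cvss_score" (CVSS v2) when the property is absent, matching the
    documented default. Lines starting with '#' are skipped (assumed syntax).
    """
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "vulnerability.risk.factor":
            return value.strip()
    return "cvss_score"


def entity_criticality_factor(criticality: Optional[str]) -> Optional[float]:
    """Map an entity's Low/Medium/High criticality to its numeric factor.

    An entity with no criticality set yields None (null in the database), so no
    score can be produced for its vulnerability instances.
    """
    if criticality is None:
        return None
    return CRITICALITY_VALUES.get(criticality)


def vulnerability_risk_factor(vuln: dict, setting: str = "cvss_score") -> Optional[float]:
    """Derive the Vulnerability Risk Factor from mapped CVEs or, failing that, instance data.

    Assumed layout: {"cves": [{"cvss_v2": ..., "enhanced_score": ...}, ...],
    "cvss_v2": ..., "enhanced_score": ...}. Mapped CVEs take precedence; the
    instance's own fields are consulted only when no CVE mappings exist.
    """
    field = "enhanced_score" if setting == "enhanced_score" else "cvss_v2"
    sources = vuln.get("cves") or [vuln]
    scores = [s[field] for s in sources if s.get(field) is not None]
    if not scores:
        return None  # insufficient data to calculate the factor
    # Assumption: with several mapped CVEs, the highest score drives the factor.
    return max(scores)


def vulnerability_instance_risk_score(
    criticality: Optional[str], vuln: dict, setting: str = "cvss_score"
) -> Optional[float]:
    """Vulnerability Instance Risk Score = Entity Criticality Factor * Vulnerability Risk Factor.

    Returns None when either factor is unavailable (null criticality or no usable score).
    """
    ecf = entity_criticality_factor(criticality)
    vrf = vulnerability_risk_factor(vuln, setting)
    if ecf is None or vrf is None:
        return None
    return ecf * vrf


# Constructed sample data (not real CVE scores).
SAMPLE_VULN_WITH_CVES = {
    "cves": [
        {"cvss_v2": 7.5, "enhanced_score": 8.5},
        {"cvss_v2": 5.0, "enhanced_score": 6.5},
    ],
    "cvss_v2": 4.0,  # ignored because CVE mappings exist
}
SAMPLE_VULN_NO_CVES = {"cves": [], "cvss_v2": 5.0}
SAMPLE_VULN_NO_DATA = {"cves": []}

# Constructed agiliance.properties excerpt that switches to the Enhanced Score.
SAMPLE_PROPERTIES = "# constructed excerpt\nvulnerability.risk.factor = enhanced_score\n"

if __name__ == "__main__":
    print(vulnerability_instance_risk_score("High", SAMPLE_VULN_WITH_CVES))
    setting = read_risk_factor_setting(SAMPLE_PROPERTIES)
    print(vulnerability_instance_risk_score("High", SAMPLE_VULN_WITH_CVES, setting))
    print(vulnerability_instance_risk_score("Medium", SAMPLE_VULN_NO_CVES))
    print(vulnerability_instance_risk_score("Low", SAMPLE_VULN_NO_DATA))
    print(vulnerability_instance_risk_score(None, SAMPLE_VULN_WITH_CVES))
```

The two None-returning cases at the end are the ones to watch for in practice: a vulnerability instance with neither CVE mappings nor its own score, and an entity whose criticality was never set, both silently produce no score rather than a low one.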