Initial commit
This commit is contained in:
Zhongwei Li
210
skills/devsecops/container-grype/references/cvss_guide.md
Normal file
210
skills/devsecops/container-grype/references/cvss_guide.md
Normal file
@@ -0,0 +1,210 @@
|
||||
# CVSS Severity Rating Guide
|
||||
|
||||
Common Vulnerability Scoring System (CVSS) is a standardized framework for rating vulnerability severity.
|
||||
|
||||
## Table of Contents
|
||||
- [CVSS Score Ranges](#cvss-score-ranges)
|
||||
- [Severity Ratings](#severity-ratings)
|
||||
- [CVSS Metrics](#cvss-metrics)
|
||||
- [Interpreting Scores](#interpreting-scores)
|
||||
- [Remediation SLAs](#remediation-slas)
|
||||
|
||||
## CVSS Score Ranges
|
||||
|
||||
| CVSS Score | Severity Rating | Description |
|
||||
|------------|----------------|-------------|
|
||||
| 0.0 | None | No vulnerability |
|
||||
| 0.1 - 3.9 | Low | Minimal security impact |
|
||||
| 4.0 - 6.9 | Medium | Moderate security impact |
|
||||
| 7.0 - 8.9 | High | Significant security impact |
|
||||
| 9.0 - 10.0 | Critical | Severe security impact |
|
||||
|
||||
## Severity Ratings
|
||||
|
||||
### Critical (9.0 - 10.0)
|
||||
|
||||
**Characteristics**:
|
||||
- Trivial to exploit
|
||||
- No user interaction required
|
||||
- Remote code execution or complete system compromise
|
||||
- Affects default configurations
|
||||
|
||||
**Examples**:
|
||||
- Unauthenticated remote code execution
|
||||
- Critical SQL injection allowing full database access
|
||||
- Authentication bypass in critical services
|
||||
|
||||
**Action**: Remediate immediately (within 24-48 hours)
|
||||
|
||||
### High (7.0 - 8.9)
|
||||
|
||||
**Characteristics**:
|
||||
- Easy to exploit with moderate skill
|
||||
- May require user interaction or specific conditions
|
||||
- Significant data exposure or privilege escalation
|
||||
- Affects common configurations
|
||||
|
||||
**Examples**:
|
||||
- Authenticated remote code execution
|
||||
- Cross-site scripting (XSS) in privileged contexts
|
||||
- Privilege escalation vulnerabilities
|
||||
|
||||
**Action**: Remediate within 7 days
|
||||
|
||||
### Medium (4.0 - 6.9)
|
||||
|
||||
**Characteristics**:
|
||||
- Requires specific conditions or elevated privileges
|
||||
- Limited impact or scope
|
||||
- May require local access or user interaction
|
||||
|
||||
**Examples**:
|
||||
- Information disclosure of non-sensitive data
|
||||
- Denial of service with mitigating factors
|
||||
- Cross-site request forgery (CSRF)
|
||||
|
||||
**Action**: Remediate within 30 days
|
||||
|
||||
### Low (0.1 - 3.9)
|
||||
|
||||
**Characteristics**:
|
||||
- Difficult to exploit
|
||||
- Minimal security impact
|
||||
- Requires significant user interaction or unlikely conditions
|
||||
|
||||
**Examples**:
|
||||
- Information leakage of minimal data
|
||||
- Low-impact denial of service
|
||||
- Security misconfigurations with limited exposure
|
||||
|
||||
**Action**: Remediate within 90 days or next maintenance cycle
|
||||
|
||||
## CVSS Metrics
|
||||
|
||||
CVSS v3.1 scores are calculated from three metric groups:
|
||||
|
||||
### Base Metrics (Primary Factors)
|
||||
|
||||
**Attack Vector (AV)**:
|
||||
- Network (N): Remotely exploitable
|
||||
- Adjacent (A): Requires local network access
|
||||
- Local (L): Requires local system access
|
||||
- Physical (P): Requires physical access
|
||||
|
||||
**Attack Complexity (AC)**:
|
||||
- Low (L): No specialized conditions required
|
||||
- High (H): Requires specific conditions or expert knowledge
|
||||
|
||||
**Privileges Required (PR)**:
|
||||
- None (N): No authentication needed
|
||||
- Low (L): Basic user privileges required
|
||||
- High (H): Administrator privileges required
|
||||
|
||||
**User Interaction (UI)**:
|
||||
- None (N): No user interaction required
|
||||
- Required (R): Requires user action (e.g., clicking a link)
|
||||
|
||||
**Scope (S)**:
|
||||
- Unchanged (U): Vulnerability affects only the vulnerable component
|
||||
- Changed (C): Vulnerability affects resources beyond the vulnerable component
|
||||
|
||||
**Impact Metrics** (Confidentiality, Integrity, Availability):
|
||||
- None (N): No impact
|
||||
- Low (L): Limited impact
|
||||
- High (H): Total or serious impact
|
||||
|
||||
### Temporal Metrics (Optional)
|
||||
|
||||
Time-dependent factors:
|
||||
- Exploit Code Maturity
|
||||
- Remediation Level
|
||||
- Report Confidence
|
||||
|
||||
### Environmental Metrics (Optional)
|
||||
|
||||
Organization-specific factors:
|
||||
- Modified Base Metrics
|
||||
- Confidentiality/Integrity/Availability Requirements
|
||||
|
||||
## Interpreting Scores
|
||||
|
||||
### Context Matters
|
||||
|
||||
CVSS scores should be interpreted in context:
|
||||
|
||||
**High-Value Systems**: Escalate severity for:
|
||||
- Production systems
|
||||
- Customer-facing applications
|
||||
- Systems handling PII or financial data
|
||||
- Critical infrastructure
|
||||
|
||||
**Low-Value Systems**: May de-prioritize for:
|
||||
- Development/test environments
|
||||
- Internal tools with limited access
|
||||
- Deprecated systems scheduled for decommission
|
||||
|
||||
### Complementary Metrics
|
||||
|
||||
Consider alongside CVSS:
|
||||
|
||||
**EPSS (Exploit Prediction Scoring System)**:
|
||||
- Probability (0-100%) that a vulnerability will be exploited in the wild
|
||||
- High EPSS + High CVSS = Urgent remediation
|
||||
|
||||
**CISA KEV (Known Exploited Vulnerabilities)**:
|
||||
- Active exploitation confirmed in the wild
|
||||
- KEV presence overrides CVSS - remediate immediately
|
||||
|
||||
**Reachability**:
|
||||
- Is the vulnerable code path actually executed?
|
||||
- Is the vulnerable dependency directly or transitively included?
|
||||
|
||||
## Remediation SLAs
|
||||
|
||||
### Industry Standard SLA Examples
|
||||
|
||||
| Severity | Timeframe | Priority |
|
||||
|----------|-----------|----------|
|
||||
| Critical | 24-48 hours | P0 - Drop everything |
|
||||
| High | 7 days | P1 - Next sprint |
|
||||
| Medium | 30 days | P2 - Planned work |
|
||||
| Low | 90 days | P3 - Maintenance cycle |
|
||||
|
||||
### Adjusted for Exploitability
|
||||
|
||||
**If CISA KEV or EPSS > 50%**:
|
||||
- Reduce timeframe by 50%
|
||||
- Example: High (7 days) → 3-4 days
|
||||
|
||||
**If proof-of-concept exists**:
|
||||
- Treat High as Critical
|
||||
- Treat Medium as High
|
||||
|
||||
**If actively exploited**:
|
||||
- All severities become Critical (immediate remediation)
|
||||
|
||||
## False Positives and Suppressions
|
||||
|
||||
Not all reported vulnerabilities require immediate action:
|
||||
|
||||
### Valid Suppression Reasons
|
||||
|
||||
- **Not Reachable**: Vulnerable code path not executed
|
||||
- **Mitigated**: Compensating controls in place (WAF, network segmentation)
|
||||
- **Not Affected**: Version mismatch or platform-specific vulnerability
|
||||
- **Risk Accepted**: Business decision with documented justification
|
||||
|
||||
### Documentation Requirements
|
||||
|
||||
For all suppressions:
|
||||
1. CVE ID and affected package
|
||||
2. Detailed justification
|
||||
3. Approver and approval date
|
||||
4. Review/expiration date (quarterly recommended)
|
||||
5. Compensating controls if applicable
|
||||
|
||||
## References
|
||||
|
||||
- [CVSS v3.1 Specification](https://www.first.org/cvss/specification-document)
|
||||
- [CVSS Calculator](https://www.first.org/cvss/calculator/3.1)
|
||||
- [NVD CVSS Severity Distribution](https://nvd.nist.gov/vuln/severity-distribution)
|
||||
Reference in New Issue
Block a user