
Methodology

Mark E. Haase edited this page Jun 18, 2024 · 6 revisions

Calculator

The CWE Calculator uses the following methodology to compute scores, based on the CWE Top 25 methodology.

  • If normalization is enabled, the calculator checks if the requested CWE should be mapped to another CWE. If so, that CWE is selected for the rest of the analysis, otherwise the original CWE remains selected.
  • For each CVE record in the cached data that is mapped to the requested CWE:
    • If the CVE is unscored, rejected, or has no CWE mapping, remove it from consideration.
    • Apply the environmental metrics, if supplied, to the CVSS base score.
    • Obtain the resulting CVSS score for the CVE.
  • Compute the distribution of the CVSS scores for the selected CVEs: min, mean, max, and standard deviation.

Normalization

The CWE Top 25 project developed a process to "re-map" some CWEs to higher level or more concrete CWEs. By default, the CWE Calculator uses the same normalization process (you can view the mapping in data/normalized.csv). To supply your own normalization, create a CSV file containing two columns: the source CWE number and the CWE number it should be mapped to. Here's an example:

7,755
14,Other
15,668
20,20
22,22
23,22
24,23
25,23
26,22
27,23
...snip...

The first row indicates that CWE-7: J2EE Misconfiguration: Missing Custom Error Page is re-mapped to CWE-755: Improper Handling of Exceptional Conditions, which is a broader entry that is likely to match more CVEs.

The calculator (in both command line and web service form) allows you to specify your own re-mapping data. See the tools' respective documentation for more details.
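The steps listed under Calculator, together with the two-column re-mapping format described above, as an added Python example (not the project's own code). The function names, the record layout, the `adjust` hook that stands in for the environmental-metric step, and the use of the population standard deviation are all assumptions; the CSV rows and CVE records are constructed for the example.

```python
import csv
import io
import statistics

# Constructed two-column re-mapping CSV (source CWE, target CWE) in the format
# described above; a made-up subset, not the project's data/normalized.csv.
NORMALIZATION_CSV = "7,755\n14,Other\n22,22\n23,22\n24,23\n"

# Constructed stand-in for the calculator's cached CVE data. score=None means
# unscored, cwe=None means no CWE mapping; these are not real CVE records.
CVE_RECORDS = [
    {"id": "CVE-0000-0001", "cwe": "22", "score": 7.5, "rejected": False},
    {"id": "CVE-0000-0002", "cwe": "22", "score": None, "rejected": False},  # unscored
    {"id": "CVE-0000-0003", "cwe": "22", "score": 9.8, "rejected": True},   # rejected
    {"id": "CVE-0000-0004", "cwe": None, "score": 5.3, "rejected": False},  # no CWE mapping
    {"id": "CVE-0000-0005", "cwe": "22", "score": 5.3, "rejected": False},
    {"id": "CVE-0000-0006", "cwe": "23", "score": 6.1, "rejected": False},
]

def load_normalization(text):
    """Parse the re-mapping CSV into {source CWE: target CWE}; blank lines are skipped."""
    return {row[0].strip(): row[1].strip() for row in csv.reader(io.StringIO(text)) if row}

def normalize(cwe, mapping, enabled=True):
    """Step 1: when normalization is enabled, swap the requested CWE for its mapped CWE (one hop)."""
    return mapping.get(cwe, cwe) if enabled else cwe

def select_scores(cwe, records, adjust=lambda score: score):
    """Step 2: scores of cached CVEs mapped to `cwe`, dropping unscored, rejected and unmapped
    records. `adjust` is a hypothetical hook for the environmental-metric step (identity here)."""
    scores = []
    for rec in records:
        if rec["cwe"] is None or rec["rejected"] or rec["score"] is None:
            continue
        if rec["cwe"] == cwe:
            scores.append(adjust(rec["score"]))
    return scores

def distribution(scores):
    """Step 3: (min, mean, max, stdev) rounded to one decimal, or None if nothing was selected.
    Population standard deviation is an assumption; the page does not say which variant is used."""
    if not scores:
        return None
    return (min(scores), round(statistics.mean(scores), 1), max(scores),
            round(statistics.pstdev(scores), 1))

def calculate(cwe, records, mapping, normalization=True, adjust=lambda score: score):
    """Run the three steps end to end and return (CWE actually analysed, distribution)."""
    selected = normalize(cwe, mapping, normalization)
    return selected, distribution(select_scores(selected, records, adjust))
```

Requesting CWE-23 with normalization on analyses CWE-22 instead, so the rejected, unscored and unmapped records are dropped and only two scores remain; with normalization off the same request yields CWE-23's single record.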

Environmental Metrics

The calculator lets you specify custom environmental metrics that will modify the CVSS base scores for the selected CVEs. For example, your environment may deem that confidentiality is a very important requirement while availability is not important. You can set the Confidentiality impact to "High" and the Availability impact to "Low", which will result in higher CVSS scores for CVEs that affect confidentiality (such as an information leak vulnerability) and lower CVSS scores for CVEs that affect availability (such as a denial-of-service vulnerability).
