Methodology
The CWE Calculator uses the following methodology to compute scores:
- If normalization is enabled (which it is by default), the calculator checks whether the requested CWE should be mapped to another CWE. If so, that CWE is selected for the rest of the analysis; otherwise the original CWE remains selected.
- For each CVE record in the cached data that is mapped to the selected CWE:
  - Apply the environmental metrics to the base CVSS score, if supplied.
  - Obtain the CVSS score for the CVE.
- Compute the distribution of the CVSS scores for the selected CVEs: min, mean, max, and standard deviation.
The CWE Top 25 project developed a process to "re-map" some CWEs to higher-level or more concrete CWEs. By default, the CWE Calculator uses the same normalization process (you can view the mapping in data/normalized.csv). To supply your own normalization, create a CSV file containing two columns: the source CWE number and the CWE number it should be mapped to. Here's an example:
```csv
7,755
14,Other
15,668
20,20
22,22
23,22
24,23
25,23
26,22
27,23
...snip...
```
The first row indicates that CWE-7: J2EE Misconfiguration: Missing Custom Error Page is re-mapped to CWE-755: Improper Handling of Exceptional Conditions, which is a broader entry that is likely to match more CVEs.
The calculator (in both command line and web service form) allows you to specify your own re-mapping data. See the tools' respective documentation for more details.
The calculator lets you specify custom environmental metrics that modify the CVSS base scores of the selected CVEs. For example, your environment may deem confidentiality a very important requirement while availability is not important. You can set the Confidentiality impact to "High" and the Availability impact to "Low", which results in higher CVSS scores for CVEs that affect confidentiality (such as an information-leak vulnerability) and lower CVSS scores for CVEs that affect availability (such as a denial-of-service vulnerability).
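As an added illustration (not the CWE Calculator's own code), the Python script below walks through the methodology from the top of this page on constructed data: it parses a normalization CSV in the two-column format shown above, selects the cached CVE records for the normalized CWE, applies an environmental adjustment, and summarizes the resulting scores as min/mean/max/standard deviation. The CVE ids, vectors and CSV rows are made up for the example and the function names are mine. Two assumptions are made because the page does not state them: scores follow the public CVSS v3.1 formula, with the Confidentiality/Integrity/Availability Requirement metrics (CR/IR/AR) standing in for the "High"/"Low" environmental settings described above, and the standard deviation is the population one.

```python
"""Worked example of the CWE Calculator methodology (added illustration,
not the project's code). CVSS v3.1 arithmetic follows the public spec;
all CVE records and CSV rows are constructed sample data."""
import csv
import io
import math
import statistics

# CVSS v3.1 metric weights (from the specification).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_U = {"N": 0.85, "L": 0.62, "H": 0.27}  # scope unchanged
PR_C = {"N": 0.85, "L": 0.68, "H": 0.50}  # scope changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
REQ = {"H": 1.5, "M": 1.0, "L": 0.5, "X": 1.0}  # CR/IR/AR weights; X = not defined


def roundup(x):
    """CVSS v3.1 Roundup: smallest one-decimal value >= x."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector):
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3"):
        raise ValueError("only CVSS v3.x vectors are handled here")
    return dict(p.split(":") for p in parts[1:])


def cvss31_score(vector, env=None):
    """Base score when env is None, otherwise the environmental score.

    env holds requirement metrics such as {"CR": "H", "AR": "L"}. Modified
    base metrics are assumed equal to the base metrics and E/RL/RC are
    Not Defined (weight 1.0), so the temporal multiplier is a no-op."""
    use_env = env is not None
    env = env or {}
    m = parse_vector(vector)
    changed = m["S"] == "C"
    pr = (PR_C if changed else PR_U)[m["PR"]]
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * pr * UI[m["UI"]]
    c = REQ[env.get("CR", "X")] * CIA[m["C"]]
    i = REQ[env.get("IR", "X")] * CIA[m["I"]]
    a = REQ[env.get("AR", "X")] * CIA[m["A"]]
    iss = 1 - (1 - c) * (1 - i) * (1 - a)
    if use_env:
        iss = min(iss, 0.915)  # MISS cap in the environmental formula
    if not changed:
        impact = 6.42 * iss
    elif use_env:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if changed:
        total *= 1.08
    return roundup(min(total, 10.0))


def load_normalization(csv_text):
    """Two-column CSV 'source,target' (the data/normalized.csv layout) -> dict."""
    mapping = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) != 2 or not row[0].strip():
            continue  # skip blank or malformed lines
        mapping[row[0].strip()] = row[1].strip()
    return mapping


def normalize_cwe(cwe, mapping, enabled=True):
    """Step 1: follow the re-map for the requested CWE if one exists."""
    return mapping.get(cwe, cwe) if enabled else cwe


def score_cwe(cwe, cve_records, mapping, env=None, normalize=True):
    """Steps 2-3: select CVEs for the (normalized) CWE, score, summarize."""
    selected = normalize_cwe(cwe, mapping, normalize)
    scores = [cvss31_score(r["vector"], env) for r in cve_records if r["cwe"] == selected]
    if not scores:
        return {"cwe": selected, "count": 0}
    return {"cwe": selected, "count": len(scores), "min": min(scores),
            "mean": statistics.mean(scores), "max": max(scores),
            "stdev": statistics.pstdev(scores)}  # population stdev (assumption)


# Constructed normalization rows in the page's CSV format.
NORMALIZATION = load_normalization("7,755\n14,Other\n22,22\n23,22\n")

# Constructed CVE cache: ids and vectors are made up for this example.
CVE_CACHE = [
    {"id": "CVE-0000-0001", "cwe": "22",  # information leak (C:H only)
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},
    {"id": "CVE-0000-0002", "cwe": "22",  # denial of service (A:H only)
     "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},
    {"id": "CVE-0000-0003", "cwe": "755",
     "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"},
]

if __name__ == "__main__":
    print(score_cwe("23", CVE_CACHE, NORMALIZATION))                  # CWE-23 -> CWE-22
    print(score_cwe("23", CVE_CACHE, NORMALIZATION, env={"CR": "H", "AR": "L"}))
    print(score_cwe("23", CVE_CACHE, NORMALIZATION, normalize=False))  # no CVEs on CWE-23
```

With normalization on, requesting CWE-23 selects the two CWE-22 records, both scoring 7.5 at base; with CR set to High and AR to Low, the information-leak record rises to 9.3 and the denial-of-service record drops to 5.7, which is the effect the paragraph above describes. With normalization off, no cached record is mapped to CWE-23 and the distribution is empty.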