I've encountered an issue with the Tenable report parser where the Severity Level of vulnerabilities is incorrectly mapped based on their CVSS scores. Specifically, the parser currently assigns severity levels by strictly adhering to the CVSS score, which does not always align with the severity level provided by Tenable.
In our case, a vulnerability that Tenable classified as 'Medium' was marked as 'High' in DefectDojo. We haven't manually altered the severity levels in Tenable, but this discrepancy could potentially affect the risk assessment process. I believe this might be a common issue for others who rely on Tenable's severity levels for subsequent scans and risk evaluations.
Could the team consider enhancing the parser to accommodate the original severity levels as specified in Tenable reports? This adjustment would help in maintaining consistency between the reported and actual risk levels, providing more accurate vulnerability management.
Thank you for looking into this!
Steps to reproduce
Steps to reproduce the behavior:
Just upload a report with a medium-severity issue that has a CVSS score of 7.8.
Expected behavior
Getting the severity level from the risk_factor parameter in the XML report.
Deployment method (select with an X)
Docker Compose
Kubernetes
GoDojo
Environment information
DefectDojo version (see footer) or commit message: v. 2.32.3 (release mode)
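The mismatch described in this report (a ReportItem with a CVSS score of 7.8 but a Tenable risk_factor of Medium) can be checked directly in the .nessus XML. The following is an added example, not DefectDojo's parser: it reads both fields from a constructed ReportItem, derives a rating from the CVSS score using the standard CVSS v3 qualitative bands (an assumption; DefectDojo's own thresholds may differ), and flags findings where the two disagree so they can be triaged rather than silently overwritten.

```python
from dataclasses import dataclass
from typing import List, Optional
from xml.etree import ElementTree as ET

# Constructed sample in NessusClientData_v2 layout. The 7.8 score and the
# "Medium" risk_factor are the values from the report; host, plugin id and
# plugin name are placeholders, not real Tenable data.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="example">
    <ReportHost name="192.0.2.10">
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="2"
                  pluginID="000000" pluginName="Placeholder plugin" pluginFamily="Misc.">
        <risk_factor>Medium</risk_factor>
        <cvss_base_score>7.8</cvss_base_score>
        <cvss3_base_score>7.8</cvss3_base_score>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

def severity_from_cvss(score: float) -> str:
    """Qualitative rating from a CVSS v3 base score (assumed: the CVSS v3 spec bands)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"

@dataclass
class Finding:
    plugin_id: str
    host: str
    cvss_severity: str           # rating derived from the score
    risk_factor: Optional[str]   # rating Tenable wrote into the report, if any

    def mismatch(self) -> bool:
        """True when the two ratings exist and disagree (the case in this issue)."""
        return self.risk_factor is not None and self.risk_factor != self.cvss_severity

def parse_nessus(xml_text: str) -> List[Finding]:
    """Collect every ReportItem with its CVSS-derived rating and its risk_factor."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            # Prefer the v3 score, fall back to the v2 score, else treat as informational.
            text = item.findtext("cvss3_base_score") or item.findtext("cvss_base_score")
            score = float(text) if text else 0.0
            rf = (item.findtext("risk_factor") or "").strip()
            risk_factor = "Info" if rf == "None" else (rf or None)  # Tenable uses "None" for info items
            findings.append(Finding(item.get("pluginID", ""), host.get("name", ""),
                                    severity_from_cvss(score), risk_factor))
    return findings
```

Running `parse_nessus(SAMPLE_NESSUS)` yields one finding with `cvss_severity == "High"` and `risk_factor == "Medium"`, and `mismatch()` returns True for it.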
First of all, Risk Factor is not the same term as Severity: https://docs.tenable.com/nessus/Content/RiskMetrics.htm
But apart from that: the CVSS score is a universal grading system for vulnerabilities, while Tenable or other tools might have their own individual methods of calculating severity, risk factors, etc.
DefectDojo needs to use something that is present in the highest number of tools, because you can import vulnerabilities from different systems and you cannot force all of them to calculate the risk factor the way Tenable does, or to use some proprietary algorithm of another producer.
For reference, you can see the relevant code here:
https://github.com/DefectDojo/django-DefectDojo/blob/c4ea89b82ac4f6bb25f298b4acda540ab9af1518/dojo/tools/tenable/xml_format.py#L30C1-L43C24
Attachment: sample-scan.nessus.zip