Severity measure #5965
We're a group of students of software engineering. We are using KICS for an article about IaC documentation and characteristics of the most popular repos on GitHub, and for that we need to understand how the severity is defined, or how it is measured by the application. Can someone help us understand how and when a vulnerability, for instance, is defined as high, medium or low? Thanks in advance! Sorry about the bad English.
Hi,

Currently KICS is classifying the vulnerabilities as High, Medium, Low and Information.

The severity of KICS queries is based on several factors that result from a combination of industry standards (for example, CVSS and CIS Benchmarks) together with the level of exposure for the vulnerability, which is identified by the expertise of our AppSec research team.

Several pillars are considered, by developers and researchers, when defining the severity, such as Discoverability, Damage, Reproducibility, Exploitability, Precision, among others.

The context of the source code is always considered, and it has a huge impact on the severity classification: in some use cases the CVSS score can be low, but when considering it in the scope of the source code, the result is high, because contextual factors diminish the score.

Also, there are certain vulnerabilities that do not meet additional conditions, which are not related only to a bad configuration in the source code. All these "real conditions" are taken into consideration, so it would not be reliable to expose a query as having a high CVSS score when, in fact, not all the necessary conditions are verified.

Regards,
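As an added illustrative example (not KICS's own scoring code, which the reply does not publish), a small DREAD-style model in Python that starts from a CVSS band and shifts it by the pillars named in the reply, the level of exposure, and whether the contextual preconditions are verified. The query names, pillar scale and weights are assumptions chosen to reproduce the two situations the reply describes: a low CVSS score that ends up High in context, and a high CVSS score that is reported lower because not all conditions hold.

```python
from dataclasses import dataclass

LEVELS = ("INFO", "LOW", "MEDIUM", "HIGH")  # the four KICS severity labels


@dataclass
class Finding:
    query: str               # hypothetical query name (not a real KICS query)
    cvss_base: float         # CVSS base score, 0.0 - 10.0
    damage: int              # each pillar rated 1 (low) .. 3 (high)
    reproducibility: int
    exploitability: int
    discoverability: int
    exposed: bool            # resource reachable from outside the trust boundary
    preconditions_met: bool  # every "real condition" verified in the code context


def cvss_band(score: float) -> int:
    """Map a CVSS base score onto an index into LEVELS (assumed thresholds)."""
    if score >= 7.0:
        return 3
    if score >= 4.0:
        return 2
    if score > 0.0:
        return 1
    return 0


def contextual_severity(f: Finding) -> str:
    """Start from the CVSS band, then shift it by the contextual factors."""
    idx = cvss_band(f.cvss_base)
    pillar_avg = (f.damage + f.reproducibility
                  + f.exploitability + f.discoverability) / 4
    idx += round(pillar_avg) - 2             # pillars push the band by -1 .. +1
    idx += 1 if f.exposed else 0             # exposure can raise it one level
    idx -= 0 if f.preconditions_met else 1   # unverified conditions lower it one level
    return LEVELS[max(0, min(len(LEVELS) - 1, idx))]


def classify(findings):
    """Return {query: severity} for a list of findings."""
    return {f.query: contextual_severity(f) for f in findings}


# Constructed sample findings: low CVSS but fully exposed, and high CVSS
# whose extra conditions are not verified in the source context.
SAMPLE = [
    Finding("public_bucket_acl", 3.5, 3, 3, 3, 3, True, True),
    Finding("hardcoded_db_password", 9.0, 2, 2, 2, 2, False, False),
]

if __name__ == "__main__":
    for name, sev in classify(SAMPLE).items():
        print(f"{name}: {sev}")
```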