Does Qualys use CVSS version 3.0 or 3.1 for scoring vulnerabilities?
A Qualys QID might describe 10 CVE-IDs. How is the "Qualys CVSS" score calculated? Average, max, etc.? For calculating overall risk per host, is there a way to find each vulnerability/CVE-ID and associated CVSS score? Or only each QID (aggregate/rollup of multiple CVE-IDs)?
QID=100387 Microsoft Internet Explorer Security Update for September 2019
CVSS Base: 7.6
CVSS Temporal: 5.6
CVSS3 Base: 5.6
CVSS3 Temporal: 4.9
The above "Qualys defined" vulnerability is actually a combination of 8 vulnerabilities (note that the first 4 have CVSS v3.1 scores and the last 4 have CVSS v3.0 scores). Per my understanding, Qualys has chosen to summarize them as one vulnerability, where a Qualys scan hides which of the 8 vulnerabilities are actually present, only providing knowledge of whether at least one is present.
What is the formula which Qualys uses to aggregate the risk of all 8 standard vulns below into one?
Would it be possible to extend this aggregation logic to summarize all risk on a host with a single metric, or likewise all risk across a Qualys subscription?
CVE-2019-1208 CVSS2: 7.6 / CVSS3.1: 7.5
CVE-2019-1220 CVSS2: 4.3 / CVSS3.1: 4.3
CVE-2019-1221 CVSS2: 7.6 / CVSS3.1: 7.5
CVE-2019-1236 CVSS2: 7.6 / CVSS3.1: 7.5
CVE-2019-11091 CVSS2: 4.7 / CVSS3.0: 5.6
CVE-2018-12126 CVSS2: 4.7 / CVSS3.0: 5.6
CVE-2018-12127 CVSS2: 6.9 / CVSS3.0: 5.6
CVE-2018-12130 CVSS2: 4.7 / CVSS3.0: 5.6
Do we have any approximate timeline to move to CVSSv3.1?
Sumalya, I have posted an internal request for information to answer your question above. For an updated status, I recommend engaging your technical account manager (TAM). I will provide an update when the information becomes available.
How does the CVSS score break down with the Qualys Severity rating? Or does it?
Here’s the relationship to Qualys severity: Qualys Severity Score vs CVSS Scoring
No one addressed Jake VanMast's question. He makes a valid point with the way Qualys rolls up CVEs to a QID. I would like to know the answer from Qualys on this.
Rusty, Jake's question was addressed https://discussions.qualys.com/thread/20136-cvss-version#comment-48780
I believe Jake VanMast is asking how to separate out the total risk score from how Qualys combines QID's of different CVSS scoring:
I'm trying to understand but I guess I'm just not getting the ask here.
Is there any way you could prepare a visual representation of your expectation for further examination?
I guess to summarize, and I am sorry if I was not clear: since Qualys combines vulnerabilities (CVEs) into one QID, how can a team break that combination of vulnerabilities out to get a true risk score? For example, if Qualys combines the below CVEs into QID 100387, how does a team get the true risk score? Qualys counts this as one QID whereas other tools count each individual CVE as a risk.
OK, I get it now. DUH, I get stuck in a thought and I need to be shaken loose at times, thanks for the shake!
The majority of our customers are looking for ways to "group" detections, exclude detections, suppress detections, all in an effort to change the perception of the risk landscape by lessening the total number of detections. Can you even begin to imagine the outrage from our customers if we changed a single QID into one QID per CVE-ID?
This is one of those 50/50 feature feedback situations, and here's why: you can please some of the people some of the time, but not all of the people all of the time. Below is an excerpt from my feature request responses. You may have read this once or twice in an email from me sent in response to a feature request. For those who haven't had the "pleasure", I offer the following:
As Qualys strives to meet the needs of its customers, it must be understood that these requests are driven by the needs of many customers, the use cases they address and are evaluated against our product roadmap. A Feature Request is any suggestion for an enhancement to Qualys software. Feature Requests are not a contractual obligation for Qualys to develop the suggestion or to develop the request as submitted (use case vs implementation).
Important Things to Know About Our Feature Request Process
Qualys strives to continually improve its products, including receiving feedback and feature requests from our many customers.
Requests that have broad applicability, solve multiple use cases, and are strategic to the company are given higher priority.
Requests with available workarounds, that are not operationally impacting, or that are visual/styling improvements will have lower priority.
Feature request development schedules may change at company discretion depending on new requests, other and changing priorities, engineering prerequisites, updated architecture requirements, or other reasons.
Most products that provide detections by CVE-ID don't actually have detection signatures to validate the detection because they are not diving any deeper than package information, which equates to False Positives.
Qualys detections enumerate all CVE-IDs for a given QID, and we provide and support API and third-party integrations for customers with more mature vulnerability management programs to adapt our data into their custom requirements, and cross-leveraging feeds like NVD - Data Feeds and NVD - Calculator Product Integration to enrich/enhance their programs. Most other products' APIs are restrictive and less straightforward, requiring multiple calls to compile the information available in a single call to the Qualys API to produce a complete, customized detection record.
Before I get into the more detailed stuff, I want to thank you for your feedback and let you know we've heard you and the content has been entered into our backlog, it has not been discarded.
Shall we look a little deeper at the volume of information QID 100387 provides in the UI and the API, and how these data elements are available for extract and cross-reference in third-party applications:
curl -u "UserID:Password" -H "X-Requested-With: cURL QID 100387" "https://qualysapi.qg2.apps.qualys.com/api/2.0/fo/knowledge_base/vuln/?action=list&echo_request=1&details=All&ids=100387" > C:\XXXXXX\XXXXXX\Downloads\100387QID.csv
If you have any questions or would like to learn more about API integration capabilities, please contact your TAM directly to request more information.
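As an added example (not from the thread and not Qualys's own code), here is a script doing what the reply above describes: parse a KnowledgeBase response for a QID, enumerate its CVE-IDs, join them with per-CVE CVSS v3 scores (the values listed earlier in the thread, standing in for an NVD feed lookup), and put candidate roll-ups next to the QID's own score so a team can see how its per-CVE view differs from the QID view. The XML element names are an assumption about the API's output shape, and the sample response is constructed.

```python
import statistics
import xml.etree.ElementTree as ET

# Constructed sample in the assumed shape of a Qualys KnowledgeBase API v2
# response, trimmed to the elements this script reads.
KB_XML = """<KNOWLEDGE_BASE_VULN_LIST_OUTPUT><RESPONSE><VULN_LIST>
<VULN><QID>100387</QID>
 <TITLE>Microsoft Internet Explorer Security Update for September 2019</TITLE>
 <CVE_LIST>
  <CVE><ID>CVE-2019-1208</ID></CVE><CVE><ID>CVE-2019-1220</ID></CVE>
  <CVE><ID>CVE-2019-1221</ID></CVE><CVE><ID>CVE-2019-1236</ID></CVE>
  <CVE><ID>CVE-2019-11091</ID></CVE><CVE><ID>CVE-2018-12126</ID></CVE>
  <CVE><ID>CVE-2018-12127</ID></CVE><CVE><ID>CVE-2018-12130</ID></CVE>
 </CVE_LIST>
 <CVSS><BASE>7.6</BASE></CVSS><CVSS_V3><BASE>5.6</BASE></CVSS_V3>
</VULN></VULN_LIST></RESPONSE></KNOWLEDGE_BASE_VULN_LIST_OUTPUT>"""

# Per-CVE CVSS v3 scores as listed in the thread; in practice this lookup
# would be populated from an NVD data feed.
NVD_CVSS3 = {
    "CVE-2019-1208": 7.5, "CVE-2019-1220": 4.3, "CVE-2019-1221": 7.5,
    "CVE-2019-1236": 7.5, "CVE-2019-11091": 5.6, "CVE-2018-12126": 5.6,
    "CVE-2018-12127": 5.6, "CVE-2018-12130": 5.6,
}

def parse_kb(xml_text):
    """Return {qid: {"cvss3_base": float, "cves": [CVE-IDs]}} from a KB response."""
    out = {}
    for vuln in ET.fromstring(xml_text).iter("VULN"):
        out[vuln.findtext("QID")] = {
            "cvss3_base": float(vuln.findtext("CVSS_V3/BASE")),
            "cves": [c.text for c in vuln.findall("CVE_LIST/CVE/ID")],
        }
    return out

def compare_aggregates(qid_rec, cve_scores):
    """Candidate roll-ups of the per-CVE scores beside the QID's own score."""
    scores = [cve_scores[c] for c in qid_rec["cves"] if c in cve_scores]
    return {
        "qid": qid_rec["cvss3_base"],
        "max": max(scores),
        "mean": round(statistics.mean(scores), 2),
        "median": statistics.median(scores),
        # CVEs whose own score is higher than the QID they are rolled into
        "above_qid": [c for c in qid_rec["cves"] if cve_scores.get(c, 0) > qid_rec["cvss3_base"]],
    }

def host_cve_view(detected_qids, kb, cve_scores):
    """Expand a host's QID detections into the per-CVE rows other tools count."""
    cves = sorted({c for q in detected_qids for c in kb[q]["cves"]})
    scored = {c: cve_scores.get(c) for c in cves}
    return {"cve_count": len(cves), "max_cvss3": max(v for v in scored.values() if v is not None), "cves": scored}
```

Running it on the constructed sample shows the QID's CVSS3 base (5.6) matching neither the max (7.5) nor the mean (6.15) of its CVEs, which is the gap the question above is pointing at; it does not reveal the formula Qualys actually uses.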