
Dependency-Track – handle risk-score


In Dependency-Track we have a risk-score. The risk-score depends on the number and severity of the vulnerabilities evaluated with the CVSS.

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.

Calculation for the risk-score:

public static double inheritedRiskScore(final int critical, final int high, final int medium, final int low, final int unassigned) {
    // Weighted sum of findings per severity bucket; note that "unassigned" carries the same weight as "high".
    return (double) ((critical * 10) + (high * 5) + (medium * 3) + (low * 1) + (unassigned * 5));
}

Does somebody know more about the risk score? What is the best practice for handling this information?
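An added example (not code from the original post or from the Dependency-Track project): it buckets CVSS v3.x base scores into severities using the CVSS qualitative rating scale, applies the same weights as the quoted inheritedRiskScore(), and goes one step beyond the post by dividing the score by the component count so projects of different size can be compared. The score sample, the component count of 120 and the choice to treat a 0.0 score as "unassigned" are constructed assumptions.

```python
# Added example, not Dependency-Track code. Bucket CVSS base scores by the
# CVSS v3.x qualitative rating scale and apply the quoted risk-score weights.
from collections import Counter
from typing import Iterable, Mapping, Optional

# Weights exactly as quoted from Dependency-Track's inheritedRiskScore()
WEIGHTS = {"critical": 10, "high": 5, "medium": 3, "low": 1, "unassigned": 5}


def cvss_severity(base_score: Optional[float]) -> str:
    """Map a CVSS v3.x base score to its qualitative rating.

    None (no score yet) maps to 'unassigned'. A score of 0.0 is 'None' on the
    CVSS scale; counting it as 'unassigned' is this example's assumption.
    """
    if base_score is None:
        return "unassigned"
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score >= 9.0:
        return "critical"
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    if base_score >= 0.1:
        return "low"
    return "unassigned"


def severity_counts(base_scores: Iterable[Optional[float]]) -> Counter:
    """Count findings per severity bucket."""
    return Counter(cvss_severity(s) for s in base_scores)


def inherited_risk_score(counts: Mapping[str, int]) -> float:
    """Same arithmetic as the quoted Java method: an unbounded weighted sum."""
    return float(sum(WEIGHTS[sev] * counts.get(sev, 0) for sev in WEIGHTS))


def risk_per_component(counts: Mapping[str, int], component_count: int) -> float:
    """Normalise by component count (an assumption for comparing projects)."""
    if component_count <= 0:
        raise ValueError("component_count must be positive")
    return inherited_risk_score(counts) / component_count


if __name__ == "__main__":
    # Constructed sample: base scores of one project's findings; None = not scored yet
    sample = [9.8, 7.5, 7.2, 5.3, 3.1, None, None]
    counts = severity_counts(sample)
    print(dict(counts), inherited_risk_score(counts), risk_per_component(counts, 120))
```

Because "unassigned" carries the same weight as "high", two unscored findings raise the score as much as two high-severity ones, so unscored findings should be triaged rather than ignored.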


