CVSS Scoring

You can select which version of the Common Vulnerability Scoring System (CVSS) is used to calculate results. The default setting is Auto. You can change the setting so that the vulnerability count for applications is based on CVSS 2, CVSS 3, CVSS 4 or Auto. Here's how:

  1. From the Shortcuts, select Account settings.

  2. Under Bill of Materials > CVSS scoring, select the CVSS version for CVSS-related visualizations.

Note that CVSS 3 will display both CVSS 3.0 and 3.1 scores.

When you change the CVSS version:

  • Any user can still toggle between CVSS 2, 3, 4 and Auto on the Vulnerability analysis tab.

  • All scores are visible in the detailed view of a component's vulnerability, although only one set of scores is applied to the final vulnerability count.

  • CVSS version and CVSS fallback version can also be set at the Group level. There is also an option to use account-level settings, which is the default.

Latest CVSS fallback version

You can select the CVSS version to be used when Auto is selected.

Follow these steps:

  1. From the Shortcuts, select Account settings.

  2. Under Bill of Materials > CVSS scoring, select the CVSS version under Latest CVSS missing score fallback version.

  3. If you select CVSS 3, CVSS 4 versions will not be included in Auto CVSS scoring.