
CVSS Version 4.0 Support for SCA

We have added support for the CVSS 4.0 scoring system, which uses additional metrics to provide better granularity and further refine the scoring methodology. We now show the CVSS 4.0 score for each vulnerability that has such a score. When no CVSS 4.0 score is available, we continue to use the most recent available score from previous scoring systems (3.1 or 2.0).

Notice

This update applies specifically to results returned by the SCA scanner. Results from other scanners (e.g., Container Security) do not yet support CVSS 4.0.

The metrics that are used for calculating the CVSS score are different for each version. Therefore, the metrics shown when you click on View Base Metrics on the Risk page differ according to the version.


API Responses

Detailed results for SCA vulnerabilities can be returned using the GET /results API. The results for each SCA vulnerability include a vulnerabilityDetails object. The attributes returned in this object differ depending on the CVSS version used for that vulnerability, so you may need to adjust some of your workflows to accommodate the schema of the new type of results.

Schema of the vulnerabilityDetails object for each CVSS version, listing the possible values of each attribute.

CVSS 2.0

"vulnerabilityDetails": {
  "cvssScore": 2.1,
  "cveName": "CVE-2015-3010",
  "cweId": "CWE-200",
  "cvss": {
    "score": 2.1,
    "version": 2,
    "severity": ["INFO", "NONE", "LOW", "MEDIUM", "HIGH"],
    "integrity": ["NONE", "PARTIAL", "COMPLETE"],
    "attackVector": ["LOCAL", "ADJACENT NETWORK", "NETWORK"],
    "availability": ["NONE", "PARTIAL", "COMPLETE"],
    "authentication": ["NONE", "SINGLE", "MULTIPLE"],
    "confidentiality": ["NONE", "PARTIAL", "COMPLETE"],
    "attackComplexity": ["LOW", "MEDIUM", "HIGH"],
    "exploitCodeMaturity": "3.9"
  }
}

CVSS 3.1

"vulnerabilityDetails": {
  "cvssScore": 5.5,
  "cveName": "CVE-2023-50120",
  "cweId": "CWE-835",
  "cvss": {
    "scope": ["CHANGED", "UNCHANGED"],
    "score": 5.5,
    "version": 3,
    "severity": ["INFO", "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
    "integrity": ["NONE", "LOW", "HIGH"],
    "attackVector": ["NETWORK", "ADJACENT", "LOCAL", "PHYSICAL"],
    "availability": ["NONE", "LOW", "HIGH"],
    "confidentiality": ["NONE", "LOW", "HIGH"],
    "userInteraction": ["NONE", "REQUIRED"],
    "attackComplexity": ["LOW", "HIGH"],
    "privilegesRequired": ["NONE", "LOW", "HIGH"],
    "exploitCodeMaturity": "3.9"
  }
}

CVSS 4.0

"vulnerabilityDetails": {
  "cvssScore": 4.800000190734863,
  "cveName": "CVE-2024-6064",
  "cweId": "CWE-416",
  "cvss": {
    "score": 4.8,
    "version": 4,
    "severity": ["INFO", "NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"],
    "attackVector": ["NETWORK", "ADJACENT", "LOCAL", "PHYSICAL"],
    "userInteraction": ["NONE", "PASSIVE", "REQUIRED"],
    "attackComplexity": ["LOW", "HIGH"],
    "attackRequirements": ["NONE", "PRESENT"],
    "privilegesRequired": ["NONE", "LOW", "HIGH"],
    "subsequentSystemIntegrity": ["NONE", "LOW", "HIGH"],
    "vulnerableSystemIntegrity": ["NONE", "LOW", "HIGH"],
    "subsequentSystemAvailability": ["NONE", "LOW", "HIGH"],
    "vulnerableSystemAvailability": ["NONE", "LOW", "HIGH"],
    "subsequentSystemConfidentiality": ["NONE", "LOW", "HIGH"],
    "vulnerableSystemConfidentiality": ["NONE", "LOW", "HIGH"]
  }
}

Examples of the vulnerabilityDetails object for each CVSS version.

CVSS 2.0

"vulnerabilityDetails": {
  "cvssScore" : 2.0999999046325684,
  "cveName" : "CVE-2015-3010",
  "cweId" : "CWE-200",
  "cvss" : {
    "score" : 2.1,
    "version" : 2,
    "severity" : "Low",
    "integrity" : "NONE",
    "attackVector" : "LOCAL",
    "availability" : "NONE",
    "authentication" : "NONE",
    "confidentiality" : "PARTIAL",
    "attackComplexity" : "LOW",
    "exploitCodeMaturity" : "3.9"
  }
}

CVSS 3.1

"vulnerabilityDetails": {
  "cvssScore" : 7.5,
  "cveName" : "CVE-2024-24265",
  "cweId" : "CWE-401",
  "cvss" : {
    "scope" : "UNCHANGED",
    "score" : 7.5,
    "version" : 3,
    "severity" : "High",
    "integrity" : "NONE",
    "attackVector" : "NETWORK",
    "availability" : "HIGH",
    "confidentiality" : "NONE",
    "userInteraction" : "NONE",
    "attackComplexity" : "LOW",
    "privilegesRequired" : "NONE"
  }
}

CVSS 4.0

"vulnerabilityDetails": {
  "cvssScore" : 4.800000190734863,
  "cveName" : "CVE-2024-6064",
  "cweId" : "CWE-416",
  "cvss" : {
    "score" : 4.8,
    "version" : 4,
    "severity" : "Medium",
    "attackVector" : "LOCAL",
    "userInteraction" : "NONE",
    "attackComplexity" : "LOW",
    "attackRequirements" : "NONE",
    "privilegesRequired" : "LOW",
    "subsequentSystemIntegrity" : "NONE",
    "vulnerableSystemIntegrity" : "LOW",
    "subsequentSystemAvailability" : "NONE",
    "vulnerableSystemAvailability" : "LOW",
    "subsequentSystemConfidentiality" : "NONE",
    "vulnerableSystemConfidentiality" : "LOW"
  }
}
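As an added example (not part of this documentation or of the vendor's API), the Python below shows one way to adapt a workflow to the three schemas: it rebuilds the CVSS base vector string from a vulnerabilityDetails object of any version and rounds the raw cvssScore float the way cvss.score already is. It assumes that cvss.version 3 denotes CVSS 3.1 (the version this page names); the three sample objects are constructed from the examples above.

```python
# Ordered (API attribute, vector abbreviation) pairs per cvss.version. Every enumerated
# value the API documents abbreviates to its first letter (NETWORK -> N,
# "ADJACENT NETWORK" -> A, PASSIVE -> P, UNCHANGED -> U, PRESENT -> P, ...).
METRICS = {
    2: [("attackVector", "AV"), ("attackComplexity", "AC"), ("authentication", "Au"),
        ("confidentiality", "C"), ("integrity", "I"), ("availability", "A")],
    3: [("attackVector", "AV"), ("attackComplexity", "AC"), ("privilegesRequired", "PR"),
        ("userInteraction", "UI"), ("scope", "S"),
        ("confidentiality", "C"), ("integrity", "I"), ("availability", "A")],
    4: [("attackVector", "AV"), ("attackComplexity", "AC"), ("attackRequirements", "AT"),
        ("privilegesRequired", "PR"), ("userInteraction", "UI"),
        ("vulnerableSystemConfidentiality", "VC"), ("vulnerableSystemIntegrity", "VI"),
        ("vulnerableSystemAvailability", "VA"), ("subsequentSystemConfidentiality", "SC"),
        ("subsequentSystemIntegrity", "SI"), ("subsequentSystemAvailability", "SA")],
}
# Assumption: version 3 is CVSS 3.1 (the version this page names); v2 vectors carry no prefix.
PREFIX = {2: "", 3: "CVSS:3.1/", 4: "CVSS:4.0/"}

def to_vector(details: dict) -> str:
    """Rebuild the base-metric vector string from one vulnerabilityDetails object."""
    cvss = details["cvss"]
    version = cvss["version"]
    if version not in METRICS:
        raise ValueError(f"unsupported cvss.version {version!r}")
    parts = []
    for attr, abbrev in METRICS[version]:
        value = cvss.get(attr)
        if not value:  # e.g. a v3-shaped object tagged version 4: fail loudly, don't guess
            raise KeyError(f"CVSS {version} object lacks {attr!r}")
        parts.append(f"{abbrev}:{value[0].upper()}")
    return PREFIX[version] + "/".join(parts)

def normalized_score(details: dict) -> float:
    """Top-level cvssScore is a raw binary float (2.0999999046325684); round it like cvss.score."""
    return round(float(details["cvssScore"]), 1)

# Sample inputs constructed from the three response examples on this page.
V2 = {"cvssScore": 2.0999999046325684, "cveName": "CVE-2015-3010", "cvss": {
    "score": 2.1, "version": 2, "severity": "Low", "attackVector": "LOCAL", "attackComplexity": "LOW",
    "authentication": "NONE", "confidentiality": "PARTIAL", "integrity": "NONE", "availability": "NONE"}}
V3 = {"cvssScore": 7.5, "cveName": "CVE-2024-24265", "cvss": {
    "score": 7.5, "version": 3, "severity": "High", "scope": "UNCHANGED", "attackVector": "NETWORK",
    "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE",
    "confidentiality": "NONE", "integrity": "NONE", "availability": "HIGH"}}
V4 = {"cvssScore": 4.800000190734863, "cveName": "CVE-2024-6064", "cvss": {
    "score": 4.8, "version": 4, "severity": "Medium", "attackVector": "LOCAL", "attackComplexity": "LOW",
    "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE",
    "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW", "vulnerableSystemAvailability": "LOW",
    "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "subsequentSystemAvailability": "NONE"}}
```

Note that the schema tables above list severity in upper case while the examples return mixed case ("Low", "High"), so compare severity case-insensitively as well.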