1. Access the Administration module.
2. Select Risk Score from the Customizations option on the menu.
The system displays a screen showing the default formula and an editing area where it can be customized (see figure below).
3. To customize the formula, you can select one of the variables from the Variables field. The variable selected will appear in the editing area below the field and can then be combined with the operators and functions available to create the new formula.
Note: Formulas can be comprised of one or more lines separated by semicolons (;). The value returned will be calculated according to the result of the last line executed.
The most common syntax is shown below, with [x] as optional:
Line 1: [variable A] = <expression 1>;
Line 2: [variable B] = <expression 2>;
…
Line N: [variable Z] = <expression N>;
For further details on the syntax of these formulas, access the link below:
http://www.springframework.net/doc-latest/reference/html/expressions.html
The tables below list the variables, operators, and functions available and their descriptions:
|
Variable |
Description |
|
AssetCriticality |
Criticality set in the Organization module for the asset in which the vulnerability was identified. This value ranges from 0.00 to 100.00. |
|
AssetRelevance |
Relevance set in the Organization module for the asset in which the vulnerability was identified. This value ranges from 1 (Very Low) to 5 (Very High). |
|
CvssScore |
CVSS indicator for the vulnerability. |
|
VulnerabilityLevel |
Severity level of the vulnerability, which ranges from 1 (Very Low) to 5 (Very High). |
|
VulnerabilityType |
Type of vulnerability, which may be assume one of the following values: VulnType.Information, VulnType.Potential, VulnType.Confirmed. |
|
Relational Operators |
Description |
|
== |
Returns true if two elements are equal and false if otherwise. For example: “#result = #var == 1” |
|
!= |
Returns true if two elements are different and false if otherwise. For example: “#result = #var != 1” |
|
< |
Returns true if the element on the left is less than or equal to the element on the right. For example: “#result = #var < 1” |
|
<= |
Returns true if the element on the left is less than or equal to the element on the right. For example: “#result = #var < = 1” |
|
> |
Returns true if the element on the left is greater than the element on the right. For example: “#result = #var > 1” |
|
>= |
Returns true if the element on the left is greater than or equal to the element on the right. For example: “#result = #var > = 1” |
|
in |
Returns true if the element is contained in the array. For example: “#result = 3 in {1,2,3,4}” |
|
between |
Returns true if the element is contained in the interval specified. For example: “#result = 3 between {1,4}” |
|
Logical Operators |
Description |
|
or |
Returns true if a condition is met. For example: “#result = (#var == 1) or (#var == 2)” |
|
and |
Returns true if all conditions are met. For example: “#result = (#var != 1) and (#var != 2)” |
|
! |
Negates the Boolean result of an expression. If the result is true it returns false. If false it returns true. For example: “#result = !(2 == 1)” |
|
Mathematical Operators |
Description |
|
+ |
Addition. For example: “#result = 2 + 3” Returns: 5 |
|
- |
Subtraction. For example: “#result = 2 – 3” Returns: -1 |
|
* |
Multiplication. For example: “#result = 2 * 3” Returns: 6 |
|
/ |
Division. For example: “#result = 2.0 / 3.0” Returns: 0.66666 |
|
% |
Modulus. For example: “#result = 3.0 % 2.0” Returns: 1 |
|
^ |
Exponent. For example: “result = 2 ^ 3” Returns: 8 |
|
Attribution and Variables |
Description |
|
= |
Used for attributions to a variable. For example: “#var = 5” |
|
#name |
Declares the name of a variable. For example: “#var = ‘hello’” |
|
Conditional Operator |
Description |
|
<Boolean expression> ? <if true then…? : <if false then…> |
Creates a condition to evaluate before executing an expression. For example: #var > 5 ? ‘High’ : ‘Low’ |
|
Functions and Mathematical Constants |
Description |
|
E |
Returns established by the Math class of the .NET Framework 4.5. See: http://msdn.microsoft.com/en-us/library/system.math.aspx. |
|
PI | |
|
Abs(double value) | |
|
Acos(double d) | |
|
Asin(double d) | |
|
Atan(double d) | |
|
Atan2(double y, double x) | |
|
BigMul(int a, int b) | |
|
Ceiling(double a) | |
|
Cos(double d) | |
|
Cosh(double value) | |
|
Exp(double d) | |
|
Floor(double d) | |
|
IEEERemainder(double x, double y) | |
|
Log(double d) | |
|
Log(double a, double newBase) | |
|
Log10(double d) | |
|
Max(double val1, double val2) | |
|
Min(double val1, double val2) | |
|
Pow(double x, double y) | |
|
Round(double a) | |
|
Round(double value, int digits) | |
|
Sign(double value) | |
|
Sin(double a) | |
|
Sinh(double value) | |
|
Sqrt(double d) | |
|
Tan(double a) | |
|
Tanh(double value) | |
|
Truncate(double d) |
|
Other Functions |
Description |
|
Lookup(double value, double search, double result, …, default) |
Function to query within a collection of items. For example: Lookup(VulnerabilityType, VulnerabilityType.Gathered, 1, VulnerabilityType.Potential, 2, VulnerabilityType.Confirmed, 3, 0) Returns 1, 2, 3, or 0 depending on the Vulnerability.Type variable. If no possible VulnerabilityType values are assumed it returns 0. |
4. Click Validate Formula for the system to check if the formula is valid. If you want to restore the default formula, click Restore Default Formula.
The system displays a success message.
5. When finished, click Apply Settings to apply changes made. The changes will go into effect immediately when assets are next processed in risk projects.
The system displays a success message.