Statement of CVSS Implementation

The SCAP application updates the CVSS scores for rules daily from the NVD website and saves the updates in the Security Operations Center (SOC) maintained by the service.

Once the scan is complete, users can view CVSS information in the SCAP compliance reports.

The CVSS base scores for rules are included in the SCAP Policy XML Report. This report is an XCCDF result document which adheres to the XCCDF specification. The Policy XML Report constrains the portion of the XCCDF specification dealing with XCCDF test results. The CVSS base score for each rule is reported in the <impact-metric> element, a child of the <Rule> element.
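Added example (not part of the original statement and not the service's own code): a Python script that reads an XCCDF result document and ranks the failed rules by the value in each Rule's <impact-metric> element. The sample document, its rule IDs and scores, and the function names are constructed for illustration; a real Policy XML Report may use a different namespace and layout.

```python
import xml.etree.ElementTree as ET  # for reports from untrusted sources, parse with defusedxml instead

# Constructed sample document (assumption), not output from the service.
SAMPLE = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="sample-benchmark">
  <Group id="group-1">
    <Rule id="rule-password-length"><impact-metric>4.6</impact-metric></Rule>
    <Rule id="rule-telnet-disabled"><impact-metric>7.5</impact-metric></Rule>
  </Group>
  <Rule id="rule-banner"><title>Login banner</title></Rule>
  <TestResult id="sample-result">
    <rule-result idref="rule-password-length"><result>fail</result></rule-result>
    <rule-result idref="rule-telnet-disabled"><result>fail</result></rule-result>
    <rule-result idref="rule-banner"><result>fail</result></rule-result>
    <rule-result idref="rule-not-listed"><result>pass</result></rule-result>
  </TestResult>
</Benchmark>"""

def local(tag):
    """Strip the '{namespace}' prefix so the code works across XCCDF versions."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def failed_rules_by_cvss(xml_text):
    """Return [(rule_id, score_or_None)] for failed rules, highest score first."""
    root = ET.fromstring(xml_text)
    scores, failed = {}, []
    for elem in root.iter():
        name = local(elem.tag)
        if name == "Rule":
            try:
                scores[elem.get("id")] = float(child_text(elem, "impact-metric"))
            except (TypeError, ValueError):
                # Missing element or non-numeric content: keep the rule, unscored.
                scores[elem.get("id")] = None
        elif name == "rule-result" and child_text(elem, "result") == "fail":
            failed.append(elem.get("idref"))
    # Scored rules first in descending order; unscored rules go last.
    failed.sort(key=lambda r: (scores.get(r) is None, -(scores.get(r) or 0.0)))
    return [(rule_id, scores.get(rule_id)) for rule_id in failed]

if __name__ == "__main__":
    for rule_id, score in failed_rules_by_cvss(SAMPLE):
        print(f"{rule_id}: {score if score is not None else 'no impact-metric'}")
```

Rules without an <impact-metric> element are kept at the end of the list rather than dropped, so a failed rule is never hidden by a missing score.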

The special patches for SCAP scans are reported in the SCAP Individual Host Report when evidence is requested in the report setup. The special rule titled "Security Patches Up-To-Date" lists all patches defined in the SCAP content for the SCAP policy. For each CVE tested, the CVSS base score and the attack vector are displayed.

CVSS base and temporal scores are also available in the user's account for all vulnerabilities in the Knowledgebase that have a CVE. Once the user is logged in to the service, the Knowledgebase displays all the vulnerability information, including CVE IDs, vendor-specific references, and CVSS base and temporal scores. CVSS scores are also displayed in detailed vulnerability scan reports and on the Host Information page (accessed via the Asset Search, Asset Groups and Host Assets sections).