Security Policies
The threat level (risk) rankings are based on the Common Vulnerability Scoring System (CVSS) score assigned to each finding, as published for the corresponding Common Vulnerabilities and Exposures (CVE) entry.
A CVSS score is composed of three metric groups:
Metric group | Description |
---|---|
Base | The intrinsic and fundamental characteristics of a vulnerability that are constant over time and across user environments. |
Temporal | Characteristics of a vulnerability that change over time but not across user environments (for example, whether a working exploit or an official fix exists). |
Environmental | Characteristics of a vulnerability that are relevant and unique to a particular user's environment. |
CVSS scores reported in Sonatype data reflect the Base metrics only; the default reference policy does not include Temporal or Environmental factors specific to your deployment. For details on CVSS scoring, visit https://www.first.org/cvss/user-guide.
CVSS Scoring
Policy | Threat | Categories | Detection |
---|---|---|---|
 | 10 | All | Any system may be compromised when such a vulnerability is present |
 | 10 | All | Generally exploitable when on the CLASSPATH of the running executable |
 | 9 | All | Generally exploitable when on the CLASSPATH of the running executable |
 | 7 | All | Generally exploitable through a specific set of component functionality or misconfiguration |
 | 3 | All | Low risk of exploitation; however, multiple low-severity issues may be chained, leading to more severe exploits |
Security Exceptions
The Temporal and Environmental context of your specific use case may raise or lower the criticality indicated by the reported (Base) CVSS score. When making exceptions for components that violate security policies, consider the following:
A mitigating control has been verified and documented.
The exploit is not applicable in the application context.
The organization is willing to accept the risk of a legacy component.
Malicious components are exploitative by nature and should never be allowed in your code. Components whose Integrity Rating is 'Suspicious' (see Firewall Specific Policies below) should also be avoided until their safety can be verified. Security issues in this category must never be allowed and must be addressed immediately; no exceptions should be made.
Firewall Specific Policies
Firewall policies govern the enforcement of component requests that pass through proxy repositories. Enforcement happens through Firewall's integration with your artifact repository, such as Nexus Repository.
Policy | Threat | Categories | Detection |
---|---|---|---|
 | 10 | Repository | |
 | 9 | Repository | |