Defining the default security risk calculation

Users with the System Administrator role can change the order of the score sources (the security risk ranking) that Black Duck uses to determine the risk score and risk category of a security vulnerability. Black Duck consults the sources in the configured order and takes the score from the first source that provides one for the vulnerability.

  • If you have not licensed BDSA, the default order is:
    1. NVD (CVSS v3.x)
    2. NVD (CVSS v2)

  • If you have licensed BDSA, the default order is:
    1. BDSA (CVSS v3.x)
    2. NVD (CVSS v3.x)
    3. BDSA (CVSS v2)
    4. NVD (CVSS v2)

As shown above, by default Black Duck uses CVSS v3.x scores first and falls back to CVSS v2 scores only for vulnerabilities that have no v3.x score. You can reorder the ranking so that CVSS v2 scores take precedence instead.

Note the following:

  • Changing the security risk ranking recalculates security risk for every project version BOM and may result in new policy violations, because a vulnerability can resolve to a different score and risk category under the new order. These calculations can take a considerable amount of time to complete.

  • While the recalculation jobs triggered by a previous change are still running, the security risk ranking cannot be changed again. Once those jobs complete, the ranking can be reconfigured.

  • When a CVE record has a related BDSA record (or vice versa), only the record type that is ranked higher in the Security Risk Ranking can be remediated. The lower-ranked record is not used as a determinant in the security risk calculation, so Black Duck does not allow it to be remediated.
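The following Python script is an added illustration, not Black Duck's own code or API. It models the ranked-source fallback described above and shows how reordering the ranking changes a vulnerability's score, its risk category, whether it violates a policy, and which record type (CVE or BDSA) is the determinant that can be remediated. The source labels, the sample scores, the policy rule (violate on Critical) and the mapping of scores to categories (the standard CVSS v3.x and v2 qualitative scales) are assumptions for the example; Black Duck's actual thresholds are not stated on this page.

```python
"""Added example (not Black Duck's own code): models how a ranked list of
score sources resolves to one security risk score, and how reordering the
ranking changes the outcome for a vulnerability."""
from dataclasses import dataclass

# Score sources named on the page. The labels are this example's own.
DEFAULT_RANKING_WITH_BDSA = ("BDSA_V3", "NVD_V3", "BDSA_V2", "NVD_V2")
DEFAULT_RANKING_NVD_ONLY = ("NVD_V3", "NVD_V2")  # no BDSA licence
NVD_V3_FIRST_RANKING = ("NVD_V3", "BDSA_V3", "BDSA_V2", "NVD_V2")  # admin reorder
V2_FIRST_RANKING = ("BDSA_V2", "NVD_V2", "BDSA_V3", "NVD_V3")  # admin reorder


@dataclass
class Vulnerability:
    name: str
    scores: dict  # source label -> CVSS base score; absent key = no score


def select_score(vuln, ranking):
    """Walk the ranking and return (source, score) from the first source that
    carries a score for this vulnerability; (None, None) if none does."""
    for source in ranking:
        if source in vuln.scores:
            return source, vuln.scores[source]
    return None, None


def risk_category(source, score):
    """Qualitative category for a score. Assumption: the standard CVSS v3.x
    and v2 rating scales; Black Duck's own thresholds are not on the page."""
    if score is None:
        return "UNKNOWN"
    if source.endswith("_V3"):
        if score >= 9.0:
            return "CRITICAL"
        if score >= 7.0:
            return "HIGH"
        if score >= 4.0:
            return "MEDIUM"
        return "LOW" if score > 0.0 else "NONE"
    # CVSS v2 has no Critical band.
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def determinant_record_type(source):
    """Record type (BDSA or CVE) whose score drove the result; per the note
    above, only this record type can be remediated."""
    if source is None:
        return None
    return "BDSA" if source.startswith("BDSA") else "CVE"


def evaluate(vuln, ranking, policy_blocks=("CRITICAL",)):
    """Resolve one vulnerability under a ranking. policy_blocks is an assumed
    policy rule: the categories that raise a violation."""
    source, score = select_score(vuln, ranking)
    category = risk_category(source, score)
    return {
        "source": source,
        "score": score,
        "category": category,
        "remediate_via": determinant_record_type(source),
        "policy_violation": category in policy_blocks,
    }


def new_policy_violations(vulns, old_ranking, new_ranking):
    """Names of vulnerabilities that were compliant under old_ranking but
    violate policy under new_ranking: what a reorder can surface."""
    return [
        v.name for v in vulns
        if not evaluate(v, old_ranking)["policy_violation"]
        and evaluate(v, new_ranking)["policy_violation"]
    ]


# Constructed sample data, not real advisories.
SAMPLE_VULNS = {
    # BDSA re-scored lower than NVD; all four sources present.
    "VULN-A": Vulnerability("VULN-A", {"BDSA_V3": 7.5, "NVD_V3": 9.8,
                                       "BDSA_V2": 6.8, "NVD_V2": 7.5}),
    # Old CVE with only a CVSS v2 score: forces fallback to the last source.
    "VULN-B": Vulnerability("VULN-B", {"NVD_V2": 5.0}),
    # BDSA-only record with no CVSS v2 score.
    "VULN-C": Vulnerability("VULN-C", {"BDSA_V3": 8.1}),
}

if __name__ == "__main__":
    for ranking in (DEFAULT_RANKING_WITH_BDSA, NVD_V3_FIRST_RANKING, V2_FIRST_RANKING):
        print(ranking)
        for v in SAMPLE_VULNS.values():
            print("  ", v.name, evaluate(v, ranking))
    print("new violations after reorder:",
          new_policy_violations(SAMPLE_VULNS.values(),
                                DEFAULT_RANKING_WITH_BDSA, NVD_V3_FIRST_RANKING))
```

Under the default BDSA-licensed order, VULN-A resolves to the BDSA v3 score of 7.5 (High) and must be remediated through its BDSA record; moving NVD v3 to the top of the ranking makes the same vulnerability resolve to 9.8 (Critical), switches the determinant to the CVE record, and produces a new policy violation, which is the effect the first note above warns about. VULN-B shows the fallback to CVSS v2 for a record that has no v3.x score.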

To configure the default security risk calculation:

  1. Log in to Black Duck with the System Administrator role.

  2. Click the Administration icon.

  3. Select System Settings.

  4. Click Security Risk Ranking.

  5. In the Security Risk Ranking section, drag and drop the tiles so that the ranking is in the correct order.

  6. Click Save.

    A confirmation dialog box appears. Do one of the following:

    • Click Confirm.

      The VulnerabilitySummaryFetchJob starts once you click Confirm.

      Refresh the page to update the job status shown here; you can also view the status on the Jobs page.

      Once the jobs complete, the new security rankings appear in the Black Duck UI.

    • Click Cancel.

      The security risk configuration ranking returns to its previous order.