|License Type||SaaS | On-Premise|
|Main Product Category||Contrast UI|
How are the severity levels of the findings determined and is it possible to adjust these?
The default rankings are baked into the Contrast agent's ruleset. Each rule carries an Impact rating (how damaging a successful exploit would be) and a Likelihood rating (how probable exploitation is), and the two are combined to assign the severity of every finding that rule produces.
We also take into account the confidence level, which is separate from severity: the confidence of a finding indicates how certain we are that it is a true vulnerability rather than a false positive. The levels of confidence we use are based on the same levels used for CVE confidence: https://cve.mitre.org/data/board/archives/2000-11/msg00007.html. You can see the confidence for a specific rule by going to Policy Management -> Assess Rules and clicking on the name of a particular rule. The High Confidence filter in the vulnerability list shows only those issues with the highest level of confidence.
If for any reason you don't agree with the severity Contrast has assigned, it can be tailored to your own preferences at two levels. To alter the severity for an entire rule (every finding that rule produces), select your name in the top right-hand corner of the TeamServer UI and select Policy Management. Then, under 'Assess Rules', navigate to the desired rule, click on the gear icon, and check 'Override' to modify the severity. If you only want to alter the level for a specific vuln/finding, open that finding, click on its severity level directly, and make the adjustment; this affects only that one finding and leaves the rule's default unchanged.
For more details on how we rank vulnerabilities and managing your findings, please see: https://docs.contrastsecurity.com/user-vulns.html#manage-vuln