Customers who use Meterian to discover and fix vulnerabilities often ask this question.
Meterian’s assessment report displays two scores labelled Security and Stability, which were described in an earlier post. Assuming a project has no vulnerabilities until one is found, Meterian’s Continuous Security Platform initially assigns a project a score of 100 until it finds a vulnerability. We trust you understand why no code is ever 100% secure and free from vulnerabilities.
Finding a vulnerability will result in points being deducted from the initial score “perfect” score of 100 depending on the vulnerability advice type and its severity.
We have three vulnerability advice types:
- Security This type of advice is usually related to a very well known security flaw in a library, such as the infamous CVE-2017-5638 that caused the recent Equifax disaster. Deductions for the Security score are based on the Common Vulnerability Scoring System (CVSS) score of the vulnerability advisory and then multiplied by a factor of 5. In this case, CVE-2017-5638 was assigned a score of 6 by CVSS and therefore Meterian would deduct 6 x 5 = 30 points.
- Defect This type of advice is used to report a serious defect in a library that can potentially affect the stability of your system. For example, the memory leak that affects certain versions of Hibernate is a very well known ORM library defect. Deductions for defect types depend on their severity:
- minus 20 for each Defect advice with high severity
- minus 10 for each Defect advice with medium severity
- minus 4 for each Defect advice with low severity
- minus 1 for any direct depending library where a patch version is available
- Suggestion This type of advice provides a suggestion from Meterian for projects to swap a library for another or to upgrade to the next version for better code maintenance which may impact the security or stability of your code.
The amount of points deducted depends on the severity of the vulnerability. In our view, lower scores indicate higher risk from vulnerabilities detected in your code. We prefer to err on the side of caution and indicate a strong signal for security risk rather than send a mild signal that might result in security risks being overlooked.
Some may think our scoring applies a harsh judgement. Recalling our previous example of CVE-2017-5638, this security advice type has a high score of 10 and therefore Meterian would penalize the Security score of projects with this dependency by -50 points. Isn’t it better to receive a stronger alert to call attention to bolster your code’s security rather than risk a more mild alert that could lead to undeserved complacency?
So please don’t be intimidated by seeing Security or Stability scores of 0! Make haste to fix the problems reported as soon as possible to avoid software decay and security risks that are preventable.