Bigfix patch rating to vendor mapping

mcuff · August 10, 2023, 3:07pm

I have two questions relating to patch ratings and classification.

1/
I am trying to understand how BigFix patch ratings map to CVSS, Ubuntu and Redhat ratings. Is this documented anywhere?

Bigfix patch ratings are: Unspecified, Low, Moderate, Important, Critical

CVSS ratings are: None, Low, Medium, High, Critical

Ubuntu patch ratings are: Unknown, Negligible, Low, Medium, High, Critical

Redhat patch ratings are: Low, Moderate, Important, Critical

BigFix rating = Unspecified
CVSS = None
CVSS score = 0
Ubuntu classification = ?
Redhat classification = ?

BigFix rating = Low
CVSS = Low
CVSS score = 0.1-3.9
Ubuntu classification = ?
Redhat classification = ?

BigFix rating = Moderate
CVSS = Medium
CVSS score = 4.0-6.9
Ubuntu classification = ?
Redhat classification = ?

BigFix rating = Important
CVSS = High
CVSS score = 7.0-8.9
Ubuntu classification = ?
Redhat classification = ?

BigFix rating = Critical
CVSS = Critical
CVSS score = 9.0-10.0
Ubuntu classification = ?
Redhat classification = ?

2/
I am trying to understand how BigFix patch categories map to Ubuntu and Redhat ratings. Is this documented anywhere?

Bigfix categorises updates as: Bugfix, Enhancement, Security

Ububtu categorises updates as: Update (aka Release), Security

RHEL categorises updates as: Bugfix, Enhancement, Security

BigFix classification = Bugfix
Ubuntu classification = ?
Redhat classification = Bugfix

BigFix classification = Enhancement
Ubuntu classification = ?
Redhat classification = Enhancement

BigFix classification = Security
Ubuntu classification = Security
Redhat classification = Security

thanks
Mike

JasonWalker · August 10, 2023, 3:17pm

Generally for the Patch content we use whatever Severity was present in the vendor’s original bulletins / repo. As you can see in this screenshot, ‘Source Severity’ for RHEL patches map to Red Hat’s values “Low, Moderate, Important, Critical” while the Ubuntu patches map to Canonical’s values of “Low, Negligible, Medium, High, Unspecified”.

CVSS is not supplied for all the content, based on how it’s generated. Often a single patch will cover multiple CVEs with multiple CVSS scores.

For the Fixlets we’ve crafted specifically to audit against CVEs (like the Known Exploited Vulnerabilities Content Pack), we generate a fixlet specific to each CVE - even if multiple CVEs would be resolved in one patch, and those per-CVE detection fixlets contain the CVSS scores when they are available. There’s not a place to present CVSS scores in the default user interfaces, but they are embedded in MIME fields on the fixlets and are presented in the CVE Search Dashboard & Web Report.

mcuff · August 15, 2023, 3:30pm

Hello Jason,

Sorry missed your reply.

If I understand you correctly there is not a one to one correlation between fixlet and vendor package, a fixlet may contain multiple packages, packages maybe present in multiple fixlets. The fixlets are assigned category and rating based on vendor info.

I’d like to explain to my colleagues, how the ratings that the WEB UI ratings correspond to Ubuntu.

For Redhat there is a one to one mapping, but not Ubuntu. But is it as simple as this?

BigFix WeBUI>Unspecified = Ubuntu>Unknown & Ubuntu>Negligible
BigFix WeBUI>Low = Ubuntu>Low & Redhat>Low
BigFix WeBUI>Moderate = Ubuntu>Medium & Redhat>Moderate
BigFix WeBUI>Important = Ubuntu>High & Redhat>Important
BigFix WeBUI>Critical = Ubuntu>Critical & Redhat>Critical

Same for Classification, what do Ubuntu Release and Update map to?

BigFix WeBUI>BugFix = Ubuntu>??? & Redhat>BugFix
BigFix WeBUI>Enhancement = Ubuntu>??? & Redhat>Endhancement
BigFix WeBUI>BugFix = Ubuntu>Security & Redhat>Security

If I look in the console at Ubuntu fixlets I see 4 listed under negligible, ignoring the fact they are superseded, what would I select in WEB UI to get them installed?

thanks
Mike

JasonWalker · August 15, 2023, 5:52pm

Is this for Patch Policy? Patch Policy does have to do some work to normalize/categorize these severities just so we can use the same selections across all the different vendor values of patch severities. Just want to make sure I’m looking in the right place to give the mappings.

mcuff · August 15, 2023, 7:19pm

Hello Jason,

yes, its patch policies.

thanks
Mike

mcuff · August 18, 2023, 9:02am

Hello Jason,

could you please also include SUSE and Windows.

thanks
Mike

orbiton · August 18, 2023, 11:13am

If you want to know the mapping between WebUI Severity and the Fixlet Severity - you can check the following documentation - https://help.hcltechsw.com/bigfix/10.0/webui/WebUI/Users_Guide/c_patch_policy_overview.html#c_patch_policy_overview__section_bgs_1ch_dvb

I can also suggest if there is a missing mapping - Open a Support Ticket.
This is something that has been done before - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0105969

mcuff · August 18, 2023, 4:02pm

Thanks orbiton, just what I needed, one severity is missing, Ubuntu and negligible. Opening support call as you suggest.

orbiton · August 26, 2023, 8:51am

@mcuff Do you have an update about this?
EDIT : Nevermind , found the Defect Article - https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0107048