Open for Voting
over 1 year ago

Add support for CVSS 3.0 for Firmware Vulnerabilities

As of NCM V7.9, NCM uses the old NIST XML feed, which provides CVSS 2.0 Base Impact Scores. CIsco's Security Bulletin default has been CVSS 3.0 for awhile now. The XML Feed was scheduled to retire in April, 2019, but has been extended to October 9, 2019:

NVD - XML Vulnerability Feed Retirement

Please start using the JSON feed, which supports both CVSS 2.0 and CVSS 3.0.

In addition, please break out the Impact metrics to allow better search and sorting of more critical issues. Medium/High/Critical Base scores are not that useful by themselves.

Some example JSON fields in this regard:

"impact" : {

      "baseMetricV3" : {

        "cvssV3" : {

          "version" : "3.0",

          "vectorString" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",

          "attackVector" : "NETWORK",

          "attackComplexity" : "LOW",

          "privilegesRequired" : "NONE",

          "userInteraction" : "REQUIRED",

          "scope" : "CHANGED",

          "confidentialityImpact" : "LOW",

          "integrityImpact" : "LOW",

          "availabilityImpact" : "NONE",

          "baseScore" : 6.1,

          "baseSeverity" : "MEDIUM"


        "exploitabilityScore" : 2.8,

        "impactScore" : 2.7


      "baseMetricV2" : {

        "cvssV2" : {

          "version" : "2.0",

          "vectorString" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",

          "accessVector" : "NETWORK",

          "accessComplexity" : "MEDIUM",

          "authentication" : "NONE",

          "confidentialityImpact" : "NONE",

          "integrityImpact" : "PARTIAL",

          "availabilityImpact" : "NONE",

          "baseScore" : 4.3


        "severity" : "MEDIUM",

        "exploitabilityScore" : 8.6,

        "impactScore" : 2.9,

        "acInsufInfo" : false,

        "obtainAllPrivilege" : false,

        "obtainUserPrivilege" : false,

        "obtainOtherPrivilege" : false,

        "userInteractionRequired" : true



Ideally, as part of CVSS v3.0, we should be able to enter, save, and report on Temporal and Environmental Metrics for each device:

CVSS v3.0 Specification Document

3. Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence that one has in the description of a vulnerability.

4. Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user's organization, measured in terms of complementary/alternative security controls in place, Confidentiality, Integrity, and Availability. The metrics are the modified equivalent of base metrics and are assigned metrics value based on the component placement in organization infrastructure.

We currently have to do this with painful spreadsheets. Temporal metrics do not appear in the current JSON feed, and have to be researched.