Impact on Policies When Code Insight’s CVSS Configuration Changes

If the Code Insight System Administrator changes the CVSS version for Code Insight, the following describes the impact on policies related to vulnerabilities on the Policy Details Window.

When CVSS v2.0 is switched to CVSS v3.x

Code Insight makes the following changes:

•

If the severity level for the Reject inventory items if any associated securities vulnerabilities have a severity level equal to or higher than... field was Unknown previously, it is now None.

•

An additional severity, Critical, is available for this same field.

When CVSS v3.x is switched to CVSS v2.0

Code Insight makes the following changes:

•

If the severity level for the Reject inventory items if any associated securities vulnerabilities have a severity level equal to or higher than... field was previously None, it is now Unknown.

•

If the severity level for this same field was previously Critical, note that this severity is no longer available. To handle the conversion, Code Insight checks to see if a score was previously entered in the Reject inventory items if any associated security vulnerabilities have a CVSS score above... field. If a score less than 9 was entered, that value is retained in the field (since the previous Critical severity started with the score 9). If a value greater than 9 or no value was entered, the value for this field is now 9.