Hi all. I haven't been using MVM for long, but I was asked if I could create a report that shows just the critical findings. From what I have seen using MVM so far, a scan report shows Informationals, Lows, Mediums, and Highs. There doesn't seem to be a critical category like on other vulnerability scanning tools. Or would we just consider the high findings to be the same as criticals?
I have worked with MVM for one and a half years now at the company where I work. Actually, we only report the high and medium vulns to the teams for correction; they are considered critical.
A vulnerability set based upon CVSS v2 Metrics / Vectors can be created for use in Custom Reports and/or scans. As for CVSS v3, that should also be able to be created. I have not created such a set to date.
Below is a screenshot of a CVSS v2 MVM Rule-based Vulnerability Set that will pull CRITICAL Vulns based upon "CVSS v2 == 10".
The vuln set should include any vuln that has a CVSS score greater than or equal to 9.99509 in the NVD per what is listed in MVM.