Currently, the findings score (calculated by the get_findings_score method of the Findings class) returns different scores depending on whether the --sh-filters used include one or more findings of the same resource, which I think doesn't make sense. Let me give you an example:
Let's say I have a resource with ID resourceA, which has 5 findings: 2 CRITICAL, 2 HIGH, and 1 INFORMATIONAL.
If Metahub is executed using --sh-filters Id="", the get_findings_score method will return 0 (the math is 0/4) as findings_severity_value["INFORMATIONAL"] is 0.
However, if Metahub is executed using --sh-filters ResourceId="resourceA", the get_findings_score method will return 1 (the math is (4/4)+(4/4)+(3/4)+(3/4)+(0/4), which equals 3.5 and is capped to 1).
This value is then used in the generate_impact_scoring method of the Impact class to calculate the criticality score.
The goal of this example is to show that currently, Metahub's calculated criticality of a finding is heavily dependent on how Metahub is executed, which has nothing to do with the AWS environment in which it is executed or the finding context. This has some unwanted (at least from my point of view) consequences such as:
An INFORMATIONAL finding will have the same criticality as a CRITICAL one if Metahub is executed filtering by resource ID.
If Metahub is executed with a broad filter (or no filter at all) it will generate higher criticality values than if it is executed filtering by finding ID.
Has this case been evaluated? I would like to know if anything is wrong with my analysis or if there is a way to mitigate this behavior.
Thanks
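To make the filter dependence concrete, here is an added illustration that is not Metahub's code: it reconstructs the scoring from the arithmetic in the post (severity/4 summed over the filtered findings, capped at 1, with CRITICAL=4, HIGH=3, INFORMATIONAL=0 as the post's numbers imply), and adds a check that asks whether a finding keeps its score when selected by Id versus by ResourceId. The `apply_sh_filters` helper, the sample findings, and the `own_severity_score` alternative are assumptions made for the example.

```python
# Added illustration of the behaviour described in the issue; a
# reconstruction from the post's arithmetic, NOT Metahub's own code.
# Weights implied by the post (CRITICAL=4, HIGH=3, INFORMATIONAL=0,
# divisor 4); other severities are omitted because the post gives none.
SEVERITY_VALUE = {"CRITICAL": 4, "HIGH": 3, "INFORMATIONAL": 0}
MAX_SEVERITY = 4

# Constructed sample: resourceA with 5 findings, as in the post.
FINDINGS = [
    {"Id": "f1", "ResourceId": "resourceA", "Severity": "CRITICAL"},
    {"Id": "f2", "ResourceId": "resourceA", "Severity": "CRITICAL"},
    {"Id": "f3", "ResourceId": "resourceA", "Severity": "HIGH"},
    {"Id": "f4", "ResourceId": "resourceA", "Severity": "HIGH"},
    {"Id": "f5", "ResourceId": "resourceA", "Severity": "INFORMATIONAL"},
]

def apply_sh_filters(findings, **sh_filters):
    """Stand-in for --sh-filters: assumed exact-match AND over key=value."""
    return [f for f in findings
            if all(f.get(k) == v for k, v in sh_filters.items())]

def batch_score(filtered, finding):
    """Score as the post describes it: sum of severity/4 over every finding
    that survived the filter, capped at 1, and assigned to each finding in
    the batch. `finding` itself is never consulted, which is the problem."""
    total = sum(SEVERITY_VALUE[f["Severity"]] / MAX_SEVERITY for f in filtered)
    return min(total, 1)

def own_severity_score(filtered, finding):
    """Assumed filter-independent alternative (not Metahub's fix): a finding
    is scored on its own severity only, so the batch does not matter."""
    return SEVERITY_VALUE[finding["Severity"]] / MAX_SEVERITY

def scores_under(scorer, filtered):
    """Per-finding criticality input the scorer would hand to the Impact step."""
    return {f["Id"]: scorer(filtered, f) for f in filtered}

def is_filter_independent(scorer, findings, finding_id, resource_id):
    """Check: does finding_id get the same score when selected by Id as when
    selected together with the rest of its resource's findings?"""
    by_id = apply_sh_filters(findings, Id=finding_id)
    by_resource = apply_sh_filters(findings, ResourceId=resource_id)
    return (scores_under(scorer, by_id)[finding_id]
            == scores_under(scorer, by_resource)[finding_id])

if __name__ == "__main__":
    print(is_filter_independent(batch_score, FINDINGS, "f5", "resourceA"))
    print(is_filter_independent(own_severity_score, FINDINGS, "f5", "resourceA"))
```

Running it prints False for the reconstructed batch scoring (f5 scores 0 by Id and 1 by ResourceId) and True for the per-finding alternative.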