Does Greenbone Community Edition Support CVSS 3.0?

Hello everyone,

I’m new to Greenbone and currently using the Greenbone Community Edition (GCE) on a daily basis. I noticed that it uses CVSS 2.0 by default, but I need to work with CVSS 3.0 instead.

Is there any way to upgrade to CVSS 3.0 within the Greenbone Community Edition, or would I need to migrate to the Greenbone Enterprise Appliances for this feature? I’ve looked for related information but haven’t found a clear answer yet.

1 Like

Hello,

and welcome to this community forums.

The Greenbone Community Edition supports CVSS3.0 since version 21.04 like announced here:

Keep in mind that various vulnerability tests (VTs) might not have a CVSSv3.x score assigned (yet) for various reasons.

3 Likes

Hi all,
I am also using GSA version 24.0.1.
Have been looking at how to enable Vulnerability scan reporting using the CVSS version 3 scoring system.

So far, any dashboard results or reports generated show that the system is using CVSS V2.

While I understand that some vulnerabilities and tests have not had a CVSSv3 score assigned, I would have thought some older CVE’s from say 2022 would have been? Is there any setting I need to change to facilitate CVSSv3 scoring.

Many thanks

Note that there is currently an issue where the string “Critical” is not displayed on top CVSSv3.x scores, but “High” instead. The score itself and the underlying calculation still conforms to CVSSv3.x. We hope to fix this issue with a future 24.10.x version.

If a vulnerability has CVSSv3.x data, the CVSSv3.x data will be used, else the CVSSv2 data will be used. This applies to both our community and enterprise products.

You can check this via the “CVSS Base Vector” property of NVTs and CVEs. See the attached screenshot for an example, using the Greenbone Free with the community feed from 2024-11-05:

2 Likes

Understood… thankyou for the explanation.
Regards
Quentin

1 Like