Back to catalog

Fixable CVSS >= 7

No violationsstackroxhighbuilddeploy

Alert on deployments with fixable vulnerabilities with a CVSS of at least 7

Rationale
Known vulnerabilities make it easier for adversaries to exploit your application. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).
Remediation
Use your package manager to update to a fixed version in future builds or speak with your security team to mitigate the vulnerabilities.
CategoriesVulnerability Management
Compliance mappingsView coverage →
DORA EU 2022/2554
Art. 9.4(c)
ISO/IEC 27001 2022
A.8.8
NIST SP 800-53 rev. 5
RA-5SI-2
PCI DSS 4.0
6.3.16.3.3
SOC 2 2017 TSC
CC7.1

Generated artifacts

1 of 5 targets supported
fixable-cvss-7.rego
# Fixable CVSS >= 7 (trivy)
# severity: high
# source: stackrox/f09f8da1-6111-4ca0-8f49-294a76c65115
package trivy.fixable_cvss_7

deny[msg] {
  # rule 1
  some v
  v := input.Vulnerabilities[_]
  v.FixedVersion != ""
  some v
  v := input.Vulnerabilities[_]
  v.CVSS.Score >= 7
  msg := "[high] Fixable CVSS >= 7: Alert on deployments with fixable vulnerabilities with a CVSS of at least 7"
}
IR (canonical)
{
  "id": "f09f8da1-6111-4ca0-8f49-294a76c65115",
  "name": "Fixable CVSS >= 7",
  "description": "Alert on deployments with fixable vulnerabilities with a CVSS of at least 7",
  "rationale": "Known vulnerabilities make it easier for adversaries to exploit your application. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
  "remediation": "Use your package manager to update to a fixed version in future builds or speak with your security team to mitigate the vulnerabilities.",
  "severity": "high",
  "categories": [
    "Vulnerability Management"
  ],
  "lifecycle": [
    "build",
    "deploy"
  ],
  "eventSource": "none",
  "scope": [],
  "exclusions": [],
  "enforcement": {
    "failBuild": true
  },
  "expression": {
    "op": "and",
    "children": [
      {
        "op": "criterion",
        "field": "fixed-by",
        "values": [
          ".*"
        ],
        "valuesOp": "or",
        "negate": false
      },
      {
        "op": "criterion",
        "field": "cvss",
        "values": [
          ">= 7.000000"
        ],
        "valuesOp": "or",
        "negate": false
      }
    ]
  },
  "disabled": true
}
Original StackRox JSON
{
  "id": "f09f8da1-6111-4ca0-8f49-294a76c65115",
  "name": "Fixable CVSS >= 7",
  "description": "Alert on deployments with fixable vulnerabilities with a CVSS of at least 7",
  "rationale": "Known vulnerabilities make it easier for adversaries to exploit your application. You can fix these high-severity vulnerabilities by updating to a newer version of the affected component(s).",
  "remediation": "Use your package manager to update to a fixed version in future builds or speak with your security team to mitigate the vulnerabilities.",
  "disabled": true,
  "categories": [
    "Vulnerability Management"
  ],
  "lifecycleStages": [
    "BUILD",
    "DEPLOY"
  ],
  "eventSource": "NOT_APPLICABLE",
  "exclusions": [],
  "scope": [],
  "severity": "HIGH_SEVERITY",
  "enforcementActions": [
    "FAIL_BUILD_ENFORCEMENT"
  ],
  "policySections": [
    {
      "sectionName": "",
      "policyGroups": [
        {
          "fieldName": "Fixed By",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ".*"
            }
          ]
        },
        {
          "fieldName": "CVSS",
          "booleanOperator": "OR",
          "negate": false,
          "values": [
            {
              "value": ">= 7.000000"
            }
          ]
        }
      ]
    }
  ],
  "notifiers": [],
  "lastUpdated": null,
  "SORTName": "",
  "SORTLifecycleStage": "",
  "SORTEnforcement": false,
  "policyVersion": "1.1",
  "mitreAttackVectors": [],
  "criteriaLocked": true,
  "mitreVectorsLocked": true,
  "isDefault": true,
  "source": "IMPERATIVE"
}