Assessment Analysis Risk Rating

name: Dynamic Severity Adjustments
about: Hoppr-cop adjusts the severity ratings of a finding based on the original score and the justification/state of the finding.

Is your feature request related to a problem? Please describe

Hoppr-Cop supports the process of documenting an assessment of impact, including identifying false positives associated with hoppr-cop scan results. This will lower the severity rating of a finding down to low, but it does not completely remove the finding. If the state of the assessment is resolved, resolved_with_pedigree, false_positive, or not_affected, the associated vulnerability severity will be lowered to low.

This auto severity adjustment to low could provide a false sense of security and may be abused.

Describe the solution you'd like

Vulnerability finding severity adjustments should be unique to each finding's original scoring. Suggest creating a hierarchy of severity adjustment multipliers that varies based on the set state (e.g. resolved vs false positive vs resolved_with_pedigree). This multiplier is weighted against the original security score (e.g. Critical -> High, Critical -> Medium, Critical -> Low).

Describe alternatives you've considered

3rd party exception/assessment toolsets.
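
A sketch of the state-dependent adjustment requested above, set beside the flat "lower to low" behaviour it would replace. This is an added example, not Hoppr-cop code: the multiplier values, their ordering and the function names are assumptions chosen for illustration, and the rating bands are the standard CVSS v3 qualitative ranges.

```python
# CVSS v3 qualitative bands as (lower bound, label), highest first.
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low")]

# Hypothetical multipliers per assessment state (assumed values, not from
# the project). A smaller multiplier means a larger reduction.
STATE_MULTIPLIER = {
    "resolved": 0.8,
    "resolved_with_pedigree": 0.6,
    "not_affected": 0.3,
    "false_positive": 0.2,
}


def rating(score: float) -> str:
    """Map a numeric score to its qualitative band."""
    for floor, label in BANDS:
        if score >= floor:
            return label
    return "none"


def flat_adjustment(score: float, state: str) -> str:
    """Behaviour described in this request: any listed state forces 'low'."""
    return "low" if state in STATE_MULTIPLIER else rating(score)


def weighted_adjustment(score: float, state: str) -> tuple[float, str]:
    """Requested behaviour: scale the original score by the state multiplier.

    States without a multiplier (for example in_triage) leave the score
    unchanged, and a nonzero score never drops below 0.1, so the finding
    is lowered but not removed from the report.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    scaled = round(score * STATE_MULTIPLIER.get(state, 1.0), 1)
    if score > 0:
        scaled = max(scaled, 0.1)
    return scaled, rating(scaled)


if __name__ == "__main__":
    # Constructed sample: one critical finding (9.8) under each state.
    for state in [*STATE_MULTIPLIER, "in_triage"]:
        print(f"{state:24} flat={flat_adjustment(9.8, state):8} "
              f"weighted={weighted_adjustment(9.8, state)}")
```

With these assumed weights a 9.8 finding marked resolved stays high, while the same finding marked false_positive drops to low, so the report keeps the distinction that the flat rule erases.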