⭐️ human readable impact value #5046
Conversation
|
Is the long term goal here also to rename that field so we don't cause confusion about impact vs. risk rating? |
explorer/impact.go
Outdated
| "low": 10, | ||
| "medium": 40, | ||
| "high": 70, | ||
| "critical": 100, |
There was a problem hiding this comment.
I'd recommend to place the numbers in the middle of each of the ranges. Currently critical is on the top end of the range, while the others are on the low end. I think it would help better balance things. (That said, I could see the argument to leave critical the way you have it)
There was a problem hiding this comment.
Right now, I used always the lowest number except for critical because it felt strange to have 90 for critical. I see both options: lowest or middle values working. I would appreciate if you could propose the middle values so I can just adjust to those.
There was a problem hiding this comment.
The middle would be: 95 critical, 80 high, 55 medium, 20 low, 0 none
There was a problem hiding this comment.
The problem with having the lower values on everything is that it skews the calculation on all evaluations this way. I.e. it's very easy to have something that is high (low end 70) have a much too lower influence on the overall calculation (of an asset or a policy) because it is at the very bottom end of the scale. That's why I'd recommend against the lower end of the scale. Btw same reason applies to the top end of the scale. Third reason to pick the middle is to give us some wiggle room to adjust severities in policies within each band to prioritize things higher/lower
chris-rock
force-pushed
the
chris-rock/human-readable-impact
branch
from
11f38c2 to
14a2e51
Compare
Previously we only supported int values for query impacts, see https://github.com/mondoohq/cnspec-policies/blob/main/core/mondoo-linux-security.mql.yaml#L344
With this change, we can also use typical ratings which makes it easier for users to read the values: