This document describes how Artifact Analysis evaluates vulnerabilities and
assigns severity levels.
Artifact Analysis rates vulnerability severity using the following levels:
Critical
High
Medium
Low
These severity levels are qualitative labels that reflect factors such as
exploitability, scope, impact, and maturity of the vulnerability. For example,
if a vulnerability enables a remote user to access a system and run arbitrary
code without authentication or user interaction, that vulnerability
would be classified as Critical.
Two additional types of severity are associated with each vulnerability:
Effective severity - Depends on the vulnerability type:
  OS packages - The severity level assigned by the Linux distribution maintainer. If the distribution does not provide a severity level, Artifact Analysis uses the severity value from the note provider (NVD): NVD's CVSS v2 rating or, if that is unavailable, NVD's CVSS v3 rating.
  Language packages - The severity level assigned by the GitHub Advisory Database, with one difference: Moderate is reported as Medium.
CVSS score - The Common Vulnerability Scoring System score and its associated severity level, in two scoring versions:
  CVSS 2.0 - Available when using the API, the Google Cloud CLI, and the GUI.
  CVSS 3.1 - Available when using the API and the gcloud CLI.
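The precedence described above for the effective severity, written out as an added example (not code from the Artifact Analysis documentation or API). The input dictionary keys (package_type, distro_severity, nvd_cvss_v2_severity, nvd_cvss_v3_severity, ghsa_severity, cvss_v3_score) are constructed for this example and are not the Artifact Analysis API field names; the CVSS v3 score-to-rating thresholds come from FIRST's published CVSS v3.x scale, not from this page.

```python
from typing import Optional

LEVELS = ("CRITICAL", "HIGH", "MEDIUM", "LOW")
# GitHub Advisory Database labels; "Moderate" is reported as "Medium" (as the page states).
GHSA_TO_ARTIFACT = {"CRITICAL": "CRITICAL", "HIGH": "HIGH", "MODERATE": "MEDIUM", "LOW": "LOW"}


def _normalize(label: Optional[str]) -> Optional[str]:
    """Upper-case a severity label; anything outside the four known levels counts as absent."""
    if not label:
        return None
    label = label.strip().upper()
    return label if label in LEVELS else None


def effective_severity(finding: dict) -> Optional[str]:
    """Effective severity per the page's precedence (keys are constructed for this example)."""
    kind = finding.get("package_type")
    if kind == "OS":
        # 1. Linux distribution maintainer's rating wins when present.
        # 2. Otherwise NVD's CVSS v2 severity.
        # 3. Otherwise NVD's CVSS v3 severity.
        for key in ("distro_severity", "nvd_cvss_v2_severity", "nvd_cvss_v3_severity"):
            sev = _normalize(finding.get(key))
            if sev:
                return sev
        return None
    if kind == "LANGUAGE":
        raw = (finding.get("ghsa_severity") or "").strip().upper()
        return GHSA_TO_ARTIFACT.get(raw)
    raise ValueError(f"unknown package_type: {kind!r}")


def cvss_v3_severity(score: float) -> str:
    """Qualitative rating for a CVSS v3.x base score (FIRST scale, not from the page)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score must be between 0.0 and 10.0")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def severity_disagrees(finding: dict) -> bool:
    """True when the effective severity and the CVSS v3-derived rating differ;
    such findings deserve manual review instead of a gate on a single label."""
    eff = effective_severity(finding)
    score = finding.get("cvss_v3_score")
    if eff is None or score is None:
        return False
    return eff != cvss_v3_severity(score)
```

Because a distribution maintainer's rating overrides NVD, the effective severity and the CVSS-derived rating can differ for the same CVE; severity_disagrees surfaces those cases.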
Last updated 2025-03-05 UTC.