Understanding Severity Levels for Security Vulnerabilities
Code Insight obtains the severity level of a security vulnerability from the advisory database used to identify the vulnerability. The severity is based on the vulnerability’s CVSS (Common Vulnerability Scoring System) score, which can have two different values depending on the scoring system used to calculate it—CVSS v2.0 or v3.x. Code Insight supports both systems for displaying the scores and severities of security vulnerabilities. The Code Insight System Administrator determines which scoring system your system uses.
CVSS v3.x Scoring System
When Code Insight is configured to report security vulnerabilities using the CVSS v3.x scoring system, the color-coded segments in the Vulnerabilities bar graph represent the following severity levels:
• Dark brown—Critical severity (CVSS score 9.0 - 10.0)
• Red—High severity (CVSS score 7.0 - 8.9)
• Gold—Medium severity (CVSS score 4.0 - 6.9)
• Yellow—Low severity (CVSS score 0.1 - 3.9)
• None—No severity available (N/A)
The following Vulnerabilities bar graph reflects vulnerability counts for an inventory item when CVSS v3.x scoring is used. (The counts are based on vulnerability scores in all CVSS v3 systems supported by Code Insight, currently v3.1 and v3.0. A given vulnerability can have only one v3 score—either a v3.1 or v3.0 score, not both.) This specific graph indicates 13 vulnerabilities of critical severity, 5 of high severity, 3 of medium severity, 0 of low severity, and 5 of unknown severity.
CVSS v2.0 Scoring System
When Code Insight is configured to use the CVSS v2.0 scoring system, the color-coded segments in the graph represent the following severity levels:
• Red—High severity (CVSS score 7.0 - 10.0)
• Gold—Medium severity (CVSS score 4.0 - 6.9)
• Yellow—Low severity (CVSS score 0.1 - 3.9)
• Gray—Unknown severity (N/A)
The following Vulnerabilities bar graph reflects vulnerability counts for the same inventory item referenced in the previous section, but in this case CVSS v2.0 scoring is used. Note that the graph shows the same total number of vulnerabilities as the previous graph shows, but the severity distribution is different. In this case, the graph indicates 13 vulnerabilities of high severity, 8 of medium severity, 5 of low severity, and 80 of unknown severity:
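The following is an added example (not Code Insight's own code) that applies the v3.x and v2.0 severity bands from both sections above to the same constructed list of vulnerabilities, showing why one inventory item can produce two different severity distributions. Vulnerability IDs and scores are made up for illustration; a score of 0.0 or a missing score is treated as "N/A".

```python
from collections import Counter
from typing import Optional

# Severity bands as documented for the two scoring modes (lower bound inclusive).
# Critical exists only under v3.x; under v2.0 everything from 7.0 up is High.
V3_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]
V2_BANDS = [(7.0, "High"), (4.0, "Medium"), (0.1, "Low")]


def severity(score: Optional[float], system: str) -> str:
    """Map a CVSS base score to the severity label used by the given system."""
    if system not in ("v2", "v3"):
        raise ValueError(f"unknown scoring system: {system}")
    if score is None:
        return "N/A"  # advisory carries no score for this system
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    bands = V3_BANDS if system == "v3" else V2_BANDS
    for floor, label in bands:
        if score >= floor:
            return label
    return "N/A"  # a score of 0.0 falls below the Low band


def distribution(vulns, system: str) -> Counter:
    """Count vulnerabilities per severity band for one scoring system.

    Each entry may carry a 'v2' score and/or a single 'v3' score
    (a v3.0 or a v3.1 score, never both, as the page notes)."""
    return Counter(severity(v.get(system), system) for v in vulns)


# Constructed sample data (hypothetical IDs and scores, not real advisories).
SAMPLE = [
    {"id": "VULN-1", "v2": 10.0, "v3": 9.8},
    {"id": "VULN-2", "v2": 7.5, "v3": 7.5},
    {"id": "VULN-3", "v2": 5.0, "v3": 6.5},
    {"id": "VULN-4", "v2": 4.3, "v3": None},  # scored only under v2.0
    {"id": "VULN-5", "v2": None, "v3": 3.7},  # scored only under v3.x
    {"id": "VULN-6", "v2": 2.1, "v3": None},
]

if __name__ == "__main__":
    for system in ("v3", "v2"):
        # Same six vulnerabilities, different distribution per system.
        print(system, dict(distribution(SAMPLE, system)))
```

Note that the total count is the same under both systems; only the band each vulnerability lands in changes, and a vulnerability unscored in one system shows up as N/A there.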