Vulnerability risk assessment data
Use vulnerability risk data to help assess the potential impact to your environment.
-
Severity: Each vulnerability is assigned a standardized GitLab severity value.
-
For vulnerabilities in the Common Vulnerabilities and Exposures (CVE) catalog, the following data can be retrieved by using a GraphQL query:
- Likelihood of exploitation: Exploit Prediction Scoring System (EPSS) score.
- Existence of known exploits: Known Exploited Vulnerabilities (KEV) status.
Use this data to help prioritize remediation and mitigation actions. For example, a vulnerability with medium severity and a high EPSS score may require mitigation sooner than a vulnerability with a high severity and a low EPSS score.
EPSS
- Introduced in GitLab 17.4 with flags named
epss_querying(in issue 470835) andepss_intgestion(in issue 467672). Disabled by default. - Renamed to
cve_enrichment_queryingandcve_enrichment_ingestionrespectively and enabled on GitLab.com in GitLab 17.6.
The EPSS score provides an estimate of the likelihood a vulnerability in the CVE catalog will be exploited in the next 30 days. EPSS assigns each CVE a score between 0 to 1 (equivalent to 0% to 100%).
KEV
- Introduced in GitLab 17.7.
The KEV catalog lists vulnerabilities that are known to have been exploited. You should prioritize the remediation of vulnerabilities in the KEV catalog above other vulnerabilities. Attacks using these vulnerabilities have occurred and the exploitation method is likely known to attackers.
Query risk assessment data
Use the GraphQL API to query the severity, EPSS, and KEV values of vulnerabilities in a project.
The Vulnerability type in the GraphQL API has a cveEnrichment field, which is populated when the
identifiers field contains a CVE identifier. The cveEnrichment field contains the CVE ID, EPSS
score, and KEV status for the vulnerability. EPSS scores are rounded to the second decimal digit.
For example, the following GraphQL API query returns all vulnerabilities in a given project and
their CVE ID, EPSS score, and KEV status (isKnownExploit). Run the query in the
GraphQL explorer or any other GraphQL
client.
{
project(fullPath: "<full/path/to/project>") {
vulnerabilities {
nodes {
severity
identifiers {
externalId
externalType
}
cveEnrichment {
epssScore
isKnownExploit
cve
}
}
}
}
}
Example output:
{
"data": {
"project": {
"vulnerabilities": {
"nodes": [
{
"severity": "CRITICAL",
"identifiers": [
{
"externalId": "CVE-2019-3859",
"externalType": "cve"
}
],
"cveEnrichment": {
"epssScore": 0.2,
"isKnownExploit": false,
"cve": "CVE-2019-3859"
}
},
{
"severity": "CRITICAL",
"identifiers": [
{
"externalId": "CVE-2016-8735",
"externalType": "cve"
}
],
"cveEnrichment": {
"epssScore": 0.94,
"isKnownExploit": true,
"cve": "CVE-2016-8735"
}
},
]
}
}
},
"correlationId": "..."
}