Vulnerability severity levels

GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever possible. The following is a list of available GitLab vulnerability severity levels, ranked from most to least severe:

  • Critical
  • High
  • Medium
  • Low
  • Info
  • Unknown

Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each open source scanning tool provides their own native vulnerability severity level value. These values can be one of the following:

Native vulnerability severity level typeExamples
String WARNING, ERROR, Critical, Negligible
Integer 1, 2, 5
CVSS v2.0 Rating(AV:N/AC:L/Au:S/C:P/I:P/A:N)
CVSS v3.1 Qualitative Severity RatingCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers convert from the above values to a standardized GitLab vulnerability severity level, as outlined in the following tables:

SAST

GitLab analyzerOutputs severity levels?Native severity level typeNative severity level example
security-code-scan YesString CRITICAL, HIGH, MEDIUM in analyzer version 3.2.0 and later. In earlier versions, hardcoded to Unknown.
brakeman YesString HIGH, MEDIUM, LOW
sobelow YesNot applicableHardcodes all severity levels to Unknown
nodejs-scan YesString INFO, WARNING, ERROR
flawfinder YesInteger 0, 1, 2, 3, 4, 5
eslint YesNot applicableHardcodes all severity levels to Unknown
SpotBugs YesInteger 1, 2, 3, 11, 12, 18
gosec YesString HIGH, MEDIUM, LOW
bandit YesString HIGH, MEDIUM, LOW
phpcs-security-audit YesString ERROR, WARNING
pmd-apex YesInteger 1, 2, 3, 4, 5
kubesec YesString CriticalSeverity, InfoSeverity
secrets YesNot applicableHardcodes all severity levels to Critical
semgrep YesString error, warning, note, none

Dependency Scanning

GitLab analyzerOutputs severity levels?Native severity level typeNative severity level example
gemnasium YesCVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating (AV:N/AC:L/Au:S/C:P/I:P/A:N), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Container Scanning

GitLab analyzerOutputs severity levels?Native severity level typeNative severity level example
container-scanning YesString Unknown, Low, Medium, High, Critical

Fuzz Testing

All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing.