Vulnerability severity levels

GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever possible. The following is a list of available GitLab vulnerability severity levels, ranked from most to least severe:

  • Critical
  • High
  • Medium
  • Low
  • Info
  • Unknown

Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each open source scanning tool provides their own native vulnerability severity level value. These values can be one of the following:

Native vulnerability severity level type Examples
String WARNING, ERROR, Critical, Negligible
Integer 1, 2, 5
CVSS v2.0 Rating (AV:N/AC:L/Au:S/C:P/I:P/A:N)
CVSS v3.1 Qualitative Severity Rating CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers convert from the above values to a standardized GitLab vulnerability severity level, as outlined in the following tables:

SAST

GitLab analyzer Outputs severity levels? Native severity level type Native severity level example
security-code-scan No N/A N/A
brakeman No N/A N/A
sobelow Yes N/A Hardcodes all severity levels to Unknown
nodejs-scan Yes String INFO, WARNING, ERROR
flawfinder Yes Integer 0, 1, 2, 3, 4, 5
eslint Yes N/A Hardcodes all severity levels to Unknown
SpotBugs Yes Integer 1, 2, 3, 11, 12, 18
gosec Yes String HIGH, MEDIUM, LOW
bandit Yes String HIGH, MEDIUM, LOW
phpcs-security-audit Yes String ERROR, WARNING
pmd-apex Yes Integer 1, 2, 3, 4, 5
kubesec Yes String CriticalSeverity, InfoSeverity
secrets Yes N/A Hardcodes all severity levels to Critical

Dependency Scanning

GitLab analyzer Outputs severity levels? Native severity level type Native severity level example
bundler-audit Yes String low, medium, high, critical
retire.js Yes String low, medium, high, critical
gemnasium Yes CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating (AV:N/AC:L/Au:S/C:P/I:P/A:N), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Container Scanning

GitLab analyzer Outputs severity levels? Native severity level type Native severity level example
klar Yes String Negligible, Low, Medium, High, Critical, Defcon1

Fuzz Testing

All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing.