Vulnerability risk assessment data
Use vulnerability risk data to help assess the potential impact to your environment.
Severity: Each vulnerability is assigned a standardized GitLab severity value.
For vulnerabilities in the Common Vulnerabilities and Exposures (CVE) catalog, the following data can be retrieved by using a GraphQL query:
- Likelihood of exploitation: Exploit Prediction Scoring System (EPSS) score.
- Existence of known exploits: Known Exploited Vulnerabilities (KEV) status.
Use this data to help prioritize remediation and mitigation actions. For example, a vulnerability with medium severity and a high EPSS score may require mitigation sooner than a vulnerability with a high severity and a low EPSS score.
EPSS
The EPSS score provides an estimate of the likelihood that a vulnerability in the CVE catalog will be exploited in the next 30 days. EPSS assigns each CVE a score between 0 and 1 (equivalent to 0% to 100%).
KEV
The KEV catalog lists vulnerabilities that are known to have been exploited. You should prioritize the remediation of vulnerabilities in the KEV catalog above other vulnerabilities. Attacks using these vulnerabilities have occurred and the exploitation method is likely known to attackers.
Query risk assessment data
Use the GraphQL API to query the severity, EPSS, and KEV values of vulnerabilities in a project.
The `Vulnerability` type in the GraphQL API has a `cveEnrichment` field, which is populated when the `identifiers` field contains a CVE identifier. The `cveEnrichment` field contains the CVE ID, EPSS score, and KEV status for the vulnerability. EPSS scores are rounded to the second decimal digit.
For example, the following GraphQL API query returns all vulnerabilities in a given project and their CVE ID, EPSS score, and KEV status (`isKnownExploit`). Run the query in the GraphQL explorer or any other GraphQL client.
```graphql
{
  project(fullPath: "<full/path/to/project>") {
    vulnerabilities {
      nodes {
        severity
        identifiers {
          externalId
          externalType
        }
        cveEnrichment {
          epssScore
          isKnownExploit
          cve
        }
      }
    }
  }
}
```
Example output:
```json
{
  "data": {
    "project": {
      "vulnerabilities": {
        "nodes": [
          {
            "severity": "CRITICAL",
            "identifiers": [
              {
                "externalId": "CVE-2019-3859",
                "externalType": "cve"
              }
            ],
            "cveEnrichment": {
              "epssScore": 0.2,
              "isKnownExploit": false,
              "cve": "CVE-2019-3859"
            }
          },
          {
            "severity": "CRITICAL",
            "identifiers": [
              {
                "externalId": "CVE-2016-8735",
                "externalType": "cve"
              }
            ],
            "cveEnrichment": {
              "epssScore": 0.94,
              "isKnownExploit": true,
              "cve": "CVE-2016-8735"
            }
          }
        ]
      }
    }
  },
  "correlationId": "..."
}
```
Vulnerability Prioritizer
- Status: Experiment
Use the Vulnerability Prioritizer CI/CD component to help prioritize a project’s vulnerabilities (namely CVEs). The component outputs a prioritization report in the `vulnerability-prioritizer` job’s output.
Vulnerabilities are listed in the following order:
- Vulnerabilities with known exploitation (KEV) are top priority.
- Higher EPSS scores (closer to 1) are prioritized.
- Severities are ordered from Critical to Low.
Only vulnerabilities detected by dependency scanning and container scanning are included because the Vulnerability Prioritizer CI/CD component requires data only available in Common Vulnerabilities and Exposures (CVE) records. Moreover, only detected (Needs triage) and confirmed vulnerabilities are shown.
To add the Vulnerability Prioritizer CI/CD component to your project’s CI/CD pipeline, see the Vulnerability Prioritizer documentation.
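As an added example (not part of the GitLab documentation or the component's own code), the following Python applies the ordering and filtering rules above to the `nodes` list returned by the GraphQL query. It assumes the nodes also include the `state` field of the `Vulnerability` type for the detected/confirmed filter; the sample input is constructed and the extra CVE IDs are placeholders.

```python
"""Rank GraphQL vulnerability nodes the way the Vulnerability Prioritizer
orders its report: KEV first, then higher EPSS, then severity."""

# Severity rank, Critical first. Values follow the GraphQL severity enum.
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3,
                 "INFO": 4, "UNKNOWN": 5}

# Only detected ("Needs triage") and confirmed vulnerabilities are reported.
INCLUDED_STATES = {"DETECTED", "CONFIRMED"}

def priority_key(node):
    """Sort key: KEV status, then EPSS descending, then severity."""
    enrichment = node.get("cveEnrichment") or {}
    kev = bool(enrichment.get("isKnownExploit"))
    epss = enrichment.get("epssScore")
    if epss is None:
        epss = 0.0  # unscored CVE ranks below any scored one
    return (0 if kev else 1, -epss, SEVERITY_RANK.get(node.get("severity"), 99))

def prioritize(nodes):
    """Return CVE-backed, detected/confirmed vulnerabilities in remediation order.
    Findings without cveEnrichment (no CVE ID) are dropped. The `state` field
    is an assumption; nodes lacking it are treated as detected."""
    candidates = [n for n in nodes
                  if n.get("cveEnrichment")
                  and n.get("state", "DETECTED") in INCLUDED_STATES]
    return sorted(candidates, key=priority_key)

# Constructed sample: the two nodes from the example output above plus
# extra nodes (placeholder CVE IDs) to exercise tie-breaking and filtering.
SAMPLE_NODES = [
    {"severity": "CRITICAL", "state": "DETECTED", "cveEnrichment":
        {"epssScore": 0.2, "isKnownExploit": False, "cve": "CVE-2019-3859"}},
    {"severity": "CRITICAL", "state": "CONFIRMED", "cveEnrichment":
        {"epssScore": 0.94, "isKnownExploit": True, "cve": "CVE-2016-8735"}},
    {"severity": "MEDIUM", "state": "DETECTED", "cveEnrichment":
        {"epssScore": 0.5, "isKnownExploit": False, "cve": "CVE-0000-0001"}},
    {"severity": "HIGH", "state": "RESOLVED", "cveEnrichment":  # filtered out
        {"epssScore": 0.99, "isKnownExploit": True, "cve": "CVE-0000-0002"}},
    {"severity": "HIGH", "state": "DETECTED", "cveEnrichment": None},  # no CVE
]

if __name__ == "__main__":
    for n in prioritize(SAMPLE_NODES):
        e = n["cveEnrichment"]
        print(f'{e["cve"]:14} KEV={e["isKnownExploit"]} EPSS={e["epssScore"]:.2f} {n["severity"]}')
```

Note that the medium-severity placeholder with EPSS 0.5 ranks above the critical CVE-2019-3859 with EPSS 0.2, which is the trade-off the introduction describes.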