This document describes how Artifact Analysis evaluates vulnerabilities and assigns severity levels.
Artifact Analysis rates vulnerability severity using the following levels:
- Critical
- High
- Medium
- Low
These severity levels are qualitative labels that reflect factors such as
exploitability, scope, impact, and maturity of the vulnerability. For example,
if a vulnerability enables a remote user to access a system and run arbitrary
code without authentication or user interaction, that vulnerability
would be classified as Critical.
Two additional types of severity are associated with each vulnerability:
- Effective severity - Depending on the vulnerability type:
  - OS packages - The severity level assigned by the Linux distribution maintainer. If these severity levels are unavailable, Artifact Analysis uses the severity value from the note provider, NVD. If NVD's CVSS v2 rating is unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.
  - Language packages - The severity level assigned by the GitHub Advisory Database, with a slight difference: Moderate is reported as Medium.
- CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:
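The effective-severity precedence above (distro maintainer, then NVD CVSS v2, then NVD CVSS v3 for OS packages; GitHub Advisory Database with Moderate mapped to Medium for language packages) is easy to get subtly wrong in a build gate, so the following added example reproduces it as code and uses the result to decide whether a build should be blocked. This is illustrative code written for this page, not Google's or Artifact Analysis's own implementation: the record keys (`package_type`, `distro_severity`, `nvd_cvss_v2_severity`, `nvd_cvss_v3_severity`, `ghsa_severity`) and the sample findings are constructed for the example and do not mirror the real occurrence schema.

```python
# Added example (not Artifact Analysis code): apply the documented
# effective-severity precedence and gate on a severity threshold.
from typing import Optional

# Ordering of the four Artifact Analysis severity levels.
SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def normalize(label: Optional[str]) -> Optional[str]:
    """Map a provider label onto the four levels; GitHub Advisory Database's
    'Moderate' is reported as 'Medium'. Unknown or missing labels become None."""
    if label is None:
        return None
    label = label.strip().upper()
    if label == "MODERATE":
        return "MEDIUM"
    return label if label in SEVERITY_ORDER else None


def effective_severity(vuln: dict) -> Optional[str]:
    """Effective severity per the precedence described on this page.

    OS packages: distro maintainer severity, else NVD CVSS v2, else NVD CVSS v3.
    Language packages: GitHub Advisory Database severity (Moderate -> Medium).
    The record keys used here are assumptions made for this example.
    """
    if vuln["package_type"] == "OS":
        for key in ("distro_severity", "nvd_cvss_v2_severity", "nvd_cvss_v3_severity"):
            sev = normalize(vuln.get(key))
            if sev is not None:
                return sev
        return None
    if vuln["package_type"] == "LANGUAGE":
        return normalize(vuln.get("ghsa_severity"))
    raise ValueError(f"unknown package type: {vuln['package_type']}")


def gate_build(vulns: list, threshold: str) -> list:
    """Return (id, severity) for every finding whose effective severity is at
    or above `threshold`. A non-empty result means the build should be blocked.
    Findings with no resolvable severity are skipped here; a stricter policy
    could treat them as blocking instead."""
    floor = SEVERITY_ORDER[threshold.strip().upper()]
    blocking = []
    for v in vulns:
        sev = effective_severity(v)
        if sev is not None and SEVERITY_ORDER[sev] >= floor:
            blocking.append((v["id"], sev))
    return blocking


# Constructed sample findings with placeholder ids (not real CVEs).
SAMPLE_VULNS = [
    # Distro label present: it wins even though NVD rates it higher.
    {"id": "VULN-1", "package_type": "OS", "distro_severity": "Low",
     "nvd_cvss_v2_severity": "HIGH", "nvd_cvss_v3_severity": "CRITICAL"},
    # No distro label and no CVSS v2: falls through to CVSS v3.
    {"id": "VULN-2", "package_type": "OS", "distro_severity": None,
     "nvd_cvss_v2_severity": None, "nvd_cvss_v3_severity": "High"},
    # Language package: GHSA 'Moderate' is reported as Medium.
    {"id": "VULN-3", "package_type": "LANGUAGE", "ghsa_severity": "Moderate"},
    {"id": "VULN-4", "package_type": "LANGUAGE", "ghsa_severity": "Critical"},
]

if __name__ == "__main__":
    for v in SAMPLE_VULNS:
        print(v["id"], effective_severity(v))
    print("blocking at HIGH:", gate_build(SAMPLE_VULNS, "HIGH"))
```

Note that the first sample finding shows why the precedence matters for gating: the distro maintainer's Low rating takes effect, so a HIGH threshold does not block it even though NVD's CVSS v3 rating is Critical. If a pipeline instead gates on the raw CVSS score, the same finding would be blocked; pick the field deliberately and record which one the policy uses.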
What's next
- Investigate vulnerabilities.
- Gate builds in your Cloud Build pipeline based on vulnerability severity.

