Stay organized with collectionsSave and categorize content based on your preferences.
This document describes how Artifact Analysis evaluates vulnerabilities and
assigns severity levels.
Artifact Analysis rates vulnerability severity using the following levels:
Critical
High
Medium
Low
These severity levels are qualitative labels that reflect factors such as
exploitability, scope, impact, and maturity of the vulnerability. For example,
if a vulnerability enables a remote user to access a system and run arbitrary
code without authentication or user interaction, that vulnerability
would be classified asCritical.
Two additional types of severity are associated with each vulnerability:
Effective severity - Depending on the vulnerability type:
OS packages - The severity level assigned by the Linux distribution
maintainer. If these severity levels are unavailable,
Artifact Analysis uses the severity value from the note provider,(NVD). If NVD's CVSS v2 rating is
unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.
Language packages - Theseverity levelassigned by
the GitHub Advisory Database, with a slight difference:Moderateis reported asMedium.
CVSS score- The Common
Vulnerability Scoring System score and associated severity level, with two
scoring versions:
CVSS 2.0- Available when
using the API, the Google Cloud CLI, and the GUI.
CVSS 3.1- Available when
using the API and the gcloud CLI.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eArtifact Analysis evaluates and assigns severity levels to vulnerabilities based on factors like exploitability and impact.\u003c/p\u003e\n"],["\u003cp\u003eSeverity levels include Critical, High, Medium, and Low, providing a qualitative assessment of each vulnerability.\u003c/p\u003e\n"],["\u003cp\u003eEffective severity is determined by either the Linux distribution maintainer for OS packages or the GitHub Advisory Database for language packages, and it differs slightly from the severity levels.\u003c/p\u003e\n"],["\u003cp\u003eThe CVSS score, available in versions 2.0 and 3.1, provides a quantitative measure of vulnerability severity, complementing the qualitative severity levels.\u003c/p\u003e\n"]]],[],null,["# Severity levels in Artifact Analysis\n\nThis document describes how Artifact Analysis evaluates vulnerabilities and\nassigns severity levels.\n\nArtifact Analysis rates vulnerability severity using the following levels:\n\n- Critical\n- High\n- Medium\n- Low\n\nThese severity levels are qualitative labels that reflect factors such as\nexploitability, scope, impact, and maturity of the vulnerability. For example,\nif a vulnerability enables a remote user to access a system and run arbitrary\ncode without authentication or user interaction, that vulnerability\nwould be classified as `Critical`.\n\nTwo additional types of severity are associated with each vulnerability:\n\n- Effective severity - Depending on the vulnerability type:\n\n - OS packages - The severity level assigned by the Linux distribution maintainer. If these severity levels are unavailable, Artifact Analysis uses the severity value from the note provider, [(NVD)](https://nvd.nist.gov/vuln-metrics). If NVD's CVSS v2 rating is unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.\n - Language packages - The [severity level](https://docs.github.com/en/graphql/reference/enums#securityadvisoryseverity) assigned by the GitHub Advisory Database, with a slight difference: *Moderate* is reported as *Medium*.\n- [CVSS score](https://www.first.org/cvss/v3.1/user-guide#Scoring-Guide) - The Common\n Vulnerability Scoring System score and associated severity level, with two\n scoring versions:\n\n - [CVSS 2.0](https://www.first.org/cvss/v2/guide) - Available when using the API, the Google Cloud CLI, and the GUI.\n - [CVSS 3.1](https://first.org/cvss/v3.1/user-guide) - Available when using the API and the gcloud CLI.\n\nWhat's next\n-----------\n\n- [Investigate vulnerabilities](/artifact-analysis/docs/investigate-vulnerabilities).\n- [Gate builds in your Cloud Build pipeline](/artifact-analysis/docs/ods-cloudbuild) based on vulnerability severity."]]
