This document describes how Artifact Analysis evaluates vulnerabilities and assigns severity levels.
Artifact Analysis rates vulnerability severity using the following levels:
- Critical
- High
- Medium
- Low
These severity levels are qualitative labels that reflect factors such as
exploitability, scope, impact, and maturity of the vulnerability. For example,
if a vulnerability enables a remote user to access a system and run arbitrary
code without authentication or user interaction, that vulnerability
would be classified as Critical.
Two additional types of severity are associated with each vulnerability:
- Effective severity - Depending on the vulnerability type:
  - OS packages - The severity level assigned by the Linux distribution maintainer. If that severity level is unavailable, Artifact Analysis uses the severity value from the note provider (NVD). If NVD's CVSS v2 rating is unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.
  - Language packages - The severity level assigned by the GitHub Advisory Database, with a slight difference: Moderate is reported as Medium.
- CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:
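The following is an added example, not Google's code, showing how the effective-severity rules above resolve for OS and language packages and how a build gate could act on the result. The record layout (`package_type`, `distro_severity`, `nvd_cvss_v2_severity`, `nvd_cvss_v3_severity`, `ghsa_severity`) is a constructed assumption, not the Artifact Analysis API schema.

```python
from typing import Optional

# Ordering used only for the gating comparison below.
SEVERITY_ORDER = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# GitHub Advisory Database says "Moderate" where Artifact Analysis reports "Medium".
GHSA_TO_AA = {"LOW": "LOW", "MODERATE": "MEDIUM", "HIGH": "HIGH", "CRITICAL": "CRITICAL"}


def effective_severity(record: dict) -> Optional[str]:
    """Return the effective severity label, or None if no source supplies one.

    The record keys are an assumed, constructed layout (see lead-in).
    """
    if record["package_type"] == "OS":
        # Preference order: distro maintainer, then NVD CVSS v2, then NVD CVSS v3.
        for key in ("distro_severity", "nvd_cvss_v2_severity", "nvd_cvss_v3_severity"):
            value = record.get(key)
            if value:
                return value.upper()
        return None
    if record["package_type"] == "LANGUAGE":
        value = record.get("ghsa_severity")
        return GHSA_TO_AA.get(value.upper()) if value else None
    raise ValueError(f"unknown package type: {record['package_type']}")


def should_block_build(records: list, threshold: str = "HIGH") -> list:
    """Return the records whose effective severity is at or above threshold."""
    floor = SEVERITY_ORDER[threshold.upper()]
    blocking = []
    for rec in records:
        sev = effective_severity(rec)
        if sev is not None and SEVERITY_ORDER.get(sev, 0) >= floor:
            blocking.append(rec)
    return blocking


# Constructed sample records, not real findings.
SAMPLE = [
    {"id": "os-1", "package_type": "OS", "distro_severity": "Medium",
     "nvd_cvss_v2_severity": "HIGH", "nvd_cvss_v3_severity": "CRITICAL"},
    {"id": "os-2", "package_type": "OS", "distro_severity": None,
     "nvd_cvss_v2_severity": None, "nvd_cvss_v3_severity": "Critical"},
    {"id": "lang-1", "package_type": "LANGUAGE", "ghsa_severity": "Moderate"},
    {"id": "lang-2", "package_type": "LANGUAGE", "ghsa_severity": "High"},
]
```

Note that `os-1` resolves to Medium even though NVD rates it higher, because the distro maintainer's rating takes precedence under the OS-package rule.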
What's next
- Investigate vulnerabilities.
- Gate builds in your Cloud Build pipeline based on vulnerability severity.