Severity levels in Artifact Analysis

This document describes how Artifact Analysis evaluates vulnerabilities and assigns severity levels.

Artifact Analysis rates vulnerability severity using the following levels:

  • Critical
  • High
  • Medium
  • Low

These severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.

Two additional types of severity are associated with each vulnerability:

  • Effective severity - Depending on the vulnerability type:

    • OS packages - The severity level assigned by the Linux distribution maintainer. If these severity levels are unavailable, Artifact Analysis uses the severity value from the note provider (NVD). If NVD's CVSS v2 rating is unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.
    • Language packages - The severity level assigned by the GitHub Advisory Database, with a slight difference: Moderate is reported as Medium.
  • CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:

    • CVSS 2.0 - Available when using the API, the Google Cloud CLI, and the GUI.
    • CVSS 3.1 - Available when using the API and the gcloud CLI.
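The effective-severity precedence described above, as an added example that is not Google's code: it derives the label for a vulnerability record from the provider ratings in the order the page gives (distribution maintainer, then NVD CVSS v2, then NVD CVSS v3 for OS packages; GitHub Advisory Database with Moderate reported as Medium for language packages). The record field names and sample records are assumptions constructed for this example, not the Artifact Analysis API schema.

```python
from typing import Optional

# The four qualitative levels the page lists, lowest to highest.
LEVELS = ("Low", "Medium", "High", "Critical")


def normalize(label: Optional[str]) -> Optional[str]:
    """Map a provider label onto the Artifact Analysis levels.

    The GitHub Advisory Database uses "Moderate", which the page says is
    surfaced as "Medium". Other labels are title-cased (NVD reports them
    in upper case) and accepted only if they are one of the four levels.
    """
    if not label:
        return None
    label = label.strip().capitalize()
    if label == "Moderate":
        return "Medium"
    return label if label in LEVELS else None


def effective_severity(vuln: dict) -> Optional[str]:
    """Apply the page's fallback order to one vulnerability record.

    Field names (package_type, distro_severity, nvd_cvss_v2_severity,
    nvd_cvss_v3_severity, ghsa_severity) are assumptions for this example.
    """
    if vuln.get("package_type") == "os":
        # First available source wins: distro maintainer, NVD v2, NVD v3.
        for key in ("distro_severity", "nvd_cvss_v2_severity", "nvd_cvss_v3_severity"):
            level = normalize(vuln.get(key))
            if level:
                return level
        return None
    if vuln.get("package_type") == "language":
        return normalize(vuln.get("ghsa_severity"))
    return None


def severity_rank(level: str) -> int:
    """Numeric rank so findings can be sorted or thresholded (Critical highest)."""
    return LEVELS.index(level)


# Constructed sample records, one per branch of the precedence chain.
SAMPLE = [
    {"id": "os-1", "package_type": "os", "distro_severity": "High",
     "nvd_cvss_v2_severity": "MEDIUM", "nvd_cvss_v3_severity": "CRITICAL"},
    {"id": "os-2", "package_type": "os", "nvd_cvss_v2_severity": "MEDIUM",
     "nvd_cvss_v3_severity": "CRITICAL"},
    {"id": "os-3", "package_type": "os", "nvd_cvss_v3_severity": "CRITICAL"},
    {"id": "lang-1", "package_type": "language", "ghsa_severity": "Moderate"},
]


def summarize(records: list) -> dict:
    """Return {record id: effective severity} for a batch of findings."""
    return {r["id"]: effective_severity(r) for r in records}
```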

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.