What is the Snyk Priority Score?
Snyk created a Priority Score to make the prioritization of issues as quick and easy as possible, ensuring the highest-risk issues have the highest score.
Priority Scores are calculated and shown for all issues, both vulnerabilities and license issues, and range from 0 to 1,000 (0 is considered low risk and 1,000 is considered critical). This range gives users a high degree of granularity that reflects the many considerations taken into account, and it avoids having too many issues end up with the same score, so users can determine priority at a glance with a high degree of accuracy.
For each issue, Snyk processes and weighs several factors in a proprietary algorithm to produce the score for that issue.
Currently, these factors include:
- Fixability (availability of a fix): without a safer version to upgrade to or a Snyk patch available, developers must either fix the code themselves or use an alternative package, so vulnerabilities with fixes are given a higher priority.
- Time: newly disclosed vulnerabilities are likely to pose an increased risk, so they receive a higher priority score.
- Social trends: Snyk's security group found a significant correlation between trending vulnerabilities and exploits or proofs of concept that can be found in the wild, so trending vulnerabilities are prioritized.
- Malicious packages: Snyk prioritizes vulnerabilities originating from malicious packages.
A number of specific factors contribute to the priority calculation for Snyk Code, including:
- Severity levels
- Number of occurrences of the vulnerability
- Rule tags: the score is decreased if the rule carries a beta tag
- Open community projects: whether this vulnerability is widely fixed in open-source projects
- Hot files: whether the vulnerability is in the source file itself or inside a code flow
- Fixability: whether fix examples are available for this issue
Scores can be seen on each issue in the projects view, with all issues sorted by the Priority Score to show you the most pressing issues first.
Issues can be filtered by score using the filters on the left.
The Issues tab in the reports includes the Priority Score as its own sortable column. By default the table is already sorted by the score, to show you the most pressing issues first.
Issues can also be filtered by the score.
Various issue-related API calls include the scores in the response and support filtering by the score; see the Snyk API reference for the relevant calls.
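As an added worked example (not Snyk's own code, and not part of the original page), the following Python script sorts and filters issue records by Priority Score and splits them into a fix-now queue and a manual queue using the fixability factor described above. The record shape, including the field names `priorityScore`, `priority.factors`, `isUpgradable` and `isPatchable`, is an assumption modelled on the v1 aggregated-issues response, and the sample records are constructed, with invented scores; verify the field names against the API reference before running this against live data.

```python
"""Triage Snyk issues by Priority Score.

Added example, not Snyk's own code. The record layout used here
(`priorityScore`, `priority.factors[].description`, `isUpgradable`,
`isPatchable`) is an assumption modelled on the v1 aggregated-issues
response; verify the field names against the Snyk API reference.
"""
from typing import Any, Dict, Iterable, List

Issue = Dict[str, Any]

# Constructed sample data, not real Snyk output. Scores are invented.
SAMPLE_ISSUES: List[Issue] = [
    {"id": "SNYK-JS-CONSTRUCTED-A", "pkgName": "pkg-a", "severity": "critical",
     "priorityScore": 910, "isUpgradable": False, "isPatchable": False,
     "priority": {"factors": [{"name": "isMalicious", "description": "Malicious package"}]}},
    {"id": "SNYK-JS-CONSTRUCTED-B", "pkgName": "pkg-b", "severity": "high",
     "priorityScore": 760, "isUpgradable": True, "isPatchable": False,
     "priority": {"factors": [{"name": "isFixable", "description": "Has a fix available"},
                              {"name": "exploitMaturity", "description": "Proof of concept exploit"}]}},
    {"id": "SNYK-JS-CONSTRUCTED-C", "pkgName": "pkg-c", "severity": "medium",
     "priorityScore": 430, "isUpgradable": False, "isPatchable": True,
     "priority": {"factors": [{"name": "isFixable", "description": "Has a fix available"}]}},
    {"id": "SNYK-JS-CONSTRUCTED-D", "pkgName": "pkg-d", "severity": "low",
     "priorityScore": 120, "isUpgradable": False, "isPatchable": False,
     "priority": {"factors": []}},
]


def score_of(issue: Issue) -> int:
    """Priority Score as an int; a record without one is treated as 0 (lowest)."""
    return int(issue.get("priorityScore", 0))


def sort_by_priority(issues: Iterable[Issue]) -> List[Issue]:
    """Highest score first, matching the default order of the projects view.
    The issue id breaks the (rare) tie so the order is deterministic."""
    return sorted(issues, key=lambda i: (-score_of(i), i["id"]))


def filter_by_score(issues: Iterable[Issue], min_score: int = 0, max_score: int = 1000) -> List[Issue]:
    """Keep issues whose score lies in [min_score, max_score], like the API's score filter."""
    if not 0 <= min_score <= max_score <= 1000:
        raise ValueError("need 0 <= min_score <= max_score <= 1000")
    return sort_by_priority(i for i in issues if min_score <= score_of(i) <= max_score)


def is_fixable(issue: Issue) -> bool:
    """Fixable in the page's sense: a safer version to upgrade to, or a Snyk patch."""
    return bool(issue.get("isUpgradable") or issue.get("isPatchable"))


def explain(issue: Issue) -> str:
    """Join the factor descriptions reported alongside the score."""
    factors = issue.get("priority", {}).get("factors", [])
    return "; ".join(f["description"] for f in factors) or "no factors reported"


def triage(issues: Iterable[Issue], min_score: int) -> Dict[str, List[str]]:
    """Split everything at or above min_score into a fix-now queue (has an
    upgrade or patch) and a manual queue (needs a code fix or a replacement
    package); each queue is ordered by score, highest first."""
    queues: Dict[str, List[str]] = {"fix_now": [], "manual": []}
    for issue in filter_by_score(issues, min_score=min_score):
        queues["fix_now" if is_fixable(issue) else "manual"].append(issue["id"])
    return queues


if __name__ == "__main__":
    for issue in sort_by_priority(SAMPLE_ISSUES):
        print(f'{score_of(issue):4d}  {issue["severity"]:8s} {issue["pkgName"]:6s} {explain(issue)}')
    print(triage(SAMPLE_ISSUES, min_score=400))
```

The threshold passed to `triage` is the caller's own policy, not a Snyk-defined cut-off; the page only fixes the 0 to 1,000 range and its endpoints. Note that a high score does not imply an easy fix: in the sample, the top-scoring issue (a malicious package with no upgrade or patch) lands in the manual queue, which is exactly the case where a replacement package or a code change is needed.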
There are no settings related to the Priority Score. The score is informational metadata only: it does not change how Snyk tests or reports issues, and it cannot be disabled or hidden.