Risk Score

The Snyk Risk Score is a single value assigned to an issue, applied by automatic risk analysis for all vulnerability-type issues. License issues are not currently supported. Risk Score is based on the potential impact and likelihood of exploitability. Ranging from 0 to 1,000, the score represents the risk imposed on your environment and enables a risk-based prioritization approach.

Risk score remains the same over time if the contributing factors do not change. However, some contributing factors, such as Exploit Prediction Scoring System (EPSS), potentially can change frequently. The number of days since the vulnerability was first published is also a factor and causes the score to change once, when the number of days becomes more than one year and the likelihood subscore decreases.

Since real risk is scarce, you should expect a significant drift in the distribution of scores, as can be seen in this example of Project score distributions:

Risk Score replaces the Priority Score directly. See the priority score docs for how to interact with the Risk Score in the UI, API, and Reports, where the Risk Score is now introduced when enabled.

Risk Score is not available in the CLI.

Explore the Risk Score by issue

When looking at Issue card information, hover over the score to see the type of score (Priority or Risk Score) that is being displayed. The Risk Score tooltip provides information about the subscore and the Risk Factors contributing to the score.

About the Risk Score model

The model that powers the Risk Score applies automatic risk analysis for each security issue based on the potential impact and likelihood of exploitability.

Impact subscore

Objective impact factors are the CVSS impact metrics, Availability, Confidentiality, Integrity, and Scope, calculated based on the CVSS impact subscore. For Container issues, Provider Urgency is also taken into account.

The business criticality Project attribute will be taken into account as a contextual impact factor, increasing or decreasing the impact subscore. For more information, see Project attributes.

Likelihood subscore

Objective likelihood factors are taken into account:

• Exploit Maturity

• Exploit Prediction Scoring System (EPSS)

• Age of advisory

• CVSS exploitability metrics: Attack vector, Privileges required, User interaction, and Scope

• Social Trends

• Malicious Package

• Provider Urgency (Snyk Container)

• Package popularity (Snyk Open Source)

• (Forthcoming) Disputed vulnerability

Contextual likelihood factors then increase or decrease the likelihood subscore:

• Reachability (Snyk Open Source Java only, JavaScript to be supported)

• Transitive depth

• (Forthcoming) Insights such as Deployed , OS condition and Public Facing

Risk factors drill down

Objective impact risk factors

Confidentiality

Represents the impact on customer’s data confidentiality, based on CVSS definition. Possible input values: None, Low, High

Integrity

Represents the impact on customer’s data integrity, based on CVSS definition. Possible input values: None, Low, High

Availability

Represents the impact of customer’s application availability based on CVSS definition. Possible input values: None, Low, High

Scope

Indicates whether the vulnerability can affect components outside of the target’s security scope, based on CVSS definition. The objective impact subscore is calculated based on the CVSS impact subscore. For more information, see the references on CVSS definitions above and the subscore equations.

Provider urgency (Snyk Container)

Urgency rating as provided by the relevant operating system distribution security team. For more information, see External information sources for relative importance in severity levels of detected Linux vulnerabilities.

Contextual impact risk factor

Business criticality

User-defined Project attribute representing the subjective business impact of the respective application. For more information, see Project attributes.

Objective likelihood risk factors

Exploit maturity

Represents the existence and maturity of any public exploit retrieved and validated by Snyk. For more information, see View exploits, How exploits are determined.

EPSS score

Exploit Prediction Scoring System (EPSS), predicting whether a CVE will be exploited in the wild, based on an elaborated model created and owned by the FIRST Organization. The probability is the direct output of the EPSS model and conveys an overall sense of the threat of exploitation in the wild. This data is updated daily, relying on the latest available EPSS model version. See the EPSS documentation for more details. Possible input values: EPSS score [0.00-1.00]

Attack vector

Represents the context by which vulnerability exploitation is possible, based on the CVSS definition.

Attack complexity

Represents the level of complexity defined by the conditions that must exist to exploit the vulnerability, based on the CVSS definition.

Privileges required

Represents the level of privileges an attacker must possess before successfully exploiting the vulnerability, based on the CVSS definition.

User interaction

Represents the need for action from a user as part of the exploitation process, based on the CVSS definition.

Social trends

Represents the social media traffic regarding this vulnerability. Snyk research has shown that greater social media interaction can predict future exploitation or point to existing exploitation. For more information, see Vulnerabilities with social trends.

Malicious package

Malicious code deployed as a supply chain dependency is considered highly exploitable.

Age of vulnerability

A new vulnerability (up to one year) is more likely to be exploited than an old vulnerability (more than one year since publication)

Package popularity (Snyk Open Source)

If a package is relatively more popular for its ecosystem, it is more likely to be exploited as hackers benefit from a wider pool of potential targets.

CVE disputed (forthcoming)

These are CVEs that have been acknowledged as being disputed by their Project maintainer or the community at large. Snyk research shows that none of the disputed CVEs in the Snyk Vulnerability DB have been exploited in the wild.

Provider urgency (Snyk Container)

Importance rating as provided by the relevant operating system distribution security team. For more information, see External information sources for relative importance in severity levels of detected Linux vulnerabilities.

Contextual likelihood risk factors

Transitive depth

Building on past studies, Snyk research has shown that if a vulnerability is introduced to a Project transitively rather than directly, it is less likely that an exploitable function path will exist.

Reachability

Snyk static code analysis determines whether the vulnerable method is being called. This is currently supported only in Java; JavaScript support is coming soon. For more information, see Reachable vulnerabilities. When Reachability is not enabled, the Likelihood subscore will not change, and the factor will not show up.

OS condition (forthcoming)

Whether or not the operating system and architecture of a given resource are relevant to this specific issue

Deployed (forthcoming)

Whether or not the container image introducing this issue is deployed.

Public facing (forthcoming)

Whether or not the asset introducing this issue is exposed to the Internet.