When Snyk determines the severity level (Low, Medium, High, Critical) of a Linux vulnerability for the Snyk Container product, we consider multiple factors:
Snyk's internal analysis
An assessment of the severity provided by the Linux distribution maintainer’s security team
The severity of the vulnerability as assessed by the National Vulnerability Database (NVD)
In certain cases, NVD assigns a different CVSS vector and severity score from the one published by the security team of a particular Linux distribution (for example, NVD may score a CVE Critical while the distribution rates it Low because of how the package is built or used there). When this occurs, we use the severity determined by the Linux distribution maintainers, as described in the relative importance feature below.
Relative Importance asserts a common severity for a vulnerability and shows the underlying detailed information for that severity, based on multiple sources. This helps developers and analysts view a common level of importance, and exposes the underlying information that helped form the given severity.
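The resolution rule above, worked through in code. This is an added illustration, not Snyk's implementation: it takes the per-source ratings for one vulnerability, normalises each onto the four-level scale, prefers the distribution maintainer's rating over NVD's, and keeps every underlying rating so the detail view can show what the asserted severity was based on. The distribution label mappings, the NVD fallback when the distribution has not rated the CVE, and the names `Assessment`, `resolve` and `normalise` are assumptions made for the example; the CVSS v3 score bands are the standard ones from the CVSS specification.

```python
"""Resolve one "relative importance" severity from several per-source ratings.

Rule implemented: the Linux distribution maintainer's rating wins when it
exists; otherwise the NVD rating is used. This is an illustrative model,
not Snyk's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

SNYK_LEVELS = ("Low", "Medium", "High", "Critical")

# ASSUMPTION: how each distribution's own vocabulary maps onto the four-level
# scale. Ubuntu uses negligible..critical, Debian unimportant..high, RHEL
# Low/Moderate/Important/Critical; the exact mapping Snyk applies is not
# stated on the page.
DISTRO_LABEL_MAP: Dict[str, Dict[str, str]] = {
    "ubuntu": {"negligible": "Low", "low": "Low", "medium": "Medium",
               "high": "High", "critical": "Critical"},
    "debian": {"unimportant": "Low", "low": "Low", "medium": "Medium",
               "high": "High"},
    "rhel":   {"low": "Low", "moderate": "Medium", "important": "High",
               "critical": "Critical"},
}


def cvss_score_to_level(score: float) -> str:
    """CVSS v3.x qualitative bands: 0.1-3.9 Low, 4.0-6.9 Medium,
    7.0-8.9 High, 9.0-10.0 Critical. A 0.0 ("None") score is folded into
    Low here because the four-level scale has no lower rung (assumption)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Assessment:
    source: str                         # "nvd" or a distro id such as "ubuntu"
    severity: Optional[str] = None      # label exactly as the source publishes it
    cvss_vector: Optional[str] = None   # kept verbatim for the detail view
    cvss_score: Optional[float] = None


@dataclass
class RelativeImportance:
    severity: str          # the single asserted severity
    chosen_source: str     # which source it came from
    details: List[dict]    # every underlying rating, normalised, for display


def normalise(a: Assessment) -> Optional[str]:
    """Map one source's rating onto the four-level scale; None if it cannot be
    interpreted (unknown distro, unknown label, no score)."""
    if a.source == "nvd":
        if a.cvss_score is not None:
            return cvss_score_to_level(a.cvss_score)
        if a.severity and a.severity.capitalize() in SNYK_LEVELS:
            return a.severity.capitalize()
        return None
    table = DISTRO_LABEL_MAP.get(a.source)
    if table is None or a.severity is None:
        return None
    return table.get(a.severity.lower())


def resolve(assessments: List[Assessment], distro: str) -> RelativeImportance:
    """Pick the relative importance for a package in an image based on `distro`.

    Precedence: the distribution maintainer's rating, then NVD. The NVD
    fallback for a CVE the distribution has not rated is an assumption."""
    details: List[dict] = []
    by_source: Dict[str, str] = {}
    for a in assessments:
        level = normalise(a)
        details.append({"source": a.source, "published": a.severity,
                        "cvss_vector": a.cvss_vector, "normalised": level})
        if level is not None and a.source not in by_source:
            by_source[a.source] = level          # first usable rating per source
    for source in (distro, "nvd"):
        if source in by_source:
            return RelativeImportance(by_source[source], source, details)
    raise ValueError("no usable severity from any source")


if __name__ == "__main__":
    # Constructed input mirroring the page's example: Ubuntu rates the CVE
    # Low while NVD scores it 9.8 (Critical). The Ubuntu rating is asserted.
    example = [
        Assessment("ubuntu", severity="low"),
        Assessment("nvd", cvss_vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                   cvss_score=9.8),
    ]
    ri = resolve(example, distro="ubuntu")
    print(ri.severity, "from", ri.chosen_source)
    for d in ri.details:
        print("  ", d)
```

The important design point is that the NVD rating is never discarded: it stays in `details` next to the distribution's rating, which is what lets an analyst see why a CVE that NVD calls Critical is shown as Low for an Ubuntu image, and question that call if the package in their image is used differently from what the maintainers assumed.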
View relative importance
New information appears in the Security information section of the project page, for each issue:
Example: a vulnerability rated Low by Ubuntu and Critical by NVD. The asserted severity is Low, and the NVD rating is shown alongside it as supporting detail.
We currently support relative importance in: Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux and SUSE Linux Enterprise Server (SLES).
External information sources
We use the following external sources to provide this information for the distros: