Severity levels of detected Linux vulnerabilities
When determining the severity level of a Linux vulnerability (Low, Medium, High, Critical), Snyk Container considers multiple factors:

- Snyk's internal analysis
- An assessment of the severity provided by the Linux distribution maintainer's security team
- The severity of the vulnerability, as assessed by the National Vulnerability Database (NVD)
In certain cases, NVD assigns a different CVSS vector and severity score than the security team of a particular Linux distribution. When this occurs, Snyk prioritizes and uses the CVSS vector and severity determined by the Linux distribution maintainers, as described under Relative importance feature.
Relative importance feature
Relative importance asserts a common severity for a vulnerability and shows the underlying detailed information, drawn from multiple sources, on which that severity is based. This lets developers and analysts see a single level of importance while still exposing the information that helped form it.
View relative importance
For each issue, this information appears on the Project page, under Security information.

Snyk supports relative importance for Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux, and SUSE Linux Enterprise Server (SLES).
External information sources for relative importance
To provide the distribution-specific severity information, Snyk uses the following external sources:

- Debian Severity Levels and no-dsa issues