Severity levels of detected Linux vulnerabilities

When determining the severity level of a Linux vulnerability (Low, Medium, High, Critical), Snyk Container considers multiple factors:

• Snyk’s internal analysis

• An assessment of the severity provided by the Linux distribution maintainer’s security team

• The severity of the vulnerability, as assessed by the National Vulnerability Database (NVD).

In certain cases, NVD assigns a different CVSS vector and severity score from the security maintainers of a particular Linux distribution. When this occurs, Snyk prioritizes and uses the CVSS and severity determined by the Linux distribution maintainers, as described by the relative importance feature.

Relative importance feature

Relative importance asserts a common severity for a vulnerability and shows the underlying detailed information for that severity based on multiple sources. This helps developers and analysts view a common level of importance and exposes the underlying information that helped form the given severity.

View relative importance

For each issue, information appears on the Project page, under Security information.

Snyk supports relative Importance in Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux, and SUSE Linux Enterprise Server (SLES).

External information sources for relative importance

To provide information for the distribution, Snyk uses the following external sources:

• NVD Severity

• Debian Severity Levels and no-dsa issues

• Ubuntu CVE Priority

• Red Hat Enterprise Linux Severity Rating

• SUSE Linux Enterprise Security Rating Overview

• Amazon Linux