Understanding the severity levels of detected Linux vulnerabilities
Snyk considers multiple factors to determine the severity level (Low, Medium, High, Critical) of a Linux vulnerability with Snyk Container:
Snyk’s internal analysis
An assessment of the severity provided by the Linux distribution maintainer’s security team
The severity of the vulnerability as assessed by the National Vulnerability Database (NVD)
NVD and the security team of a particular Linux distribution sometimes assign different CVSS vectors, and therefore different severity scores, to the same vulnerability. When they disagree, Snyk uses the CVSS vector and severity determined by the distribution maintainers, as described in the relative importance feature.
Relative importance feature
Relative importance assigns a single severity to a vulnerability and exposes the detailed assessment from each source that contributed to it. Developers and analysts get one level of importance to act on, together with the underlying per-source information that formed it.
View relative importance
The per-source details appear in the Security information section of the Project page for each issue.
Snyk supports relative importance for Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux, and SUSE Linux Enterprise Server (SLES).
External information sources for relative importance
Snyk uses the following external sources to provide this information for the supported distributions:
Debian Severity Levels and no-dsa issues.