Severity levels of detected Linux vulnerabilities

When determining the severity level of a Linux vulnerability (Low, Medium, High, Critical), Snyk Container considers multiple factors:

  • Snyk internal analysis

  • An assessment of the severity provided by the Linux distribution security maintainers

  • The severity of the vulnerability, as assessed by the National Vulnerability Database (NVD)

In certain cases, NVD assigns a CVSS vector and severity score that differ from those assigned by the security maintainers of a particular Linux distribution. When this occurs, Snyk prioritizes and uses the CVSS and severity determined by the Linux distribution maintainers, as asserted by the relative importance feature.

Relative importance feature

Relative importance asserts a common severity for a vulnerability and shows the underlying detailed information for that severity based on multiple sources. This allows developers and analysts to view a common level of importance and exposes the underlying information that contributed to the asserted severity.
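The precedence described above can be reproduced offline when auditing exported findings. The following is an added example, not Snyk's code: the `Issue` fields, the `EXAMPLE-` identifiers and the fallback to NVD when a distribution has no rating are assumptions, and Snyk's internal analysis is not modelled. It asserts one severity per issue while keeping both sources, then lists the issues where NVD rates higher than the distribution maintainers so an analyst can review them.

```python
from dataclasses import dataclass
from typing import Optional

# Severity scale named on this page, lowest to highest.
LEVELS = ["low", "medium", "high", "critical"]

@dataclass
class Issue:                         # hypothetical record layout
    vuln_id: str                     # placeholder identifier, not a real CVE
    distro_severity: Optional[str]   # rating from the distribution maintainers
    nvd_severity: Optional[str]      # rating from NVD

def assert_severity(issue):
    """Return (severity, source); the distribution rating wins when present.

    Falling back to NVD when the distribution gives no rating is an
    assumption of this sketch.
    """
    if issue.distro_severity is not None:
        return issue.distro_severity, "distro"
    if issue.nvd_severity is not None:
        return issue.nvd_severity, "nvd"
    return None, "none"

def divergences(issues, min_gap=1):
    """Issues whose NVD rating exceeds the asserted distribution rating by
    at least min_gap levels, largest gap first."""
    out = []
    for i in issues:
        sev, source = assert_severity(i)
        if source != "distro" or i.nvd_severity is None:
            continue
        gap = LEVELS.index(i.nvd_severity) - LEVELS.index(sev)
        if gap >= min_gap:
            out.append((i.vuln_id, sev, i.nvd_severity, gap))
    return sorted(out, key=lambda r: -r[3])

# Constructed sample data.
SAMPLE = [
    Issue("EXAMPLE-0001", "low", "critical"),
    Issue("EXAMPLE-0002", "high", "high"),
    Issue("EXAMPLE-0003", None, "medium"),
    Issue("EXAMPLE-0004", "medium", "high"),
    Issue("EXAMPLE-0005", "high", "medium"),
]

if __name__ == "__main__":
    for issue in SAMPLE:
        print(issue.vuln_id, *assert_severity(issue))
    print(divergences(SAMPLE))
```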

Snyk supports relative importance in Ubuntu, Debian, Red Hat Enterprise Linux (RHEL), CentOS, Amazon Linux, Oracle Linux, and SUSE Linux Enterprise Server (SLES).

View relative importance

For each issue, information appears on the Project page, under Security information.

External information sources for relative importance

To provide information for the distribution, Snyk uses the following external sources:

View NVD Score and Severity for Linux vulnerabilities

To create a report showing only NVD Score and Severity (without the Linux-maintainer rating), add the NVD Score and NVD Severity columns in the Issues Detail report.


© 2023 Snyk Limited | All product and company names and logos are trademarks of their respective owners.