STO assigns a severity score to each detected vulnerability. Each score is based on the Common Vulnerability Scoring System (CVSS) version 3.1. If a vulnerability doesn't have a universal CVSS score, STO uses the score assigned by the scanner that detected the vulnerability.
Each detected issue in STO has a severity score (from 0 to 10) and severity level (Info, Low, Medium, High, or Critical). STO classifies severities as follows.
Severity scores are based on the Common Vulnerability Scoring System v3.1 specification. CVSS is a common framework for classifying the severity and characteristics of known software vulnerabilities. CVSS calculates each score using an extensive set of metrics that considers factors such as:
How easy it is to exploit the vulnerability.
The resources that can be affected if an attack succeeds.
The confidentiality of data (such as passwords or personal access tokens) that can be exposed.
The level of remediation required to fix the vulnerability.
For specific details, see the CVSS 3.1 specification. You can also search the NIST National Vulnerability database for detailed information about specific vulnerabilities.
In some cases, a scanner might detect a vulnerability without a CVSS score. In this case, STO uses the score determined by the scanner. For more information, go to the external scanner documentation.
Each vulnerability also has a severity level based on its CVSS score. Because each score is based on an extensive and highly granular set of metrics and calculations, vulnerabilities with similar scores can vary in their characteristics and effects. However, vulnerabilities with the same level often have some common characteristics.
|CRITICAL||9 - 10||Critical vulnerabilities often have the following characteristics:|
|HIGH||7 - 8.9||High-severity vulnerabilities often have the following characteristics:|
|MEDIUM||4.0 - 6.9||Medium-severity vulnerabilities often have the following characteristics:|
|LOW||0.1 - 3.9||Low-severity vulnerabilities often have the following characteristics:|
|INFO||-1.0 or 0.0||A software or other issue that has no security impact. For example: bugs, incorrect API calls, code smells, and so on.|