Severity Levels for Security Vulnerabilities
The severity level of a specific security vulnerability is pulled from the National Vulnerability Database (NVD) or from another advisory database used to identify the vulnerability. The severity is based on the vulnerability’s CVSS (Common Vulnerability Scoring System) score.
SBOM Management uses the CVSS v3.x scoring system, which includes v3.1 and v3.0. A given security vulnerability can have either a 3.1 or 3.0 score, not both.
The color-coded segments in the Vulnerabilities bar graph represent the following severity levels:
- Dark brown—Critical severity (CVSS v3.x score 9.0 - 10.0)
- Red—High severity (CVSS v3.x score 7.0 - 8.9)
- Gold—Medium severity (CVSS v3.x score 4.0 - 6.9)
- Yellow—Low severity (CVSS v3.x score 0.1 - 3.9)
- Gray—No severity available (N/A) due to lack of a CVSS v3.x score
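The bucket boundaries above, as an added worked example (this is not code from the page or from SBOM Management): a Python routine that takes NVD-style vulnerability records, picks the CVSS v3.1 or v3.0 base score, assigns the graph's severity level, and tallies the segment counts. The record field names (`cvssV31`, `cvssV30`), the function names and the sample records are assumptions constructed for illustration. The explicit `"None"` result for a base score of exactly 0.0 follows the CVSS v3.x qualitative rating scale; it is not one of the five segments the page lists, so the code reports it separately rather than folding it into Low or N/A.

```python
"""Severity bucketing for CVSS v3.x base scores, mirroring the Vulnerabilities bar graph.

Added example, not part of SBOM Management or the original page. The record layout
(NVD-style 'cvssV31' / 'cvssV30' keys) and the function names are assumptions.
"""
from collections import Counter
from typing import Optional

# Severity buckets from the page, highest first, so the first lower bound
# that the score reaches wins. The third field is the graph's segment color.
SEVERITY_BUCKETS = [
    ("Critical", 9.0, "dark brown"),
    ("High", 7.0, "red"),
    ("Medium", 4.0, "gold"),
    ("Low", 0.1, "yellow"),
]

# Order of the segments as the page lists them, plus the out-of-scale case.
SEGMENT_ORDER = ("Critical", "High", "Medium", "Low", "N/A", "None")


def cvss3_base_score(vuln: dict) -> Optional[float]:
    """Return the CVSS v3.x base score of a record, or None if it has no v3.x score.

    Assumption: scores live under 'cvssV31' / 'cvssV30' (NVD-style key names).
    The page states a vulnerability carries either a 3.1 or a 3.0 score, never
    both, so the v3.1-first preference only matters for malformed input.
    A CVSS v2-only record deliberately yields None (gray segment).
    """
    for key in ("cvssV31", "cvssV30"):
        raw = vuln.get(key)
        if raw is None:
            continue
        score = round(float(raw), 1)  # feeds sometimes export scores as strings
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS v3.x base score out of range: {score!r}")
        return score
    return None


def severity(score: Optional[float]) -> str:
    """Map a v3.x base score (or None) to the bar graph's severity label."""
    if score is None:
        return "N/A"  # no CVSS v3.x score available
    score = round(float(score), 1)
    for name, lower, _color in SEVERITY_BUCKETS:
        if score >= lower:
            return name
    # Exactly 0.0: rated "None" by the CVSS v3.x scale, outside the page's buckets.
    return "None"


def severity_counts(vulns) -> dict:
    """Tally records per segment in the graph's order, zero-filling empty segments."""
    counts = Counter(severity(cvss3_base_score(v)) for v in vulns)
    return {name: counts.get(name, 0) for name in SEGMENT_ORDER}


# Constructed sample records (not real advisories); comments give the expected bucket.
SAMPLE_VULNS = [
    {"id": "VULN-1", "cvssV31": 9.8},     # Critical
    {"id": "VULN-2", "cvssV30": "7.5"},   # High, score exported as a string
    {"id": "VULN-3", "cvssV31": 8.9},     # High, just below the Critical boundary
    {"id": "VULN-4", "cvssV30": 5.3},     # Medium
    {"id": "VULN-5", "cvssV31": 3.1},     # Low
    {"id": "VULN-6"},                     # no score at all -> N/A
    {"id": "VULN-7", "cvssV2": 6.8},      # v2-only score still counts as N/A
]

if __name__ == "__main__":
    for name, count in severity_counts(SAMPLE_VULNS).items():
        print(f"{name:>8}: {count}")
```

Boundary scores are the cases worth checking when wiring this to a real feed: 8.9 must land in High and 9.0 in Critical, 6.9 in Medium and 7.0 in High, and 0.1 is the lowest score that still counts as Low.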
The following Vulnerabilities bar graph reflects vulnerability counts for an example SBOM part. This specific graph indicates 11 vulnerabilities of critical severity, 14 of high severity, 4 of medium severity, 0 of low severity, and 33 of unknown severity.