Pirate Praveen 095190ed6e New upstream version 15.4.2+ds1

2022-10-11 01:57:18 +05:30

6.8 KiB

Raw Blame History

type	stage	group	info
reference	Govern	Threat Insights	To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments

Vulnerability severity levels (ULTIMATE)

GitLab vulnerability analyzers attempt to return vulnerability severity level values whenever possible. The following is a list of available GitLab vulnerability severity levels, ranked from most to least severe:

Critical
High
Medium
Low
Info
Unknown

Most GitLab vulnerability analyzers are wrappers around popular open source scanning tools. Each open source scanning tool provides their own native vulnerability severity level value. These values can be one of the following:

Native vulnerability severity level type	Examples
String	`WARNING`, `ERROR`, `Critical`, `Negligible`
Integer	`1`, `2`, `5`
CVSS v2.0 Rating	`(AV:N/AC:L/Au:S/C:P/I:P/A:N)`
CVSS v3.1 Qualitative Severity Rating	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`

To provide consistent vulnerability severity level values, the GitLab vulnerability analyzers convert from the above values to a standardized GitLab vulnerability severity level, as outlined in the following tables:

SAST

GitLab analyzer	Outputs severity levels?	Native severity level type	Native severity level example
`security-code-scan`	{check-circle} Yes	String	`CRITICAL`, `HIGH`, `MEDIUM` in analyzer version 3.2.0 and later. In earlier versions, hardcoded to `Unknown`.
`brakeman`	{check-circle} Yes	String	`HIGH`, `MEDIUM`, `LOW`
`sobelow`	{check-circle} Yes	Not applicable	Hardcodes all severity levels to `Unknown`
`nodejs-scan`	{check-circle} Yes	String	`INFO`, `WARNING`, `ERROR`
`flawfinder`	{check-circle} Yes	Integer	`0`, `1`, `2`, `3`, `4`, `5`
`eslint`	{check-circle} Yes	Not applicable	Hardcodes all severity levels to `Unknown`
`SpotBugs`	{check-circle} Yes	Integer	`1`, `2`, `3`, `11`, `12`, `18`
`gosec`	{check-circle} Yes	String	`HIGH`, `MEDIUM`, `LOW`
`bandit`	{check-circle} Yes	String	`HIGH`, `MEDIUM`, `LOW`
`phpcs-security-audit`	{check-circle} Yes	String	`ERROR`, `WARNING`
`pmd-apex`	{check-circle} Yes	Integer	`1`, `2`, `3`, `4`, `5`
`kubesec`	{check-circle} Yes	String	`CriticalSeverity`, `InfoSeverity`
`secrets`	{check-circle} Yes	Not applicable	Hardcodes all severity levels to `Critical`
`semgrep`	{check-circle} Yes	String	`error`, `warning`, `note`, `none`

Dependency Scanning

GitLab analyzer	Outputs severity levels?	Native severity level type	Native severity level example
`gemnasium`	{check-circle} Yes	CVSS v2.0 Rating and CVSS v3.1 Qualitative Severity Rating	`(AV:N/AC:L/Au:S/C:P/I:P/A:N)`, `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`

Container Scanning

GitLab analyzer	Outputs severity levels?	Native severity level type	Native severity level example
`container-scanning`	{check-circle} Yes	String	`Unknown`, `Low`, `Medium`, `High`, `Critical`

Fuzz Testing

All fuzz testing results are reported as Unknown. They should be reviewed and triaged manually to find exploitable faults to prioritize for fixing.

6.8 KiB Raw Blame History