Skip to main content

SCA Risk Severity Levels

Severity Level for Risks

Checkmarx SCA assigns a severity level to each risk. The severity level represents the degree of threat posed by this risk. Possible values for severity level are:

  • HIGH


  • LOW


There are other factors that contribute to the urgency of remediating a vulnerability that are not reflected in the severity score, such as the degree of exploitability. You should consider all relevant factors when triaging results, see Remediating SCA Risks.

Severity Level by Risk Category

For Vulnerabilities, the severity level is determined primarily based on the CVSS score of the vulnerability in the National Vulnerability Database (NVD). If a vulnerability has a CVSS v3.1 score in NVD, that score is used; if it only has a CVSS 2.0 score in NVD, then that score is used. The vast majority of vulnerabilities have CVSS 3.1 scores, and all unique Cx vulnerabilities are ranked using the CVSS 3.1 system. Checkmarx SCA maps out the CVSS scores to Severity Levels as follows:

  • HIGH - 7.0-10.0

  • MEDIUM - 4.0-6.9

  • LOW - 0.0-3.9


Although NVD has a separate category, CRITICAL, for vulnerabilities with severity 9.0 - 10.0, Checkmarx SCA currently includes these in the HIGH category.

For Supply Chain, the severity level is derived from the risk score (which is designated by Checkmarx based on the assessment of our AppSec research team) using the same scale as for Vulnerabilities.

For Legal Risks, the severity level is derived from the Copyright Risk Score, with HIGH for level 6-10, MEDIUM for 4-5, and LOW for 1-3.

Package Risk Level

Checkmarx SCA assigns an overall Risk Level to each package. The risk level of a package is equal to the severity level of the highest severity risk existing in the package.