Severity Levels

Vulnerability Severity Level

Checkmarx SCA assigns a severity level to each vulnerability. The severity level represents the degree of risk posed by the vulnerability.

  • HIGH (RED)


  • LOW (GREY)

The severity level is based primarily on the CVSS score of the vulnerability in the National Vulnerability Database (NVD). If a vulnerability has a CVSS v3.1 score in NVD, that score is used; if it has only a CVSS 2.0 score in NVD, then that score is used. The vast majority of vulnerabilities have CVSS 3.1 scores, and all unique Cx vulnerabilities are ranked using the CVSS 3.1 system.

The risk level assigned to a package is equal to the severity level of the highest-severity vulnerability in the package.
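
The score-selection and package roll-up rules above, as an added sketch that is not Checkmarx code. The score cut-offs, the MEDIUM level, the `Vuln` record and the sample identifiers are assumptions made for illustration; the page does not state how scores map to levels.

```python
from dataclasses import dataclass
from typing import Optional

# ASSUMED cut-offs (lower bound, level), highest first. Not taken from the page.
ASSUMED_BANDS = [(7.0, "HIGH"), (4.0, "MEDIUM"), (0.0, "LOW")]

@dataclass
class Vuln:                      # hypothetical record of NVD scores for one finding
    vuln_id: str
    cvss_v31: Optional[float] = None
    cvss_v2: Optional[float] = None

def effective_score(v: Vuln):
    """Return (score, version): the v3.1 score if present, else the v2.0 score."""
    if v.cvss_v31 is not None:
        return v.cvss_v31, "3.1"
    if v.cvss_v2 is not None:
        return v.cvss_v2, "2.0"
    return None                  # no NVD score at all

def severity(v: Vuln, bands=ASSUMED_BANDS) -> Optional[str]:
    picked = effective_score(v)
    if picked is None:
        return None              # the page defines no level for unscored entries
    score = picked[0]
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"{v.vuln_id}: CVSS score {score} out of range")
    for floor, level in bands:
        if score >= floor:
            return level
    return None

def package_risk(vulns, bands=ASSUMED_BANDS) -> Optional[str]:
    """Package risk = level of the highest-severity vulnerability in the package."""
    rank = {level: floor for floor, level in bands}
    levels = [s for s in (severity(v, bands) for v in vulns) if s is not None]
    return max(levels, key=rank.__getitem__) if levels else None

# Constructed sample data. EX-0001 has both scores: v3.1 wins even though
# its v2.0 score is higher, so it lands in MEDIUM rather than HIGH.
SAMPLE = [
    Vuln("EX-0001", cvss_v31=5.3, cvss_v2=7.5),
    Vuln("EX-0002", cvss_v2=7.5),      # only a v2.0 score, so v2.0 is used
    Vuln("EX-0003"),                   # unscored, ignored in the roll-up
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(v.vuln_id, effective_score(v), severity(v))
    print("package risk:", package_risk(SAMPLE))
```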