
Checkmarx One Rating System for Severity and Risk Level

Checkmarx One assigns a Severity level for each vulnerability discovered by the Checkmarx One scanners:

  • SAST for static code analysis

  • API Security for static API Security analysis

  • SCA for open source package analysis

  • IaC Security for static code analysis of Infrastructure as Code.

The severity level helps prioritize the mitigation of the various threats that are discovered in the code. Checkmarx One assigns an initial severity level to each vulnerability, based on its expertise in assessing potential threats.

Users can manually adjust the severity level of specific vulnerabilities as they see fit; see Managing (Triaging) Vulnerabilities.

In addition, Checkmarx One assigns an overall Risk level to each Project and Application based on the number of vulnerabilities discovered in the code and their severity.

The risk level indicates the overall risk of the software being compromised by malicious attacks. It also gives a good indication of how well AppSec methodology is applied in the code development life cycle.

Severity Level

The following is a description of the possible severity levels in Checkmarx One:

  • High – A vulnerability that constitutes a very serious weakness and is an easy target for an attacker. This includes vulnerabilities that enable attackers to access sensitive data, bypass access controls, execute nefarious commands on the host server, etc.

    The following are several examples of High severity vulnerabilities that are covered by the SAST scanner: XSS, SQL Injection, Deserialization Vulnerability, and Second Order Command Injection.

    The vulnerable code sequence should be modified immediately to prevent potential attacks.

  • Medium – A vulnerability that constitutes a significant weakness which can be exploited by a skilled attacker. This includes vulnerabilities that enable attackers to modify application data, access restricted directories, redirect users to an untrusted site, access sensitive data, etc.

    The following are several examples of Medium severity vulnerabilities that are covered by the SAST scanner: Parameter Tampering, Path Traversal, and Log Forging.

    The vulnerable code sequence should be modified once all High severity vulnerabilities have been remediated.

  • Low – A vulnerability that indicates a lack of adequate security measures. The inadequacy of the security measures that are in place could possibly be exploited by a sophisticated attacker. This includes vulnerabilities that enable attackers to decrypt secure transmissions, compromise user accounts, execute brute-force attacks, etc.

    The following are several examples of Low severity vulnerabilities that are covered by the SAST scanner: Weak Crypto, Insecure Cookie, and Login Without Audit.

    To fully protect sensitive apps, it is recommended that you remediate these vulnerabilities after attending to all vulnerabilities categorized with a higher severity level.

  • Info (SAST scanner only) – A vulnerability that indicates a lack of compliance with security best practices. The inadequacy of the security measures that are in place could possibly be exploited by a sophisticated attacker. This includes vulnerabilities that enable attackers to upload content to a website, access sensitive information, “clickjack” a website, etc.

    The following are some examples of Info level vulnerabilities that are covered by the SAST scanner: X-XSS-Protection, Application Entry Point, and Debug Mode Enabled.

    To achieve the highest level of application security for critical apps, you may want to remediate these vulnerabilities after attending to all vulnerabilities of greater severity.


Relationship Between Severity Level and CVSS Score

For vulnerabilities identified by the SCA scanner, Checkmarx One shows the NVD CVSS score, and the severity level is assigned according to the NVD mapping of CVSS score to severity level (except that we do not differentiate between High and Critical risks). For more info about SCA severity levels, see SCA Risk Severity Levels.

For vulnerabilities identified by the SAST, IaC Security and API Security scanners, Checkmarx One does not show an NVD CVSS score, and the severity level is not directly related to the NVD designation; rather, it is assigned by the Checkmarx One AppSec research team. The reason for this is that these scanners are static analysis tools for identifying weaknesses in code that cause vulnerabilities, while CVSS is a dynamic scoring system for known and tested vulnerabilities. Therefore, SAST takes into consideration the context and scope of the source code, as well as a range of dynamic factors, when determining the severity level for each vulnerability.

Risk Level

The following is a description of the possible Risk levels in Checkmarx One:

  • High – The project contains one or more severe vulnerabilities that expose the code to imminent threat of being compromised by malicious attacks.

  • Medium – The project contains one or more moderately severe vulnerabilities that expose the code to possible threat of being compromised by malicious attacks.

  • Low – The project contains one or more security weaknesses that could possibly be exploited to compromise the code security.
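As an added worked example (not Checkmarx code), the following Python sketches both relationships described above: the NVD CVSS bands that decide an SCA finding's severity (with Critical folded into High, as the page states), and one way the per-finding severities can roll up into a project Risk level. The roll-up rule (project risk = highest High/Medium/Low severity present, with Info findings not raising the risk), the `Finding` class, and all sample findings are assumptions for illustration; this page does not spell out Checkmarx One's actual aggregation beyond the descriptions above.

```python
"""Added example (not Checkmarx code): map an SCA finding's CVSS score to a
Checkmarx One severity level, then roll per-finding severities up into a
project Risk level.

From the page: SCA severity follows the NVD mapping of CVSS score to
severity, with Critical and High not distinguished; SAST, IaC Security and
API Security severities are assigned by Checkmarx research, not derived
from CVSS. Assumptions: the roll-up rule (project risk = highest
High/Medium/Low severity present; Info does not raise risk) and all
sample data below.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# NVD CVSS v3.x qualitative severity bands (inclusive score ranges).
NVD_BANDS: List[Tuple[float, float, str]] = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]

# Ordering used for the project roll-up; Info is the page's SAST-only level.
SEVERITY_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


def nvd_rating(score: float) -> str:
    """NVD qualitative rating for a CVSS base score (scores carry one decimal)."""
    score = round(float(score), 1)
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for low, high, label in NVD_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: the bands cover 0.0 to 10.0")


def sca_severity(score: float) -> str:
    """Checkmarx One severity for an SCA finding: the NVD rating, with
    Critical folded into High because the two are not differentiated."""
    rating = nvd_rating(score)
    return "High" if rating == "Critical" else rating


@dataclass(frozen=True)
class Finding:
    scanner: str   # "SAST", "SCA", "IaC Security" or "API Security"
    name: str      # query or package name (constructed sample values below)
    severity: str  # Checkmarx One severity label


def sca_findings(packages: Iterable[Tuple[str, float]]) -> List[Finding]:
    """Turn (package, CVSS score) pairs into findings with derived severity."""
    return [Finding("SCA", pkg, sca_severity(score)) for pkg, score in packages]


def project_risk(findings: Iterable[Finding]) -> str:
    """Roll-up rule (assumption, consistent with the page's Risk level text):
    the project risk is the highest High/Medium/Low severity present.
    Info findings do not raise the risk; a project with no rated findings
    gets "None" (the page does not define this case)."""
    top = 0
    for f in findings:
        if f.severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity label: {f.severity}")
        top = max(top, SEVERITY_RANK[f.severity])
    if top == 0:
        return "None"
    return next(label for label, rank in SEVERITY_RANK.items() if rank == top)


# Constructed sample results (not real scan output).
SAMPLE_SAST = [
    Finding("SAST", "SQL Injection", "High"),
    Finding("SAST", "Log Forging", "Medium"),
    Finding("SAST", "Debug Mode Enabled", "Info"),
]
SAMPLE_SCA_SCORES = [("package-a", 9.8), ("package-b", 5.3), ("package-c", 2.4)]


def sample_risk() -> str:
    """Risk level of the constructed sample project (SAST + SCA findings)."""
    return project_risk(SAMPLE_SAST + sca_findings(SAMPLE_SCA_SCORES))


if __name__ == "__main__":
    for f in sca_findings(SAMPLE_SCA_SCORES):
        print(f"{f.name}: {f.severity}")
    print("project risk:", sample_risk())
```

Running the block prints the derived SCA severities (package-a becomes High because its 9.8 score is Critical in NVD terms) and a project risk of High, driven by the SQL Injection finding; dropping the High findings from the sample leaves the project at Medium, and a project containing only Info findings does not receive a rated risk under the assumed rule.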