Xray collects scores and severities from two sources:
NVD: The National Vulnerability Database (NVD) which contains known vulnerabilities each with their CVSS score.
Security Advisory: Some open source operating systems have their own security trackers with further analysis of the vulnerability inside the operating system package.
Xray sends one severity field that is set according to the NVD or according to the OS Packages Security Advisories. The OS Packages Security Advisories may also provide their own severity and CVSS score of a vulnerability when identified in their OS-level packages, as described in Determining the Issue Severity Level for Operating Systems Packages.
This severity is now determined by the CVSS v3.0 score that is obtained from the NVD or from the Security Advisory Board. Xray will continue to support CVSS v2.0 score on top of CVSS v3.0 score. If the CVSS v3.0 score is not available, Xray will use the CVSS v2.0 score instead.
Score Range and Severity Levels
The scoring range is from 0-10, and the following are the vulnerabilities severity levels:
CVSS v2.0 Ratings | CVSS v3.0 Ratings | ||
|---|---|---|---|
Severity | Base Score Range | Severity | Base Score Range |
None | 0.0 | ||
Low | 0.0-3.9 | Low | 0.1-3.9 |
Medium | 4.0-6.9 | Medium | 4.0-6.9 |
High | 7.0-10.0 | High | 7.0-8.9 |
Critical | 9.0-10.0 | ||
You can set security rules according to the CVSS v3.0 score and severity to trigger violations, as described in Creating Xray Policies and Rules.