Severity Levels
Deptic uses the Common Vulnerability Scoring System (CVSS) to assign severity levels to detected vulnerabilities. When multiple CVSS versions are available (e.g., v2.0, v3.1, v4.0), Deptic always prefers the highest available version for calculation.
Classification mapping:
| Severity | Base Score | Description & Expected Action |
|---|---|---|
| CRITICAL | 9.0 - 10.0 | Typically exploitable over the network without authentication and with complete loss of confidentiality, integrity or availability (unauthenticated remote code execution is the classic case). Immediate action required. Recommended to block CI/CD pipelines. |
| HIGH | 7.0 - 8.9 | Significant vulnerability, often requiring elevated privileges, user interaction or other non-trivial conditions to exploit. Should be patched within 72 hours. |
| MEDIUM | 4.0 - 6.9 | Moderate risk, usually requiring local access or a specific configuration to exploit. Add to the backlog for the next sprint. |
| LOW | 0.1 - 3.9 | Limited impact or impractical to exploit in most environments. Monitor and update when convenient. |
| UNKNOWN | N/A | The vulnerability database has published a CVE ID but has not yet assigned a CVSS score. Treat as unscored rather than as low risk; the severity will change once a score is published. |

The score bands follow the CVSS v3.x and v4.0 qualitative severity rating scale, and a score is banded by its numeric value alone, whichever CVSS version produced it.
How scores are derived:
Under CVSS v3.x the Base Score is calculated from three groups of metrics:
- Exploitability: Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI)
- Impact: Confidentiality (C), Integrity (I), Availability (A), the CIA triad
- Scope (S): whether exploiting the vulnerable component can affect resources managed by a different security authority; a Scope of Changed raises the score

CVSS v4.0 restructures these groups: the Scope metric is removed, impact is rated separately for the Vulnerable System and any Subsequent System, and an Attack Requirements (AT) metric is added to the exploitability group, so a v4.0 vector is not directly comparable metric-for-metric with a v3.x one even though both land in the same severity bands.

