# Severity Mapping

Claircore will normalize a security database's severity string to a set of defined values.
Clients may use the `NormalizedSeverity` field on a `claircore.Vulnerability` to react to vulnerability severities without needing to know each security database's severity strings.
All strings used in the mapping tables are identical to the strings found within the relevant security database.

## Claircore Severity Strings
The following are the severity strings Claircore normalizes all others to.
Clients are guaranteed that one of these strings will be associated with a `claircore.Vulnerability`.

- Unknown
- Negligible
- Low
- Medium
- High
- Critical

<!-- Filter to fix the tables: column -o \| -s \| -t -->

## Alpine Mapping

The Alpine SecDB database does not provide severity information.
All vulnerability severities will be Unknown.

| Alpine Severity | Claircore Severity |
| - | - |
| * | Unknown |

## AWS Mapping

The AWS UpdateInfo database provides severity information.

| AWS Severity | Claircore Severity |
| - | - |
| low | Low |
| medium | Medium |
| important | High |
| critical | Critical |

## Debian Mapping

The Debian [security tracker] data provides severity information.

[security tracker]: https://security-tracker.debian.org/tracker/

| Debian Severity | Claircore Severity |
| - | - |
| unimportant | Low |
| low | Medium |
| medium | High |
| high | Critical |
| * | Unknown |

## Oracle Mapping

The Oracle OVAL database provides severity information.

| Oracle Severity | Claircore Severity |
| - | - |
| N/A | Unknown |
| LOW | Low |
| MODERATE | Medium |
| IMPORTANT | High |
| CRITICAL | Critical |

## RHEL Mapping

The RHEL OVAL database provides severity information.

| RHEL Severity | Claircore Severity |
| - | - |
| None | Unknown |
| Low | Low |
| Moderate | Medium |
| Important | High |
| Critical | Critical |

## SUSE Mapping

The SUSE OVAL database provides severity information.

| SUSE Severity | Claircore Severity |
| - | - |
| None | Unknown |
| Low | Low |
| Moderate | Medium |
| Important | High |
| Critical | Critical |

## Ubuntu Mapping

The Ubuntu OVAL database provides severity information.

| Ubuntu Severity | Claircore Severity |
| - | - |
| Untriaged | Unknown |
| Negligible | Negligible |
| Low | Low |
| Medium | Medium |
| High | High |
| Critical | Critical |

## Photon Mapping

The Photon OVAL database provides severity information.

| Photon Severity | Claircore Severity |
| - | - |
| Low | Low |
| Moderate | Medium |
| Important | High |
| Critical | Critical |

## OSV Mapping

OSV provides severity information via CVSS vectors, when applicable.
These are normalized according to the [NVD qualitative rating scale](https://nvd.nist.gov/vuln-metrics/cvss).
If both v3 and v2 vectors are present, v3 is preferred.

### CVSSv3

| Base Score | Claircore Severity |
| - | - |
| 0.0 | Negligible |
| 0.1-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-8.9 | High |
| 9.0-10.0 | Critical |

### CVSSv2

| Base Score | Claircore Severity |
| - | - |
| 0.0-3.9 | Low |
| 4.0-6.9 | Medium |
| 7.0-10.0 | High |
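
The Debian and OSV tables above, written out as an added Go example (not Claircore's own code): it shows why a policy gate should compare normalized values rather than upstream strings, since Debian's `low` normalizes to Medium and a CVSSv2 score can never normalize to Critical. The `Severity` type, `FromDebian`, `FromCVSS` and `bucket` are names local to this example, and returning Unknown when no CVSS score is available is an assumption.

```go
package main

import "fmt"

// Severity is a local stand-in for the six normalized strings on this page.
type Severity string

const (
	Unknown, Negligible, Low Severity = "Unknown", "Negligible", "Low"
	Medium, High, Critical   Severity = "Medium", "High", "Critical"
)

// debian is the Debian table; keys are the tracker's strings verbatim.
var debian = map[string]Severity{"unimportant": Low, "low": Medium, "medium": High, "high": Critical}

// FromDebian maps exactly; anything else hits the "*" row and is Unknown.
func FromDebian(s string) Severity {
	if sev, ok := debian[s]; ok {
		return sev
	}
	return Unknown
}

// bucket returns the first label whose upper bound is >= score.
func bucket(score float64, bounds []float64, labels []Severity) Severity {
	for i, b := range bounds {
		if score <= b {
			return labels[i]
		}
	}
	return Unknown // score above 10.0: treated as malformed (assumption)
}

// FromCVSS prefers v3; nil means absent. Unknown for neither is an assumption.
func FromCVSS(v3, v2 *float64) Severity {
	switch {
	case v3 != nil:
		return bucket(*v3, []float64{0, 3.9, 6.9, 8.9, 10}, []Severity{Negligible, Low, Medium, High, Critical})
	case v2 != nil:
		return bucket(*v2, []float64{3.9, 6.9, 10}, []Severity{Low, Medium, High})
	}
	return Unknown
}

func main() {
	v3, v2 := 9.8, 7.5 // constructed sample scores
	fmt.Println(FromDebian("low"), FromCVSS(&v3, &v2), FromCVSS(nil, &v2))
}
```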