Vulnerability risk assessment data
Use vulnerability risk data to help assess the potential impact to your environment.
-
Severity: Each vulnerability is assigned a standardized GitLab severity value.
-
For vulnerabilities in the Common Vulnerabilities and Exposures (CVE) catalog, the following data can be retrieved by using a GraphQL query:
- Likelihood of exploitation: Exploit Prediction Scoring System (EPSS) score.
- Existence of known exploits: Known Exploited Vulnerabilities (KEV) status.
Use this data to help prioritize remediation and mitigation actions. For example, a vulnerability with medium severity and a high EPSS score may require mitigation sooner than a vulnerability with a high severity and a low EPSS score.
EPSS
- Introduced in GitLab 17.4 with flags named
epss_querying
(in issue 470835) andepss_intgestion
(in issue 467672). Disabled by default. - Renamed to
cve_enrichment_querying
andcve_enrichment_ingestion
respectively and enabled on GitLab.com in GitLab 17.6.
The EPSS score provides an estimate of the likelihood a vulnerability in the CVE catalog will be exploited in the next 30 days. EPSS assigns each CVE a score between 0 to 1 (equivalent to 0% to 100%).
KEV
- Introduced in GitLab 17.7.
The KEV catalog lists vulnerabilities that are known to have been exploited. You should prioritize the remediation of vulnerabilities in the KEV catalog above other vulnerabilities. Attacks using these vulnerabilities have occurred and the exploitation method is likely known to attackers.
Query risk assessment data
Use the GraphQL API to query the severity, EPSS, and KEV values of vulnerabilities in a project.
The Vulnerability
type in the GraphQL API has a cveEnrichment
field, which is populated when the
identifiers
field contains a CVE identifier. The cveEnrichment
field contains the CVE ID, EPSS
score, and KEV status for the vulnerability. EPSS scores are rounded to the second decimal digit.
For example, the following GraphQL API query returns all vulnerabilities in a given project and
their CVE ID, EPSS score, and KEV status (isKnownExploit
). Run the query in the
GraphQL explorer or any other GraphQL
client.
{
project(fullPath: "<full/path/to/project>") {
vulnerabilities {
nodes {
severity
identifiers {
externalId
externalType
}
cveEnrichment {
epssScore
isKnownExploit
cve
}
}
}
}
}
Example output:
{
"data": {
"project": {
"vulnerabilities": {
"nodes": [
{
"severity": "CRITICAL",
"identifiers": [
{
"externalId": "CVE-2019-3859",
"externalType": "cve"
}
],
"cveEnrichment": {
"epssScore": 0.2,
"isKnownExploit": false,
"cve": "CVE-2019-3859"
}
},
{
"severity": "CRITICAL",
"identifiers": [
{
"externalId": "CVE-2016-8735",
"externalType": "cve"
}
],
"cveEnrichment": {
"epssScore": 0.94,
"isKnownExploit": true,
"cve": "CVE-2016-8735"
}
},
]
}
}
},
"correlationId": "..."
}
Vulnerability Prioritizer
Use the Vulnerability Prioritizer CI/CD component to help prioritize a project’s vulnerabilities (namely CVEs). The component outputs a prioritization report in the vulnerability-prioritizer
job’s output.
Vulnerabilities are listed in the following order:
- Vulnerabilities with known exploitation (KEV) are top priority.
- Higher EPSS scores (closer to 1) are prioritized.
- Severities are ordered from
Critical
toLow
.
Only vulnerabilities detected by dependency scanning and container scanning are included because the Vulnerability Prioritizer CI/CD component requires data only available in Common Vulnerabilities and Exposures (CVE) records. Moreover, only detected (Needs triage) and confirmed vulnerabilities are shown.
To add the Vulnerability Prioritizer CI/CD component to your project’s CI/CD pipeline, see the Vulnerability Prioritizer documentation.