CVSS & EPSS Scoring
CodeStax uses industry-standard scoring systems to help you prioritize vulnerabilities.
CVSS — Common Vulnerability Scoring System
CVSS v3.1 provides a standardized way to rate the severity of security vulnerabilities on a scale of 0 to 10.
Score Ranges
| Range | Severity | Action |
|---|---|---|
| 9.0 - 10.0 | Critical | Fix immediately |
| 7.0 - 8.9 | High | Fix within current sprint |
| 4.0 - 6.9 | Medium | Schedule for next sprint |
| 0.1 - 3.9 | Low | Fix when convenient |
CVSS Metrics
CodeStax calculates CVSS scores using the full v3.1 vector, including:
- Attack Vector — Network, Adjacent, Local, Physical
- Attack Complexity — Low, High
- Privileges Required — None, Low, High
- User Interaction — None, Required
- Scope — Unchanged, Changed
- Impact — Confidentiality, Integrity, Availability
EPSS — Exploit Prediction Scoring System
EPSS scores represent the probability that a vulnerability will be exploited in the wild within the next 30 days.
CodeStax fetches real-time EPSS data from FIRST.org to give you actionable exploit intelligence.
How to Use EPSS
| EPSS Score | Meaning | Priority |
|---|---|---|
| > 0.5 (50%) | Very likely to be exploited | Critical priority |
| 0.1 - 0.5 | Moderate exploitation probability | High priority |
| 0.01 - 0.1 | Low but notable risk | Normal priority |
| < 0.01 | Unlikely to be exploited soon | Lower priority |
CVSS vs EPSS
| Aspect | CVSS | EPSS |
|---|---|---|
| Measures | Severity of the vulnerability | Likelihood of exploitation |
| Scale | 0-10 | 0-1 (probability) |
| Data source | Vulnerability characteristics | Real-world threat intelligence |
| Updates | Static per vulnerability | Updated daily |
Pro Tip: Use both scores together. A Critical CVSS vulnerability with a low EPSS score may be less urgent than a High CVSS vulnerability with a high EPSS score. CVSS tells you how bad it is; EPSS tells you how likely it is to be exploited.
Risk Scoring in CodeStax
For SCA findings, CodeStax computes a composite Risk Score (0-100) that combines:
| Factor | Weight | Description |
|---|---|---|
| CVSS | 40% | Base severity of the vulnerability |
| Fix Available | 30% | Whether a patched version exists (higher score if no fix) |
| Severity | 30% | Weight assigned to the mapped severity level |
This risk score helps you prioritize which dependency vulnerabilities to fix first.
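The following added example (not CodeStax's own code) ties the Pro Tip above and the Risk Score table together: it assigns a composite 0-100 risk score from the three factors and then orders findings by EPSS priority band before severity, so that a High CVSS finding with a high EPSS outranks a Critical CVSS finding with a low EPSS. The factor weights are the ones in the table; how each factor is mapped onto 0-100, the tie-breaking order, the `Finding` type and the sample findings (placeholder identifiers, not real CVEs) are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str            # constructed placeholder id, not a real CVE
    cvss: float           # CVSS v3.1 base score, 0.0-10.0
    epss: float           # EPSS probability, 0.0-1.0
    fix_available: bool   # does a patched version of the dependency exist?


def cvss_band(score):
    """Severity bands from the CVSS table above (0.0 is 'None' in the CVSS spec)."""
    for floor, name in ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")):
        if score >= floor:
            return name
    return "None"


def epss_priority(probability):
    """Priority bands from the EPSS table above; lower bounds are treated as inclusive."""
    if probability > 0.5:
        return "Critical"
    if probability >= 0.1:
        return "High"
    if probability >= 0.01:
        return "Normal"
    return "Lower"


# Weights match the Risk Score table; the 0-100 mapping of each factor is an
# assumption made for this example, not CodeStax's implementation.
WEIGHTS = {"cvss": 0.40, "fix": 0.30, "severity": 0.30}
SEVERITY_POINTS = {"Critical": 100, "High": 75, "Medium": 50, "Low": 25, "None": 0}


def risk_score(f):
    """Composite 0-100 risk: CVSS scaled to 0-100, 100 points when no fix exists, severity points."""
    cvss_points = f.cvss * 10.0
    fix_points = 0.0 if f.fix_available else 100.0
    sev_points = SEVERITY_POINTS[cvss_band(f.cvss)]
    total = (WEIGHTS["cvss"] * cvss_points
             + WEIGHTS["fix"] * fix_points
             + WEIGHTS["severity"] * sev_points)
    return int(round(total))


_EPSS_RANK = {"Critical": 0, "High": 1, "Normal": 2, "Lower": 3}


def prioritize(findings):
    """Order findings: EPSS priority band first, then composite risk, then raw CVSS."""
    return sorted(findings,
                  key=lambda f: (_EPSS_RANK[epss_priority(f.epss)], -risk_score(f), -f.cvss))


# Constructed sample data.
SAMPLE = [
    Finding("FINDING-A", 9.8, 0.004, True),    # Critical CVSS, fix exists, EPSS under 1%
    Finding("FINDING-B", 7.6, 0.72, True),     # High CVSS but EPSS above 50%
    Finding("FINDING-C", 5.3, 0.15, False),    # Medium CVSS, no fix, notable EPSS
    Finding("FINDING-D", 9.1, 0.02, False),    # Critical CVSS, no fix, low EPSS
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.ident}: cvss={f.cvss} ({cvss_band(f.cvss)}) epss={f.epss:.3f} "
              f"({epss_priority(f.epss)}) risk={risk_score(f)}")
```

With this policy FINDING-B (High, EPSS 72%) comes out first and FINDING-A (Critical, EPSS 0.4%) last, even though A has the higher composite risk score; putting the EPSS band ahead of the composite score is a deliberate choice, and a team that wants "no fix available" to dominate would swap the key order instead.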