Snyk created the Priority Score to make prioritizing issues as quick and easy as possible, so that the highest-risk issues receive the highest score.
Snyk's security team found a significant correlation between vulnerabilities that trend on social media and exploits or proofs of concept found in the wild, which is why social trends are one of the inputs to the score. Priority Scores are calculated and shown for all issues, vulnerabilities and licenses alike, and range from 0 to 1,000 (0 is considered low risk and 1,000 is considered critical). This scale gives a high degree of granularity that reflects the many factors taken into account, and it avoids having too many issues end up with the same score, so users can determine priority at a glance with a high degree of accuracy.
For each issue, Snyk processes and weighs several factors in a proprietary algorithm to produce the score for that issue.
Currently, these factors include:
- Base severity: Snyk's severity level and the CVSS score for the issue.
- Exploit Maturity: determined by Snyk's security team, using manual and automated methods, to track which vulnerabilities are exploitable and to what extent (for example, whether only a proof of concept or a mature exploit exists).
- Reachability: by analysing the code paths called within a project, Snyk identifies which vulnerabilities are reachable from the project's own code.
- Fixability (availability of a fix): without a safer version to upgrade to or a Snyk patch to apply, developers must either fix the code themselves or switch to an alternative package, so vulnerabilities that have a fix are given higher priority.
- Time: newly published vulnerabilities are likely to carry increased risk, so recency increases the score.
- Social Trends: Snyk monitors mentions of known vulnerabilities on Twitter and calculates the trend in tweets and reactions.
Scores are shown on each issue in the Projects view, where issues are sorted by Priority Score so that the most pressing issues appear first.
Issues can be filtered using the filter panel on the left.
The Issues tab in Reports includes the Priority Score as its own sortable column. By default the table is sorted by score, showing the most pressing issues first.
Issues can also be filtered by score.
Several issue-related API calls include the score in their responses and support filtering by score.
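The following script is an added example, not Snyk's own code, showing how a team might consume scored issues from the API: it builds a request body that asks the API to filter by score range, parses a response, sorts the surviving issues by Priority Score, and separates the ones a CI gate can act on (high score and a fix available, per the Fixability factor above) from the ones that can only be reported. The response is a constructed sample, and the field names (`priorityScore`, `issueData.severity`, `issueData.exploitMaturity`, `fixInfo.isUpgradable` / `isPatchable`, `priority.factors`, and the `filters.priority.score.{min,max}` request shape) are assumed to follow the Snyk v1 aggregated-issues API; verify them against the API reference before relying on them.

```python
"""Triage Snyk issues by Priority Score.

Added example for this page; it is not Snyk's own code. The field names
below (priorityScore, issueData.severity, issueData.exploitMaturity,
fixInfo.isUpgradable/isPatchable, priority.factors) and the
filters.priority.score request shape are ASSUMED to follow the Snyk v1
aggregated-issues API; check them against the API reference.
"""
import json

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample response (not real findings); ids and scores are illustrative.
SAMPLE_RESPONSE = json.dumps({
    "issues": [
        {"id": "EXAMPLE-A", "pkgName": "libalpha", "priorityScore": 812,
         "issueData": {"severity": "high", "exploitMaturity": "mature"},
         "fixInfo": {"isUpgradable": True, "isPatchable": False},
         "priority": {"score": 812, "factors": [
             {"name": "exploitMaturity", "description": "Mature exploit"},
             {"name": "isFixable", "description": "Has a fix available"}]}},
        {"id": "EXAMPLE-B", "pkgName": "libbeta", "priorityScore": 905,
         "issueData": {"severity": "critical", "exploitMaturity": "proof-of-concept"},
         "fixInfo": {"isUpgradable": False, "isPatchable": False},
         "priority": {"score": 905, "factors": [
             {"name": "exploitMaturity", "description": "Proof of concept exploit"}]}},
        {"id": "EXAMPLE-C", "pkgName": "libgamma", "priorityScore": 420,
         "issueData": {"severity": "medium", "exploitMaturity": "no-known-exploit"},
         "fixInfo": {"isUpgradable": False, "isPatchable": True},
         "priority": {"score": 420, "factors": [
             {"name": "isFixable", "description": "Has a fix available"}]}},
        {"id": "EXAMPLE-D", "pkgName": "libdelta", "priorityScore": 700,
         "issueData": {"severity": "high", "exploitMaturity": "no-known-exploit"},
         "fixInfo": {"isUpgradable": True, "isPatchable": False},
         "priority": {"score": 700, "factors": [
             {"name": "isFixable", "description": "Has a fix available"}]}},
    ]
})


def build_filter_body(min_score, max_score=1000):
    """Request body asking the API to return only issues within a score range.

    Server-side filtering avoids pulling low-scoring issues just to discard them.
    """
    if not 0 <= min_score <= max_score <= 1000:
        raise ValueError("score bounds must satisfy 0 <= min <= max <= 1000")
    return {"filters": {"priority": {"score": {"min": min_score, "max": max_score}}}}


def load_issues(raw_json):
    """Parse a response body and return its list of issues."""
    return json.loads(raw_json).get("issues", [])


def score_of(issue):
    """Priority Score (0-1000); falls back to priority.score if the top-level key is absent."""
    return issue.get("priorityScore", issue.get("priority", {}).get("score", 0))


def is_fixable(issue):
    """True when an upgrade or a Snyk patch exists (the Fixability factor)."""
    fix = issue.get("fixInfo", {})
    return bool(fix.get("isUpgradable") or fix.get("isPatchable"))


def triage(issues, min_score=700):
    """Issues at or above min_score, highest score first; ties broken by severity."""
    selected = [i for i in issues if score_of(i) >= min_score]
    return sorted(
        selected,
        key=lambda i: (score_of(i), SEVERITY_RANK.get(i["issueData"]["severity"], 0)),
        reverse=True,
    )


def blocking(issues, min_score=700):
    """Subset of triage() a CI gate can act on: high score AND a fix exists.

    Unfixable high-scoring issues are still returned by triage() so they get
    reported, but failing a build on them offers no remediation path.
    """
    return [i for i in triage(issues, min_score) if is_fixable(i)]


def summarize(issue):
    """One-line triage summary naming the factors that drove the score."""
    factors = ", ".join(f["name"] for f in issue.get("priority", {}).get("factors", []))
    return (f'{issue["id"]} {issue["pkgName"]} score={score_of(issue)} '
            f'severity={issue["issueData"]["severity"]} '
            f'exploit={issue["issueData"].get("exploitMaturity", "unknown")} '
            f'fixable={is_fixable(issue)} factors=[{factors}]')


if __name__ == "__main__":
    issues = load_issues(SAMPLE_RESPONSE)
    print("API filter body:", json.dumps(build_filter_body(700)))
    for issue in triage(issues, 700):
        print(summarize(issue))
    print("blocking:", [i["id"] for i in blocking(issues, 700)])
```

With a threshold of 700 the sample yields EXAMPLE-B, EXAMPLE-A and EXAMPLE-D in that order; only A and D are returned by `blocking()`, because B has no upgrade or patch. The threshold is a policy choice, not something the page prescribes; pick it from your own risk appetite and keep the unfixable high-scoring issues visible in reports even when they do not fail a build.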
Read more about the relevant API calls: