Severity
The paper To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild by Wickert et al. provides a rough categorization of the vulnerabilities that CogniCrypt is able to detect into three severities. We used this categorization as a basis to map specific sections of CrySL rules directly to the five severity levels used by SonarQube: Info, Low, Medium, High, and Blocker. However, because mapping individual constraints, operations, and requirements to the vulnerability categories proved more difficult than expected, this mapping is incomplete in some places. Where no mapping exists for a finding, its severity defaults to Medium.
In SonarQube, the impact of an issue is graded in three aspects, also referred to as software qualities: Security, Reliability, and Maintainability. A separate severity can be set for each quality. Because CogniCrypt is a security-specific analysis tool, we report our severity score as the impact on the software quality Security.