CVSS 4.0 support
## TL;DR
Add CVSS 4.0 scoring support across GitLab's vulnerability management pipeline, from advisory ingestion through to display in the vulnerability report and detail page, using V4 \> V3 \> V2 precedence.
## Overview
CVSS 4.0 was released on November 1, 2023. GitLab currently only ingests and displays CVSS v2 and v3.x scores. While the upstream advisory data sources (GLAD, PMDB) already contain v4 vectors, the GitLab instance does not yet ingest them into the advisory database or propagate them to vulnerability findings.
> The following MR has been kindly created by an external contributor and should serve as a starting point for this work: https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197826+
## Business Value
- This is a required KTLO/maintenance item to ensure GitLab continues to provide basic parity with all security vendors. Without CVSS 4.0 support, GitLab's vulnerability data falls behind the industry standard.
- Customers have reported vulnerabilities displaying incorrect severity because GitLab ignores v4.0 data.
## Success Criteria
- [ ] Vulnerabilities with CVSS 4.0 vectors display the correct severity (no more "Unknown" for v4-only CVEs) in both the vulnerability report severity column and the vulnerability detail page
- [ ] CVSS version and score are visible in both the vulnerability report severity column and the vulnerability detail page
- [ ] All available CVSS versions (v2, v3.x, v4.0) are accessible via the `+N more` expandable link in the vulnerability report list.
- [ ] There is a v4 \> v3 \> v2 precedence
- [ ] No breaking changes: existing vulnerabilities with only v2/v3 scores continue to display correctly
- [ ] ~~Risk factors on the vulnerability detail page are visually grouped per the approved design direction~~ -- will be part of implementation of the broader vulnerability detail page redesign (https://gitlab.com/gitlab-org/gitlab/-/work_items/592824+)
## Scope
### In scope
###### _Backend_
_(land existing work from !197826): The external contributor MR contains a complete backend implementation that is \~90% ready. The remaining work is: fix a failing test, update the stale migration timestamp, rebase, code review, and merge. This covers:_
- [ ] DB migration: `cvss_v4` text column on `pm_advisories`
- [ ] Advisory model: attribute `:cvss_v4` + validation for v4 vectors
- [ ] AdvisoryIngestionTask: pass `cvss_v4` during persistence (currently silently dropped)
- [ ] VulnerabilityScanning::Advisory: carry `cvss_v4` through to finding builder
- [ ] FindingBuilder: include v4 in cvss_vectors_with_vendor (V4 \> V3 \> V2) and use it for severity
- [ ] JSON schema + validator updates
- [ ] Checkpoint-removal migration (forces re-ingestion of advisory data with v4 vectors on upgrade)
#### _Frontend_
- [ ] Vulnerability report: there is a version precedence logic - V4 \> V3 \> V2
- [ ] Vulnerability report: show primary CVSS version, "+N more" overflow for additional versions - (https://gitlab.com/groups/gitlab-org/-/work_items/20299#2-show-more-risk-factors-by-default)
- [ ] Vulnerability report: updated severity column design with reordered risk factors and expandable section - (https://gitlab.com/groups/gitlab-org/-/work_items/20299#2-show-more-risk-factors-by-default)
- [ ] Vulnerability detail page: existing CVSS section respects V4 \> V3 \> V2 precedence
- [ ] JSON schema validation for CVSS 4.0 vector strings
### Out of scope
- [ ] User preference selector for CVSS version: Deprioritized ("death-by-configuration-toggle")
- [ ] Risk score calculation / combined risk scoring: Tracked separately in #551239
- [ ] Full vulnerability detail page redesign (right-column layout, Design Proposal #3): Larger initiative, to be done iteratively
- [ ] Filter by CVSS version (Design Proposal #1): Deferred; includes EPSS/KEV filters which expand scope
- [ ] PMDB v3 data format: Deprioritized in favor of checkpoint-removal migration
- [ ] Backporting to older GitLab versions: Vulnerabilities update naturally on next scan
- [ ] Vulnerability detail page (single report): CVSS - show all available versions (will be implemented as part of https://gitlab.com/gitlab-org/gitlab/-/work_items/592824+
- [ ] Vulnerability detail page: Risk-factors visual container (deferred; no design was created - resource: [#18697 comment](https://gitlab.com/groups/gitlab-org/-/work_items/18697/#note_2949379664))
## Timeline & Milestones
#### Key milestones
- [x] Phase 1: Backend: Merge already existing work (!197826) and checkpoint-removal migration merged
- [x] Phase 2: Frontend: CVSS precedence logic and vulnerability report updated
- [ ] _~~Phase 3: Frontend: Vulnerability detail page updated with all versions and risk-factors container -~~ - See:_
- [ ] Phase 3: Update documentation
## Dependencies & Blockers
| Type | Description | Status |
|------|-------------|--------|
| | GLAD advisories contain v4 vectors ([#557724](https://gitlab.com/gitlab-org/gitlab/-/issues/557724)) | |
| | PMDB ingests v4 vectors ([#579333](https://gitlab.com/gitlab-org/gitlab/-/issues/579333)) | ~"workflow::complete" |
| | Security Report Schemas support v4 ([#555401](https://gitlab.com/gitlab-org/gitlab/-/issues/555401)) | ~"workflow::complete" |
| | Backend: GitLab instance does not yet ingest `cvss_v4` from advisories into findings | |
| | Investigate: CVSS empty array bug on vulnerability detail page (reported by @svedova, Jul 2025) | |
## Deliverables
All deliverables should be listed directly under this section. Use milestones and labels (e.g. \~"Phase 1", \~"Phase 2") to group work and track progress clearly across the epic.
<table>
<tr>
<th>Title</th>
<th>State</th>
<th>Milestone</th>
<th>Assignee</th>
</tr>
<tr>
<td>
_Phase 1:_
https://gitlab.com/groups/gitlab-org/-/work_items/21184+
* [x] https://gitlab.com/gitlab-org/gitlab/-/issues/592007+
* [x] https://gitlab.com/gitlab-org/gitlab/-/work_items/592010+
</td>
<td>
~"workflow::complete"
</td>
<td>
%"18.10" and %"18.11"
</td>
<td>
@charlieeekroon
</td>
</tr>
<tr>
<td>
_Phase 2:_
* [x] https://gitlab.com/gitlab-org/gitlab/-/issues/592011+
</td>
<td>
~"workflow::verification"
</td>
<td>
%"18.11"
</td>
<td>
@charlieeekroon
</td>
</tr>
<tr>
<td>
_~~Phase 3:~~_
~~Frontend: Vulnerability detail page updated with all versions and risk-factors container~~
* [ ] ~~https://gitlab.com/gitlab-org/gitlab/-/work_items/592012+~~
* [ ] ~~https://gitlab.com/gitlab-org/gitlab/-/work_items/592013+~~
</td>
<td>
Out of scope for this epic. Will be part of broader vulnerability detail page redesign - https://gitlab.com/gitlab-org/gitlab/-/work_items/592824
</td>
<td></td>
<td></td>
</tr>
<tr>
<td>
_Phase 4:_
Update documentation
* [ ] https://gitlab.com/gitlab-org/gitlab/-/issues/592014+
</td>
<td>
~"workflow::ready for development"
</td>
<td>
%"18.11"
</td>
<td></td>
</tr>
</table>
## Decision Log
Track key decisions to avoid rehashing discussions
| Date | Decision | Rationale | Owner |
|------|----------|-----------|-------|
| 28-7-2025 | No backpropagation of v4 to existing vulns | Vulns update naturally on the next scan | |
| 11-12-2025 | Version precedence: V4 \> V3 \> V2 | Support broader adoption of v4; v3/v2 as fallbacks | |
| 11-12-2025 | Expose all CVSS versions, not just primary | | |
| 11-12-2025 | User preference selector out of scope | Avoid configuration bloat | |
| 11-12-2025 | Use checkpoint-removal migration instead of PMDB v3 | Simpler path; forces re-ingestion on upgrade | |
| 9-12-2025 | Full detail page redesign out of scope | Separate and bigger project - resource: https://gitlab.com/groups/gitlab-org/-/epics/18697#note_2942888397+ | @mclausen35 |
| 11-12-2025 | Lightweight risk-factors container in scope | Small cosmetic win toward vision design - resource: https://gitlab.com/groups/gitlab-org/-/work_items/18697#note_2957613924 | @mclausen35 |
| 01-04-2026 | Vulnerability detail page redesign and risk-factors container deferred to https://gitlab.com/gitlab-org/gitlab/-/work_items/592824+ | Design Proposal 3 from [&20299](https://gitlab.com/groups/gitlab-org/-/work_items/20299) moved to broader redesign initiative; no standalone design was created for this epic | @beckalippert |
## Resources
- Design: See https://gitlab.com/groups/gitlab-org/-/epics/20299+
* Follow up design on vulnerability detail page: https://gitlab.com/gitlab-org/gitlab/-/work_items/592824+
- External contributor MR: [!197826 - Add support for CVSS 4.0](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/197826)
- Documentation: \[link\]
Leverage external contributor MR as a starting point: MR gitlab!197826
# Release Post
Gitlab now supports CVSS version 4.0. A CVSS score reflects a numerical score between 1-10 which reflects a vulnerability severity and is based on the vulnerabilities specific characteristics.This version update provides increased granularity for base metrics, a new supplemental metric group, and a different methodology for determining severity and more. GitLab vulnerability severities will reflect this new scoring model. CVSS scores are available in the severity column of the vulnerability report.
epic