How severity is calculated Severity definitions

Code issue severity in Amazon Q Developer code reviews

Amazon Q defines the severity of the code issues detected in your code so you can prioritize what issues to address and track the security posture of your application. The following sections explain what methods are used to determine the severity of code issues and what each level of severity means.

How severity is calculated

The severity of a code issue is determined by the detector that generated the issue. Detectors in the Amazon Q Detector Library are each assigned a severity using the Common Vulnerability Scoring System (CVSS). The CVSS considers how the finding can be exploited in its context (for example, can it be done over internet, or is physical access required) and what level of access can be obtained.

The following table outlines how severity is determined based on the level of access and level of effort required for a bad actor to successfully attack a system.

	Level of Effort
	Not exploitable	Requires access to system	Internet with high LoE	Over internet
Level of access
Full control of system or its output	N/A	High	Critical	Critical
Access to sensitive information	N/A	Medium	High	High
Can crash or slow down the system	Low	Low	Medium	Medium
Provides additional security	Info	Info	Low	Low
Best practice	Info	N/A	N/A	N/A

Severity definitions

The severity levels are defined as follows.

Critical – The code issue should be addressed immediately to avoid it escalating.

Critical code issues suggest that an attacker can gain control of the system or modify its behavior with moderate effort. It is recommended that you treat critical findings with the utmost urgency. You also should consider the criticality of the resource.

High – The code issue must be addressed as a near-term priority.

High severity code issues suggest that an attacker can gain control of the system or modify its behavior with high effort. It is recommended that you treat a high severity finding as a near-term priority and that you take immediate remediation steps. You also should consider the criticality of the resource.

Medium – The code issue should be addressed as a midterm priority.

Medium severity findings can lead to crash, unresponsiveness, or unavailability of the system. It is recommended that you investigate the implicated code at your earliest convenience. You also should consider the criticality of the resource.

Low – The code issue does not require action on its own.

Low severity findings suggest programming errors or anti-patterns. You do not need to take immediate action on low severity findings, but they can provide context when you correlate them with other issues.

Informational – No recommended action.

Informational findings include suggestions for quality or readability improvements, or alternative API operations. No immediate action is necessary.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Filtering code issues

Generating documentation (/doc)