Since on the reports we catch vulnerabilities from CVSS v2 (High/ Medium/ Low), when the we catch it but with CVSS v3 we are not supossed to have the addicional Level “Critical”, for 9 to 10??
For both, I just see the hight level or severity is High. Why Critical does not appear also?
Yes, CVSS V3 inclues a “Critical” severity classification which is as you mentioned - from 9.0 to 10, however, this has not been implemented yet in GSA. At a quick glance, it looks like this file severity.jsx is where the conversion from severity score to classification happens before it is displayed. I will hopefully have time in the near future to correct this but if you beat me to it, feel free to submit a pull request with the modification. 