unexpected severity if nvd and source don't have severity for vulnerability #6714
Comments
@knqyf263 wdyt?

It's intended now. NVD (and other vendors) frequently delays its analysis, while Red Hat usually assesses vulnerabilities quickly. As a result, we used to have many vulnerabilities with the "unknown" severity. That's why we use the severity from Red Hat in the worst case, even if the scanned image is not based on Red Hat. We may want to show warnings if we take the severity from different vendors. In addition, adding
Got it! Thanks.
Let's start with a log.

The key issue I see here is that the link to Aqua's vulnerability database does not match the severity. The database link must point to something that uses the same score source as the reported score/severity.

We try to collect all common information in https://avd.aquasec.com (I will check why the site doesn't contain the Red Hat severity).
Description
We use the severity field if vendor severity doesn't contain nvd, ghsa (for GHSA-xxxx-xxx vulns) or source severity: trivy/pkg/vulnerability/vulnerability.go, lines 112 to 134 in 696f2ae
But we fill the severity field with the first severity found, in the order of the following list:

This behavior can be confusing (take a look at #6676).
Perhaps we need to stop using the severity field in Trivy and perhaps deprecate this field.

Discussed in #6676
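The precedence described in the issue (nvd, then ghsa for GHSA IDs, then the scanned source's own vendor severity, with Red Hat used as a cross-vendor fallback as explained in the comments) can be made concrete with a small resolver that also records where the reported severity came from, which is what a warning log would need. This is an added example written for this page, not Trivy's `vulnerability.go`; the `Vulnerability` type, the vendor keys `"nvd"`, `"ghsa"`, `"redhat"` and the OS source names, and the exact order after the source entry are assumptions, since the page's own list is not shown.

```go
package main

import (
	"fmt"
	"strings"
)

// Vulnerability is a constructed stand-in for the two kinds of severity the issue
// talks about: the generic severity field and the per-vendor VendorSeverity map
// (keys such as "nvd", "ghsa", "alpine", "redhat"). It is not Trivy's own type.
type Vulnerability struct {
	ID             string
	Severity       string            // generic "severity" field, e.g. "HIGH"
	VendorSeverity map[string]string // per-vendor severities (assumed key names)
}

// Resolution records the chosen severity and where it came from, so a caller can
// log a warning when the value was borrowed from a vendor unrelated to the scan target.
type Resolution struct {
	Severity string // "CRITICAL", "HIGH", "MEDIUM", "LOW" or "UNKNOWN"
	Source   string // vendor key the value came from, "severity" for the generic field, "" if unknown
	Borrowed bool   // true when the value came from the Red Hat fallback for a non-Red Hat target
}

// isSet treats an empty or "UNKNOWN" severity as absent.
func isSet(sev string) bool {
	return sev != "" && strings.ToUpper(sev) != "UNKNOWN"
}

// ResolveSeverity applies the precedence the issue describes: nvd, then ghsa (only for
// GHSA-* IDs), then the scanned source's own vendor entry, then Red Hat as the
// cross-vendor fallback (assumed position), and finally the generic severity field.
func ResolveSeverity(v Vulnerability, source string) Resolution {
	order := []string{"nvd"}
	if strings.HasPrefix(v.ID, "GHSA-") {
		order = append(order, "ghsa")
	}
	if source != "" && source != "redhat" {
		order = append(order, source)
	}
	order = append(order, "redhat")

	for _, key := range order {
		if sev, ok := v.VendorSeverity[key]; ok && isSet(sev) {
			return Resolution{
				Severity: strings.ToUpper(sev),
				Source:   key,
				Borrowed: key == "redhat" && source != "redhat",
			}
		}
	}
	if isSet(v.Severity) {
		return Resolution{Severity: strings.ToUpper(v.Severity), Source: "severity"}
	}
	return Resolution{Severity: "UNKNOWN"}
}

// Warning returns the log line to emit for a borrowed severity, or "" when none is needed.
func Warning(id string, r Resolution, source string) string {
	if !r.Borrowed {
		return ""
	}
	from := "NVD"
	if source != "" {
		from = "NVD or " + source
	}
	return fmt.Sprintf("%s: severity %s borrowed from %s; no %s severity available", id, r.Severity, r.Source, from)
}

func main() {
	// Constructed sample records, not data from the issue.
	samples := []struct {
		v      Vulnerability
		source string
	}{
		{Vulnerability{ID: "CVE-0000-0001", VendorSeverity: map[string]string{"redhat": "HIGH"}}, "alpine"},
		{Vulnerability{ID: "GHSA-aaaa-bbbb-cccc", VendorSeverity: map[string]string{"ghsa": "MEDIUM"}}, ""},
		{Vulnerability{ID: "CVE-0000-0002", Severity: "LOW", VendorSeverity: map[string]string{"nvd": "CRITICAL", "redhat": "HIGH"}}, "debian"},
		{Vulnerability{ID: "CVE-0000-0003", Severity: "LOW"}, "ubuntu"},
	}
	for _, s := range samples {
		r := ResolveSeverity(s.v, s.source)
		fmt.Printf("%-22s -> %-8s from %q borrowed=%v\n", s.v.ID, r.Severity, r.Source, r.Borrowed)
		if w := Warning(s.v.ID, r, s.source); w != "" {
			fmt.Println("  WARN", w)
		}
	}
}
```

The `Borrowed` flag is the piece a warning (or a database link that matches the reported score source) needs: the first sample, an Alpine package with only a Red Hat rating, resolves to HIGH from `"redhat"` and is flagged, while a Red Hat target using its own entry is not.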