refactor: add warning if severity not from vendor (or NVD or GH) is used #6726
Conversation
pkg/vulnerability/vulnerability.go
Outdated
@@ -130,6 +130,7 @@ func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, so | |||
return dbTypes.SeverityUnknown.String(), "" | |||
} | |||
|
|||
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("CVE", vulnID)) |
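Review bot: the attribute key in `log.String("CVE", vulnID)` labels every identifier as a CVE, but `getVendorSeverity` is called with IDs from other sources as well (the thread notes it is "not necessarily CVE-ID"), so the key should be neutral, for example `log.String("vulnerability-id", vulnID)`. On the same line, the message says "Vendor" without naming which source was checked, so a reader cannot tell whether the distribution of the scanned image or some other source lacked a rating; the source ID actually consulted belongs in the message or in a second attribute. Finally, since this `log.Warn` sits on the per-vulnerability path, a scan with many unrated findings emits one warning per vulnerability; consider logging at debug level or counting and reporting once per scan.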
It's not necessarily a CVE ID.
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("CVE", vulnID)) | |
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("vulnerability-id", vulnID)) |
`Vendor` is unclear. We may want to show the source (`dbTypes.SourceID`).
I thought about this, but there is 1 problem with this.
We fill the `severity` field in trivy-db:
https://github.com/aquasecurity/trivy-db/blob/b8fe1376ffcdc69fe454f0a8a481ab485e47aea5/pkg/vulnsrc/vulnerability/vulnerability.go#L92-L108
Therefore, we don't have info about the vendor for this severity.
We can only check `vendorSeverity` and detect the vendor with the same severity.
But if 2 vendors use this severity, we may make a mistake in our choice.
I mean, we should say "Debian and NVD don't have severity" when scanning a Debian image and "Ubuntu and NVD don't have severity" when scanning an Ubuntu image. We need to consider what should be displayed with language-specific packages, though.
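The thread above turns on two points: once trivy-db collapses per-source ratings into a single `severity` field the originating source is lost, and a warning is only useful if it names which sources (the scanned distribution, NVD) had no rating. The following Go program is an added illustration, not Trivy's or trivy-db's code; the `Severity`, `SourceID`, `Vulnerability` and `Resolution` types and the `resolveSeverity`, `sourcesWithSeverity` and `warningMessage` functions are assumed stand-ins written for this example, and the sample vulnerability and its ID are constructed. It resolves a severity while keeping track of the source it came from, builds the distribution-specific message a reviewer asked for, and shows why a reverse lookup from the collapsed value alone is ambiguous when two sources share a rating.

```go
package main

import (
	"fmt"
	"sort"
)

// Severity and SourceID are assumed stand-ins for the database types the
// thread mentions (dbTypes.Severity / dbTypes.SourceID); not trivy-db's code.
type Severity int

const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

var severityNames = [...]string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}

func (s Severity) String() string {
	if int(s) < 0 || int(s) >= len(severityNames) {
		return "UNKNOWN"
	}
	return severityNames[s]
}

type SourceID string

const (
	SourceNVD    SourceID = "nvd"
	SourceGitHub SourceID = "ghsa"
	SourceDebian SourceID = "debian"
	SourceUbuntu SourceID = "ubuntu"
)

// Vulnerability keeps only the per-source map. The collapsed Severity field
// that trivy-db fills is deliberately not modelled: once the ratings are
// merged into one value, the source can no longer be recovered from it.
type Vulnerability struct {
	ID             string
	VendorSeverity map[SourceID]Severity
}

// Resolution records which severity was chosen and where it came from, so the
// caller can say exactly which sources were missing instead of "Vendor".
type Resolution struct {
	Severity Severity
	Source   SourceID
	Fallback bool // neither the primary vendor nor NVD had a rating
}

// resolveSeverity prefers the scanned distribution's own rating, then NVD,
// then any other source in sorted order so the choice is deterministic.
func resolveSeverity(v Vulnerability, primary SourceID) Resolution {
	if s, ok := v.VendorSeverity[primary]; ok && s != SeverityUnknown {
		return Resolution{Severity: s, Source: primary}
	}
	if s, ok := v.VendorSeverity[SourceNVD]; ok && s != SeverityUnknown {
		return Resolution{Severity: s, Source: SourceNVD}
	}
	others := make([]string, 0, len(v.VendorSeverity))
	for src, s := range v.VendorSeverity {
		if src != primary && src != SourceNVD && s != SeverityUnknown {
			others = append(others, string(src))
		}
	}
	if len(others) == 0 {
		return Resolution{Severity: SeverityUnknown}
	}
	sort.Strings(others)
	src := SourceID(others[0])
	return Resolution{Severity: v.VendorSeverity[src], Source: src, Fallback: true}
}

// sourcesWithSeverity is the reverse lookup the thread describes: given only a
// collapsed severity value, which sources could it have come from? More than
// one answer means the vendor cannot be identified reliably that way.
func sourcesWithSeverity(v Vulnerability, sev Severity) []SourceID {
	var out []SourceID
	for src, s := range v.VendorSeverity {
		if s == sev {
			out = append(out, src)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// warningMessage names the sources that lacked a rating, e.g. "debian and nvd
// don't have severity ...", which is what the reviewer asked for.
func warningMessage(v Vulnerability, primary SourceID, r Resolution) string {
	if !r.Fallback {
		return ""
	}
	return fmt.Sprintf("%s and %s don't have severity for %s; using %s severity from %s (see VendorSeverity in json format)",
		primary, SourceNVD, v.ID, r.Severity, r.Source)
}

func main() {
	// Constructed sample: rated only by GitHub and Ubuntu, scanned from a Debian image.
	v := Vulnerability{
		ID: "EXAMPLE-0001", // placeholder, not a real advisory ID
		VendorSeverity: map[SourceID]Severity{SourceGitHub: SeverityHigh, SourceUbuntu: SeverityHigh},
	}
	r := resolveSeverity(v, SourceDebian)
	fmt.Println(r.Severity, r.Source, r.Fallback)
	fmt.Println(warningMessage(v, SourceDebian, r))
	fmt.Println(sourcesWithSeverity(v, SeverityHigh)) // two candidates: ambiguous
}
```

The `Fallback` flag is what the log call should key on: the warning fires only when both the primary vendor and NVD were silent, and the `Source` field gives the attribute value a reader can act on.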
Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
…ndor-severity-missing-log
Description
See #6714 (comment)
Example:
Related issues
`nvd` and `source` don't have severity for vulnerability #6714
Checklist