
unexpected severity if nvd and source don't have severity for vulnerability #6714

Open
DmitriyLewen opened this issue May 17, 2024 Discussed in #6676 · 5 comments · May be fixed by #6726

Comments

@DmitriyLewen
Contributor

Description

We use the severity field if VendorSeverity doesn't contain the NVD, GHSA (for GHSA-xxxx-xxx vulns) or source severity:

func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, source dbTypes.SourceID) (string, dbTypes.SourceID) {
	if vs, ok := vuln.VendorSeverity[source]; ok {
		return vs.String(), source
	}
	// use severity from GitHub for all GHSA-xxx vulnerabilities
	if strings.HasPrefix(vulnID, "GHSA-") {
		if vs, ok := vuln.VendorSeverity[vulnerability.GHSA]; ok {
			return vs.String(), vulnerability.GHSA
		}
	}
	// Try NVD as a fallback if it exists
	if vs, ok := vuln.VendorSeverity[vulnerability.NVD]; ok {
		return vs.String(), vulnerability.NVD
	}
	if vuln.Severity == "" {
		return dbTypes.SeverityUnknown.String(), ""
	}
	return vuln.Severity, ""
}

But we fill the severity field with the first severity found when walking the sources in the following order:

// Priority order of sources used to fill the generic severity field
var sources = []types.SourceID{NVD, RedHat, Debian, Ubuntu, Alpine, Amazon, OracleOVAL, SuseCVRF, Photon,
	ArchLinux, Alma, Rocky, CBLMariner, RubySec, PhpSecurityAdvisories, NodejsSecurityWg, GHSA, GLAD, OSV, K8sVulnDB,
}
func getSeverity(details map[types.SourceID]types.VulnerabilityDetail) types.Severity {
	for _, source := range sources {
		switch d, ok := details[source]; {
		case !ok:
			continue
		case d.CvssScoreV3 > 0:
			return scoreToSeverity(d.CvssScoreV3)
		case d.CvssScore > 0:
			return scoreToSeverity(d.CvssScore)
		case d.SeverityV3 != 0:
			return d.SeverityV3
		case d.Severity != 0:
			return d.Severity
		}
	}
	return types.SeverityUnknown
}

This behavior can be confusing (take a look at #6676).
Perhaps we need to stop using the severity field in Trivy and perhaps deprecate this field.

Discussed in #6676
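The mismatch described in this issue, reproduced as an added example (not Trivy's own code): both selection functions are reduced to the branches that matter, with simplified stand-in types that only borrow the page's names, and a constructed vulnerability that NVD has not rated yet but Red Hat has. A Debian scan then reports Red Hat's severity through the generic field, with no source attached.

```go
package main
import "fmt"

// Stand-ins for the trivy-db types (assumption: names follow the page, shapes are simplified).
type SourceID string
type Severity int
const SeverityUnknown, SeverityHigh Severity = 0, 3
const NVD, RedHat, Debian SourceID = "nvd", "redhat", "debian"
func (s Severity) String() string { return map[Severity]string{SeverityUnknown: "UNKNOWN", SeverityHigh: "HIGH"}[s] }
// Priority order for the generic severity field (first three entries of the list quoted above).
var sources = []SourceID{NVD, RedHat, Debian}
type VulnerabilityDetail struct{ SeverityV3 Severity }
type Vulnerability struct {
	Severity       string
	VendorSeverity map[SourceID]Severity
}

// getSeverity fills the generic field: the first source in priority order that has a severity wins.
func getSeverity(details map[SourceID]VulnerabilityDetail) Severity {
	for _, src := range sources {
		if d, ok := details[src]; ok && d.SeverityV3 != 0 {
			return d.SeverityV3
		}
	}
	return SeverityUnknown
}

// getVendorSeverity: the scanned source first, NVD as fallback, then the generic field with no source attached.
func getVendorSeverity(vuln Vulnerability, source SourceID) (string, SourceID) {
	if vs, ok := vuln.VendorSeverity[source]; ok {
		return vs.String(), source
	}
	if vs, ok := vuln.VendorSeverity[NVD]; ok {
		return vs.String(), NVD
	}
	if vuln.Severity == "" {
		return SeverityUnknown.String(), ""
	}
	return vuln.Severity, ""
}

// ReportedSeverity builds the case from the issue: a Debian scan of a CVE that only Red Hat has rated so far.
func ReportedSeverity() (string, SourceID) {
	// Constructed sample: the NVD entry exists but is unanalysed (no severity yet); Red Hat rated it HIGH.
	details := map[SourceID]VulnerabilityDetail{NVD: {}, RedHat: {SeverityV3: SeverityHigh}}
	vuln := Vulnerability{Severity: getSeverity(details).String(), VendorSeverity: map[SourceID]Severity{RedHat: SeverityHigh}}
	return getVendorSeverity(vuln, Debian) // "HIGH" with an empty source: the Red Hat origin is invisible to the user
}

func main() {
	sev, src := ReportedSeverity()
	fmt.Printf("severity=%s source=%q\n", sev, src)
}
```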

@DmitriyLewen
Contributor Author

@knqyf263 wdyt?

@knqyf263
Collaborator

It's intended now. NVD (and other vendors) frequently delays its analysis, while Red Hat usually assesses vulnerabilities quickly. Then, we used to have many vulnerabilities with the "unknown" severity. That's why we use the severity from Red Hat in the worst case, even if the scanned image is not based on Red Hat.

We may want to show warnings if we take severity from different vendors. In addition, adding --severity-src or something like that might help users who don't want to use severity from other vendors.

@DmitriyLewen
Contributor Author

It's intended now. NVD (and other vendors) frequently delays its analysis, while Red Hat usually assesses vulnerabilities quickly. Then, we used to have many vulnerabilities with the "unknown" severity. That's why we use the severity from Red Hat in the worst case, even if the scanned image is not based on Red Hat.

Got it! Thanks.

We may want to show warnings if we take severity from different vendors. In addition, adding --severity-src or something like that might help users who don't want to use severity from other vendors.

Let's start with log.

@SanjayVas

The key issue I see here is that the link to Aqua's vulnerability database does not match the severity. The database link must point to something that uses the same score source as the reported score/severity.

@DmitriyLewen
Contributor Author

We try to collect all common information in https://avd.aquasec.com (I will check why the site doesn't contain the RedHat severity).
If you need more information about a vulnerability, you can use the JSON format.
It contains info about DataSource (advisory database), VendorSeverity, CVSS (for all vendors), References, etc.
