Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: add warning if severity not from vendor (or NVD or GH) is used #6726

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

refactor: add warning if severity not from vendor (or NVD or GH) is used #6726

wants to merge 4 commits into from

Conversation

DmitriyLewen
Copy link
Contributor

@DmitriyLewen DmitriyLewen commented May 20, 2024
edited

Description

See #6714 (comment)

Example:
изображение

Related issues

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).

@DmitriyLewen DmitriyLewen self-assigned this May 20, 2024
@DmitriyLewen DmitriyLewen marked this pull request as ready for review May 20, 2024 07:20
knqyf263
knqyf263 reviewed May 28, 2024
View reviewed changes
pkg/vulnerability/vulnerability.go Outdated
@@ -130,6 +130,7 @@ func (c Client) getVendorSeverity(vulnID string, vuln *dbTypes.Vulnerability, so
return dbTypes.SeverityUnknown.String(), ""
}

log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("CVE", vulnID))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not necessarily CVE-ID.

Suggested change
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("CVE", vulnID))
log.Warn("Vendor and NVD don't have severity level. Severity from another vendor is used (see `VendorSeverity` in `json` format).", log.String("vulnerability-id", vulnID))

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Vendor is unclear. We may want to show the source (dbTypes.SourceID).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about this, but there is 1 problem with this.
We fill severity filed in trivy-db:
https://github.com/aquasecurity/trivy-db/blob/b8fe1376ffcdc69fe454f0a8a481ab485e47aea5/pkg/vulnsrc/vulnerability/vulnerability.go#L92-L108

Therefore, we don't have info about vendor for this severity.

We can only check vendorSeverity and detect vendor with same severity.
But if 2 vendors use this severity, we may make mistake in our choice

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean, we should say "Debian and NVD don't have severity" when scanning a Debian image and "Ubuntu and NVD don't have severity" when scanning an Ubuntu image. We need to consider what should be displayed with language-specific packages, though.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand you now.
We can use dataSource.Name (see :
изображение

It also works for language-specific packages

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@knqyf263 knqyf263 knqyf263 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@DmitriyLewen DmitriyLewen

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

unexpected severity if nvd and source don't have severity for vulnerability
2 participants
@DmitriyLewen @knqyf263