Trivy Parser Resulting Discrepancy in Severity and CVSS #9092

Status: Closed

farhanardiya opened this issue Dec 3, 2023 · 3 comments
farhanardiya commented Dec 3, 2023

Bug description
When the Trivy parser parses the CVSS vector, it only considers the nvd CVSS score, while Trivy may use other sources, which are defined in the SeveritySource parameter.
Below is the problematic code (dojo/tools/trivy/parser.py):
[screenshot of the existing parser code; the image is not reproduced in the text]
Below is the proposed code (please correct this if it is not right, it has not been tested):

    def cvssv3_vector_for(vuln):
        """Pick the V3Vector from the vendor named in SeveritySource;
        use nvd when SeveritySource is absent or is nvd itself."""
        cvssv3 = None
        cvss = vuln.get("CVSS", None)
        if cvss is not None:
            nvd = cvss.get("nvd", None)
            severity_source = vuln.get("SeveritySource", None)
            # prefer the vendor Trivy took the Severity from
            if severity_source is not None and severity_source != "nvd":
                custom_vendor = cvss.get(severity_source, None)
                if custom_vendor is not None:
                    cvssv3 = custom_vendor.get("V3Vector", None)
            elif nvd is not None:
                cvssv3 = nvd.get("V3Vector", None)
        return cvssv3

Steps to reproduce
Steps to reproduce the behavior:

  1. Import a Trivy scan result (with dependency vulnerabilities that do not use nvd as their SeveritySource).
  2. Check the DefectDojo web UI: it either uses the nvd CVSS score, or does not show any score at all if the nvd score is not available, even though there is another CVSS data source.

Expected behavior
The CVSS score is synced with the severity, meaning the SeveritySource is taken into account when obtaining the CVSS score.

Deployment method (select with an X)

  • [x] Docker Compose
  • Kubernetes
  • GoDojo

Environment information

  • Operating System: Ubuntu 20.04
  • DefectDojo version (see footer) or commit message: v2.24.4 (release mode)

manuel-sommer (Contributor) commented

@farhanardiya, could you please provide a sample file? I can make a PR.

farhanardiya (Author) commented Dec 4, 2023

@manuel-sommer, here is a sample JSON file that you can use to import as a Trivy scan result. The SeveritySource is "ghsa" with Severity "HIGH", but the parser will get the CVSS vector / score from nvd (9.8), which translates to "Critical" severity. The expected behavior is that it takes the CVSS score from "ghsa" (7.5), consistent with the Severity ("HIGH").

{
  "SchemaVersion": 2,
  "ArtifactName": "sbom.json",
  "ArtifactType": "cyclonedx",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2023-37920",
          "PkgName": "certifi",
          "InstalledVersion": "2022.5.18.1",
          "FixedVersion": "2023.7.22",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2023-37920",
          "Ref": "pkg:pypi/certifi@2022.5.18.1",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory pip",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Apip"
          },
          "Title": "python-certifi: Removal of e-Tugra root certificate",
          "Description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-345"
          ],
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 7.5
            },
            "nvd": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "V3Score": 7.5
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2023-37920",
            "https://github.com/certifi/python-certifi",
            "https://github.com/certifi/python-certifi/commit/8fb96ed81f71e7097ed11bc4d9b19afd7ea5c909",
            "https://github.com/certifi/python-certifi/security/advisories/GHSA-xqr8-7jwr-rhp7",
            "https://github.com/pypa/advisory-database/tree/main/vulns/certifi/PYSEC-2023-135.yaml",
            "https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A",
            "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5EX6NG7WUFNUKGFHLM35KHHU3GAKXRTG/",
            "https://nvd.nist.gov/vuln/detail/CVE-2023-37920",
            "https://www.cve.org/CVERecord?id=CVE-2023-37920"
          ],
          "PublishedDate": "2023-07-25T21:15:00Z",
          "LastModifiedDate": "2023-08-12T06:16:00Z"
        }
      ]
    }
  ]
}
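
The selection logic this issue asks for, as an added example (it is neither DefectDojo's parser code nor the proposed patch above), run over a trimmed copy of the JSON posted above plus two constructed entries (EXAMPLE-1 and EXAMPLE-2 are made-up labels, not real advisories) that exercise the fallback paths. It goes beyond the proposed patch in one way: when the vendor named in SeveritySource has no CVSS block it falls back to nvd and then to any other vendor present, so a finding still gets a score. severity_from_score applies the CVSS v3.x qualitative rating scale so the chosen score can be checked against Trivy's Severity field, and select_cvss_nvd_only reproduces the reported behaviour for comparison.

```python
import json

# Constructed test input (not a real Trivy report): the certifi entry is the one
# posted above, trimmed to the fields this logic reads; the EXAMPLE-* entries
# are made up (not real advisories) to exercise the fallback paths.
SAMPLE_TRIVY_JSON = json.dumps({
    "SchemaVersion": 2,
    "Results": [{
        "Target": "requirements.txt", "Class": "lang-pkgs", "Type": "pip",
        "Vulnerabilities": [
            {
                "VulnerabilityID": "CVE-2023-37920", "PkgName": "certifi",
                "SeveritySource": "ghsa", "Severity": "HIGH",
                "CVSS": {
                    "ghsa": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5},
                    "nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8},
                    "redhat": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "V3Score": 7.5},
                },
            },
            {   # SeveritySource names a vendor with no CVSS block: fall back to nvd
                "VulnerabilityID": "EXAMPLE-1", "SeveritySource": "redhat", "Severity": "MEDIUM",
                "CVSS": {"nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "V3Score": 4.8}},
            },
            {   # no CVSS block at all: nothing can be selected
                "VulnerabilityID": "EXAMPLE-2", "SeveritySource": "nvd", "Severity": "LOW",
            },
        ],
    }],
})


def select_cvss(vuln):
    """Return (vector, score, source) for the CVSS v3 entry that matches Severity.

    Preference: the vendor named in SeveritySource, then nvd, then any other
    vendor in the order Trivy emitted them. All None when nothing has a V3Vector.
    """
    cvss = vuln.get("CVSS") or {}
    order = []
    for source in [vuln.get("SeveritySource"), "nvd", *cvss.keys()]:
        if source and source not in order:
            order.append(source)
    for source in order:
        entry = cvss.get(source) or {}
        if entry.get("V3Vector"):
            return entry["V3Vector"], entry.get("V3Score"), source
    return None, None, None


def select_cvss_nvd_only(vuln):
    """The behaviour the issue reports: nvd or nothing."""
    nvd = (vuln.get("CVSS") or {}).get("nvd") or {}
    if nvd.get("V3Vector"):
        return nvd["V3Vector"], nvd.get("V3Score"), "nvd"
    return None, None, None


def severity_from_score(score):
    """CVSS v3.x qualitative severity rating scale; None when there is no score."""
    if score is None:
        return None
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def parse_trivy(report_text, selector=select_cvss):
    """One record per vulnerability in a Trivy JSON report, with the selected
    CVSS data and a flag comparing the rating derived from the chosen score
    against Trivy's own Severity (None when no score was found)."""
    findings = []
    for result in json.loads(report_text).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            vector, score, source = selector(vuln)
            derived = severity_from_score(score)
            findings.append({
                "id": vuln.get("VulnerabilityID"),
                "severity": vuln.get("Severity"),
                "severity_source": vuln.get("SeveritySource"),
                "cvss_source": source,
                "cvssv3_vector": vector,
                "cvssv3_score": score,
                "consistent": None if derived is None else derived == vuln.get("Severity"),
            })
    return findings


if __name__ == "__main__":
    for finding in parse_trivy(SAMPLE_TRIVY_JSON):
        print(finding)
```

Running the block prints the three records; the certifi finding comes out with cvss_source "ghsa", score 7.5 and consistent True, whereas the same input through select_cvss_nvd_only yields 9.8, which maps to CRITICAL and flags the HIGH/CRITICAL mismatch described in this issue.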

manuel-sommer (Contributor) commented

This can be closed.
