Trivy Parser Resulting Discrepancy in Severity and CVSS #9092
Comments
@farhanardiya, could you please provide a sample file? I can make a PR.

@manuel-sommer, here is a sample JSON file that you can use to import as a Trivy scan result. The SeveritySource is "ghsa" with Severity "HIGH", but the parser will get the CVSS vector / score from nvd (9.8), which translates to "Critical" severity. The expected behavior is that it takes the CVSS score from "ghsa" (7.5), consistent with the Severity ("HIGH").

This can be closed.
Bug description
When trivy parses the CVSS vector, it only considers the nvd CVSS score, while trivy may use other sources that are defined in the SeveritySource parameter.
Below is the problematic code (dojo/tools/trivy/parser.py)
Below is the proposed code (please correct this if it is not right, it has not been tested)
Steps to reproduce
Expected behavior
The CVSS score is synced with the severity, meaning the SeveritySource is taken into account when obtaining the CVSS score.
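An added example, not the DefectDojo parser's own code, of the selection this issue asks for: read Trivy's SeveritySource and take the CVSS vector and score from the matching entry, falling back to nvd (and then any other source with v3 data) only when that entry is absent. The report, its placeholder identifiers and the pick_cvss_nvd_only function that models the reported behaviour are constructed for illustration; the field names (Severity, SeveritySource, CVSS, V3Vector, V3Score) are those of Trivy's JSON output. Beyond the ghsa case in the comments it also covers a SeveritySource with no CVSS block of its own and a vulnerability with no CVSS data at all.

```python
"""Added example (not DefectDojo's parser): choose the CVSS entry that matches
Trivy's SeveritySource so the score agrees with the reported Severity."""
import json

# Constructed sample vulnerabilities in Trivy's JSON shape, trimmed to the fields
# that matter. Identifiers and package names are placeholders, not real CVEs.
SAMPLE_VULNS = [
    {   # the case from the issue: Severity comes from ghsa, but nvd scores higher
        "VulnerabilityID": "EXAMPLE-0001",
        "PkgName": "example-pkg",
        "Severity": "HIGH",
        "SeveritySource": "ghsa",
        "CVSS": {
            "ghsa": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "V3Score": 7.5},
            "nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8},
        },
    },
    {   # SeveritySource names a source with no CVSS block of its own: fall back to nvd
        "VulnerabilityID": "EXAMPLE-0002",
        "PkgName": "example-pkg",
        "Severity": "CRITICAL",
        "SeveritySource": "redhat",
        "CVSS": {
            "nvd": {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8},
        },
    },
    {   # no CVSS data at all; only Trivy's own Severity is available
        "VulnerabilityID": "EXAMPLE-0003",
        "PkgName": "example-pkg",
        "Severity": "MEDIUM",
        "SeveritySource": "nvd",
    },
]

# Constructed report wrapper, as Trivy emits it (Results -> Vulnerabilities).
SAMPLE_REPORT = json.dumps({
    "Results": [{"Target": "package-lock.json", "Vulnerabilities": SAMPLE_VULNS}],
})


def severity_from_score(score):
    """Qualitative rating for a CVSS v3 base score, per the CVSS v3 specification."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "Info"


def pick_cvss_nvd_only(vuln):
    """The behaviour the issue reports: only the nvd block is ever consulted."""
    entry = (vuln.get("CVSS") or {}).get("nvd") or {}
    return entry.get("V3Vector"), entry.get("V3Score")


def pick_cvss(vuln):
    """Return (source, vector, score), preferring the block named by SeveritySource.

    Order of preference: SeveritySource, then nvd, then any other source that
    carries v3 data. Returns (None, None, None) when no block has a v3 vector
    and score.
    """
    cvss = vuln.get("CVSS") or {}
    order = []
    for name in (vuln.get("SeveritySource"), "nvd", *cvss):
        if name and name not in order:
            order.append(name)
    for name in order:
        entry = cvss.get(name) or {}
        vector, score = entry.get("V3Vector"), entry.get("V3Score")
        if vector and score is not None:
            return name, vector, float(score)
    return None, None, None


def parse_report(text):
    """Flatten a Trivy JSON report into findings whose CVSS follows SeveritySource."""
    findings = []
    for result in json.loads(text).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            source, vector, score = pick_cvss(vuln)
            trivy_severity = vuln.get("Severity", "UNKNOWN").title()
            score_severity = severity_from_score(score) if score is not None else None
            findings.append({
                "id": vuln.get("VulnerabilityID"),
                "severity": trivy_severity,
                "cvss_source": source,
                "cvss_vector": vector,
                "cvss_score": score,
                "score_severity": score_severity,
                # True when the chosen score maps to the rating Trivy reported
                # (or there is no score to disagree with)
                "consistent": score_severity is None or score_severity == trivy_severity,
            })
    return findings


if __name__ == "__main__":
    for finding in parse_report(SAMPLE_REPORT):
        print(finding)
```

Running the block prints one finding per sample entry; for EXAMPLE-0001 the chosen source is ghsa with score 7.5 (High), whereas pick_cvss_nvd_only on the same entry yields 9.8, which severity_from_score maps to Critical, the discrepancy described above.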