Priorities seem to be always shown in the Debian context #62

Closed
16m opened this issue Jan 13, 2016 · 1 comment
Labels
kind/bug things are not as they seem

Comments

16m commented Jan 13, 2016

TL;DR: The API returns vulnerabilities considered Low by Ubuntu (when I ask for High). Not sure if existing issues like #19 or #54 cover this problem entirely.

Let's say I query /v1/vulnerabilities/CVE-2015-5277 to get a vulnerability's information. Answer:

```json
{
  "ID": "CVE-2015-5277",
  "Link": "https://security-tracker.debian.org/tracker/CVE-2015-5277",
  "Priority": "High",
  "Description": "The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.",
  "AffectedPackages": [
    {"OS": "debian:9", "Name": "glibc", "AllVersions": false, "BeforeVersion": "2.21-1"},
    {"OS": "debian:unstable", "Name": "glibc", "AllVersions": false, "BeforeVersion": "2.21-1"},
    {"OS": "ubuntu:14.04", "Name": "eglibc", "AllVersions": true, "BeforeVersion": ""},
    {"OS": "debian:8", "Name": "glibc", "AllVersions": true, "BeforeVersion": ""}
  ]
}
```
  1. Both Link and Priority fields are shown for Debian. The same vulnerability has a different priority in the Ubuntu CVE tracker. So the same vulnerability can be assigned different priorities by the different trackers.
  2. When querying /v1/layers/{ID}/vulnerabilities with the default minimumPriority (High) using an image based on Ubuntu 14.04, the API will return vulnerabilities that are considered to have Low or Medium priority by the Ubuntu CVE tracker.

I am wondering if this behaviour has been chosen for simplicity, or if there is something I missed. It would be nice if the priority for a vulnerability reflected the OS on which our image is based.
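To make the two behaviours in the report concrete, here is an added example (not Clair's code, and not written by the reporter) that parses the response above and applies a minimumPriority filter two ways: once against the single, Debian-sourced `Priority` field, as the report describes, and once against a per-OS rating looked up for the layer's distribution. The priority ordering, the `Parse`/`Affects`/`GlobalPriorityFilter`/`PerOSPriorityFilter` names and the `TrackerPriorities` table are assumptions of this example; the Ubuntu rating in that table is constructed, since the issue only says it is lower than Debian's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// AffectedPackage and Vulnerability mirror the /v1/vulnerabilities/{ID}
// response quoted in the report.
type AffectedPackage struct {
	OS            string `json:"OS"`
	Name          string `json:"Name"`
	AllVersions   bool   `json:"AllVersions"`
	BeforeVersion string `json:"BeforeVersion"`
}

type Vulnerability struct {
	ID               string            `json:"ID"`
	Link             string            `json:"Link"`
	Priority         string            `json:"Priority"`
	Description      string            `json:"Description"`
	AffectedPackages []AffectedPackage `json:"AffectedPackages"`
}

// CVE20155277JSON is the response body pasted in the issue, verbatim.
const CVE20155277JSON = `{"ID":"CVE-2015-5277","Link":"https://security-tracker.debian.org/tracker/CVE-2015-5277","Priority":"High","Description":"The get_contents function in nss_files/files-XXX.c in the Name Service Switch (NSS) in GNU C Library (aka glibc or libc6) before 2.20 might allow local users to cause a denial of service (heap corruption) or gain privileges via a long line in the NSS files database.","AffectedPackages":[{"OS":"debian:9","Name":"glibc","AllVersions":false,"BeforeVersion":"2.21-1"},{"OS":"debian:unstable","Name":"glibc","AllVersions":false,"BeforeVersion":"2.21-1"},{"OS":"ubuntu:14.04","Name":"eglibc","AllVersions":true,"BeforeVersion":""},{"OS":"debian:8","Name":"glibc","AllVersions":true,"BeforeVersion":""}]}`

// priorityRank orders the priority vocabulary. The ordering is an assumption
// of this example, not something the issue states.
var priorityRank = map[string]int{
	"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
	"High": 4, "Critical": 5, "Defcon1": 6,
}

func atLeast(priority, minimum string) bool {
	return priorityRank[priority] >= priorityRank[minimum]
}

// Parse decodes one vulnerability response body.
func Parse(body string) (Vulnerability, error) {
	var v Vulnerability
	err := json.Unmarshal([]byte(body), &v)
	return v, err
}

// Affects reports whether the vulnerability lists a package for osName.
func (v Vulnerability) Affects(osName string) bool {
	for _, p := range v.AffectedPackages {
		if p.OS == osName {
			return true
		}
	}
	return false
}

// GlobalPriorityFilter reproduces the behaviour the report describes: the
// single Priority field (Debian's rating) decides whether the vulnerability
// clears minimumPriority, whatever OS the layer is based on.
func GlobalPriorityFilter(v Vulnerability, osName, minimumPriority string) bool {
	return v.Affects(osName) && atLeast(v.Priority, minimumPriority)
}

// TrackerPriorities maps OS -> CVE ID -> that distribution's own rating.
// Constructed, hypothetical data: the issue does not give Ubuntu's rating,
// only that it is lower than Debian's High.
var TrackerPriorities = map[string]map[string]string{
	"debian:8":     {"CVE-2015-5277": "High"},
	"ubuntu:14.04": {"CVE-2015-5277": "Low"},
}

// PerOSPriorityFilter is the behaviour the reporter asks for: the rating is
// looked up for the layer's OS. A CVE with no rating from that tracker is
// treated as Unknown instead of silently inheriting Debian's priority.
func PerOSPriorityFilter(v Vulnerability, osName, minimumPriority string,
	trackers map[string]map[string]string) bool {
	if !v.Affects(osName) {
		return false
	}
	priority, ok := trackers[osName][v.ID]
	if !ok {
		priority = "Unknown"
	}
	return atLeast(priority, minimumPriority)
}

func main() {
	v, err := Parse(CVE20155277JSON)
	if err != nil {
		panic(err)
	}
	for _, osName := range []string{"debian:8", "ubuntu:14.04"} {
		fmt.Printf("%s on %s with minimumPriority=High: global=%v perOS=%v\n",
			v.ID, osName,
			GlobalPriorityFilter(v, osName, "High"),
			PerOSPriorityFilter(v, osName, "High", TrackerPriorities))
	}
}
```

With minimumPriority=High, the global filter admits CVE-2015-5277 for the ubuntu:14.04 layer because the only rating it sees is Debian's, while the per-OS filter rejects it on the constructed Ubuntu rating and still admits it for debian:8. Falling back to Unknown for an OS with no rating is the conservative choice here: it keeps a Debian rating from being applied to a distribution that never assigned one.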

Quentin-M (Contributor) commented

Hi,

Thanks for your report.

Yes, this is actually a known issue (which I consider major) and is basically tracked by #19.
#54 will fix it as soon as it is released, along with other important features.

Work in progress can be found at Quentin-M/clair/sql.

jzelinskie added the kind/bug (things are not as they seem) and reviewed/duplicate labels Mar 12, 2016