GHSA CVE-2024-50379 has 7.2 V3Score but trivy has 9.8 V3Score

[dev-sca]

IDs

CVE-2024-50379

Description

I execute trivy via "trivy sbom <my application sbom path> --format json -o output.json"
and I found my application's vulnerability CVE-2024-50379 has HIGH severity with ghsa source

        {
          "VulnerabilityID": "CVE-2024-50379",
          "PkgID": "org.apache.tomcat.embed:tomcat-embed-core:10.1.5",
          "PkgName": "org.apache.tomcat.embed:tomcat-embed-core",
          "PkgIdentifier": {
            "PURL": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.5",
            "UID": "25b6d6d3048811c3",
            "BOMRef": "pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.1.5"
          },
          "InstalledVersion": "10.1.5",
          "FixedVersion": "11.0.2, 10.1.34, 9.0.98",
          "Status": "fixed",
          "Layer": {},
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2024-50379",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Maven",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Amaven"
          },
          "Title": "tomcat: RCE due to TOCTOU issue in JSP compilation",
          "Description": "Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.\n\nUsers are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-367"
          ],
          "VendorSeverity": {
            "amazon": 3,
            "bitnami": 4,
            "ghsa": 3,
            "photon": 4,
            "redhat": 2
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            },
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 9.8
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "V3Score": 8.1
            }
          },
          "References": [
            "http://www.openwall.com/lists/oss-security/2024/12/17/4",
            "http://www.openwall.com/lists/oss-security/2024/12/18/2",
            "https://access.redhat.com/security/cve/CVE-2024-50379",
            "https://github.com/apache/tomcat",
            "https://github.com/apache/tomcat/commit/05ddeeaa54df1e2dc427d0164bedd6b79f78d81f",
            "https://github.com/apache/tomcat/commit/43b507ebac9d268b1ea3d908e296cc6e46795c00",
            "https://github.com/apache/tomcat/commit/631500b0c9b2a2a2abb707e3de2e10a5936e5d41",
            "https://github.com/apache/tomcat/commit/684247ae85fa633b9197b32391de59fc54703842",
            "https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2d2",
            "https://github.com/apache/tomcat/commit/cc7a98b57c6dc1df21979fcff94a36e068f4456c",
            "https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r",
            "https://nvd.nist.gov/vuln/detail/CVE-2024-50379",
            "https://security.netapp.com/advisory/ntap-20250103-0003",
            "https://security.netapp.com/advisory/ntap-20250103-0003/",
            "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.34",
            "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.2",
            "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.98",
            "https://www.cve.org/CVERecord?id=CVE-2024-50379"
          ],
          "PublishedDate": "2024-12-17T13:15:18.81Z",
          "LastModifiedDate": "2025-01-03T12:15:26.403Z"
        },

but ghsa has 9.8 score which should be CRITICAL
so I look up ghsa CVE-2024-50379, and I found it's not 9.8 but 7.2

Reproduction Steps

sbom <my application sbom path> --format json -o output.json

Target

SBOM

Scanner

Vulnerability

Target OS

Windows

Debug Output

2025-02-28T12:27:26+09:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-02-28T12:27:26+09:00       DEBUG   Cache dir       dir="C:\\Users\\Yong\\AppData\\Local\\trivy"
2025-02-28T12:27:26+09:00       DEBUG   Cache dir       dir="C:\\Users\\Yong\\AppData\\Local\\trivy"
2025-02-28T12:27:26+09:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-02-28T12:27:26+09:00       DEBUG   Ignore statuses statuses=[]
2025-02-28T12:27:26+09:00       DEBUG   DB update was skipped because the local DB is the latest
2025-02-28T12:27:26+09:00       DEBUG   DB info schema=2 updated_at=2025-02-28T00:25:40.860438929Z next_update=2025-03-01T00:25:40.860438759Z downloaded_at=2025-02-28T03:18:05.2224316Z
2025-02-28T12:27:26+09:00       DEBUG   [pkg] Package types     types=[os library]
2025-02-28T12:27:26+09:00       DEBUG   [pkg] Package relationships     relationships=[unknown root direct indirect]
2025-02-28T12:27:26+09:00       INFO    [vuln] Vulnerability scanning is enabled
2025-02-28T12:27:26+09:00       DEBUG   Enabling misconfiguration scanners      scanners=[]
2025-02-28T12:27:26+09:00       DEBUG   Initializing scan cache...      type="memory"
2025-02-28T12:27:26+09:00       INFO    Detected SBOM format    format="cyclonedx-json"
2025-02-28T12:27:26+09:00       DEBUG   Unmarshalling CycloneDX JSON...
2025-02-28T12:27:26+09:00       DEBUG   OS is not detected.
2025-02-28T12:27:26+09:00       DEBUG   Detected OS: unknown
2025-02-28T12:27:26+09:00       INFO    Number of language-specific files       num=2
2025-02-28T12:27:26+09:00       INFO    [pom] Detecting vulnerabilities...
2025-02-28T12:27:26+09:00       DEBUG   [pom] Scanning packages for vulnerabilities     file_path="pom.xml"
2025-02-28T12:27:26+09:00       INFO    [jar] Detecting vulnerabilities...
2025-02-28T12:27:26+09:00       DEBUG   [jar] Scanning packages for vulnerabilities     file_path=""
2025-02-28T12:27:26+09:00       DEBUG   [jar] Skipping vulnerability scan as no version is detected for the package    name="io.swagger.core.v3:swagger-annotations-jakarta"
2025-02-28T12:27:26+09:00       DEBUG   [jar] Skipping vulnerability scan as no version is detected for the package    name="io.swagger.core.v3:swagger-models-jakarta"
2025-02-28T12:27:26+09:00       DEBUG   [jar] Skipping vulnerability scan as no version is detected for the package    name="org.glassfish.jaxb:jaxb-core"
2025-02-28T12:27:26+09:00       DEBUG   [vex] VEX filtering is disabled

Version

Version: 0.57.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-02-28 00:25:40.860438929 +0000 UTC
  NextUpdate: 2025-03-01 00:25:40.860438759 +0000 UTC
  DownloadedAt: 2025-02-28 03:18:05.2224316 +0000 UTC

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[nikpivkin]

Trivy uses CVSS v3.1, while GH uses CVSS v4, so the scores are different.

@DmitriyLewen Correct me if I'm wrong.

[DmitriyLewen]

right.
it looks like they use CVSS v4 to calculate severity.

Trivy uses severity from severity field (for GHSA) - https://github.com/github/advisory-database/blob/01488284803a546a74f35547e4cf714ed693de5b/advisories/github-reviewed/2024/12/GHSA-5j33-cvvr-w245/GHSA-5j33-cvvr-w245.json#L203

[dev-sca]

so trivy takes severity which determined by source vendor's CVSS4.0 score for Severity field
and takes scores from each vendor's CVSS3.1 Score for CVSS field?
Am I right?

[DmitriyLewen]

so trivy takes severity which determined by source vendor's CVSS4.0 score for Severity fieldF

Trivy takes severity from severity field of GHSA. We just assume that GH calculates severity from CVSS v4.0.

takes scores from each vendor's CVSS3.1 Score for CVSS field?

For OSV formats (e.g. go-vuln, ghsa) trivy-db calculates score by CVSS 3.0|3.1 (if score didn't detect before):
https://github.com/DmitriyLewen/trivy-db/blob/9a4add6e0fd4b814acf7234ea9b344acda2b08b9/pkg/vulnsrc/osv/osv.go#L326

[dev-sca]

Currently, Trivy uses CVSS v3.1 scores while potentially providing GHSA severity based on CVSS v4.0, which might lead to inconsistencies. To avoid user confusion, wouldn't it be better to provide both the score and severity based on the same CVSS version?

[DmitriyLewen]

wouldn't it be better to provide both the score and severity based on the same CVSS version?

In your case, score and severity are not related.

We calculate score according to CVSS.
We show severity received from GHSA.

If you say about adding CVSS 4.0 into report - you can write about that in #7059