aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Severity reported on the scan output and on the CVE description differ #299

Closed fleroux514 closed 8 months ago

fleroux514 commented 8 months ago

My Github action config filters on HIGH and CRITICAL severities:

        uses: aquasecurity/trivy-action@master
        with:
          scan-type: rootfs
          scan-ref: /tmp/package-tmp/
          hide-progress: false
          ignore-unfixed: true
          format: table
          severity: CRITICAL,HIGH
          exit-code: 1

The output shows a HIGH severity CVE detection:


The CVE description shows MEDIUM severity: https://avd.aquasec.com/nvd/2012/cve-2012-6153/


simar7 commented 8 months ago

That's interesting. Although in this case the result in AVD is correct (Medium) as it's based on NVD 2.0.

@DmitriyLewen would you know why Trivy is flagging this vulnerability as HIGH in the results?

DmitriyLewen commented 8 months ago

Hello @fleroux514 @simar7. This happens because Trivy uses the database severity: https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#severity-selection

The GitHub advisory database has HIGH severity for this CVE: https://github.com/advisories/GHSA-2x83-r56g-cv47

The GitHub team does good work updating their advisories. If you don't agree with this severity, you can open a PR to change the severity.

simar7 commented 8 months ago

> Hello @fleroux514 @simar7
>
> This happens because Trivy uses the database severity: https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#severity-selection
>
> The GitHub advisory database has HIGH severity for this CVE: https://github.com/advisories/GHSA-2x83-r56g-cv47
>
> The GitHub team does good work updating their advisories.
>
> If you don't agree with this severity, you can open a PR to change the severity.

Thanks, that's right. I forgot that GitHub is a severity provider and we override based on the providers'/vendors' recommendation.

DmitriyLewen commented 8 months ago

FYI, the JSON format has a VendorSeverity field that shows which database was used to select the severity for a CVE.
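To make the per-source severities visible for a report like the one in this issue, here is an added Python example (not part of the issue and not Trivy's own code) that reads a Trivy JSON report, lists each finding at or above a threshold with its VendorSeverity breakdown, and names the sources that disagree with the reported severity. The report below is a constructed sample in the shape of Trivy's JSON output; the integer encoding of VendorSeverity (0=UNKNOWN through 4=CRITICAL) and the SeveritySource field are assumptions about that format.

```python
import json

# Assumed integer encoding used in Trivy's VendorSeverity values:
# 0=UNKNOWN, 1=LOW, 2=MEDIUM, 3=HIGH, 4=CRITICAL.
SEVERITY_NAMES = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of a Trivy JSON report (not real scan output).
# The ghsa/nvd disagreement mirrors the CVE-2012-6153 case from this issue.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "/tmp/package-tmp/",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2012-6153", "PkgName": "httpclient",
             "Severity": "HIGH", "SeveritySource": "ghsa",
             "VendorSeverity": {"ghsa": 3, "nvd": 2}},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "example-lib",
             "Severity": "MEDIUM", "SeveritySource": "nvd",
             "VendorSeverity": {"nvd": 2}},
        ],
    }]
})


def _level(name):
    """Map a severity name to its rank; unknown names rank lowest."""
    return SEVERITY_NAMES.index(name) if name in SEVERITY_NAMES else 0


def explain_severities(report_json, min_severity="HIGH"):
    """Return one dict per finding at or above min_severity, showing which
    source set the reported severity and which sources disagree with it."""
    threshold = _level(min_severity)
    rows = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            reported = vuln.get("Severity", "UNKNOWN")
            if _level(reported) < threshold:
                continue
            # Translate each source's integer rank back to a name.
            vendors = {src: SEVERITY_NAMES[lvl]
                       for src, lvl in vuln.get("VendorSeverity", {}).items()}
            rows.append({
                "id": vuln["VulnerabilityID"],
                "package": vuln.get("PkgName"),
                "reported": reported,
                "source": vuln.get("SeveritySource"),
                "vendors": vendors,
                "disagreeing": sorted(s for s, v in vendors.items() if v != reported),
            })
    return rows


if __name__ == "__main__":
    for row in explain_severities(SAMPLE_REPORT):
        print(f"{row['id']} ({row['package']}): {row['reported']} from "
              f"{row['source']}; vendors {row['vendors']}; disagree: {row['disagreeing']}")
```

Run it against a real report produced with `format: json` to see, for each HIGH/CRITICAL finding, whether the severity came from GHSA, NVD or a distro source.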

fleroux514 commented 8 months ago

Thanks for the explanation @DmitriyLewen. Closing.