Closed fleroux514 closed 8 months ago
That's interesting. Although in this case the result in AVD is correct (Medium) as it's based on NVD 2.0.
@DmitriyLewen would you know why Trivy is flagging this vulnerability as HIGH in the results?
Hello @fleroux514 @simar7
This happens because Trivy uses the database severity - https://aquasecurity.github.io/trivy/v0.48/docs/scanner/vulnerability/#severity-selection
The GitHub advisory database has HIGH severity for this CVE - https://github.com/advisories/GHSA-2x83-r56g-cv47
The GitHub team does good work updating their advisories. If you don't agree with this severity, you can open a PR to change the severity:
Thanks, that's right. I forgot that GitHub is a severity provider and we override based on the providers/vendors recommendation.
FYI: the json format uses the VendorSeverity field so you can see which database was used to select the severity for a CVE.
Thanks for the explanation @DmitriyLewen . Closing
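To make the severity-selection behaviour discussed above visible, here is an added example (not Trivy's code and not from this issue) that reads a Trivy JSON report and, for each finding, shows which source set the reported severity and whether NVD alone would have placed it inside a HIGH/CRITICAL gate. The report is a constructed sample; the field names follow Trivy's JSON schema and the integer scale in VendorSeverity is an assumption matching Trivy's internal enum (Unknown=0, Low=1, Medium=2, High=3, Critical=4).

```python
import json

# Assumed mapping of Trivy's VendorSeverity integers to names.
SEVERITY_NAMES = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}
GATE = {"HIGH", "CRITICAL"}  # the severities the Action in this issue filters on

# Constructed sample report (not real scanner output). Field names follow the
# Trivy JSON schema; the second CVE id is an obvious placeholder.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example.jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2012-6153", "PkgName": "commons-httpclient",
             "Severity": "HIGH", "SeveritySource": "ghsa",
             "VendorSeverity": {"ghsa": 3, "nvd": 2}},
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-lib",
             "Severity": "MEDIUM", "SeveritySource": "nvd",
             "VendorSeverity": {"nvd": 2}},
        ],
    }],
})


def explain_severity(report_json: str, gate=GATE):
    """One dict per finding: selected severity, its source, the NVD rating,
    and whether each of them falls inside the gate."""
    report = json.loads(report_json)
    rows = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            vendors = vuln.get("VendorSeverity", {})
            nvd = SEVERITY_NAMES.get(vendors.get("nvd", 0), "UNKNOWN")
            rows.append({
                "id": vuln["VulnerabilityID"],
                "severity": vuln["Severity"],
                "source": vuln.get("SeveritySource", "unknown"),
                "nvd": nvd,
                "in_gate": vuln["Severity"] in gate,
                "nvd_in_gate": nvd in gate,
            })
    return rows


def severity_overrides(report_json: str, gate=GATE):
    """IDs that a non-NVD source put inside the gate while NVD rates them lower."""
    return [r["id"] for r in explain_severity(report_json, gate)
            if r["in_gate"] and not r["nvd_in_gate"]]
```

Feed it the output of a scan run with the json format to see why a finding that AVD shows as MEDIUM still trips a HIGH,CRITICAL filter.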
My GitHub Action config filters on HIGH and CRITICAL severities:
The output shows a High severity CVE detection.
The CVE description shows MEDIUM severity: https://avd.aquasec.com/nvd/2012/cve-2012-6153/