
Severity and CVSS scores do not match in Trivy scan results.

Open bluefriday opened this issue 3 years ago • 4 comments

While using trivy to scan debian images, I noticed something strange.

In the example below, for CVE-2021-43396 the value of the Severity field is marked as "LOW".

{
  "VulnerabilityID": "CVE-2021-43396",
  "PkgName": "libc6",
  "InstalledVersion": "2.31-13",
  "FixedVersion": "2.31-13+deb11u3",
  "Layer": {
    "Digest": "sha256:8907fc4ab049835499c850563c3d7d474f580f63056f02ca32063c8777d79ac5",
    "DiffID": "sha256:e3d24823466584f8fcc6fe0d7d5bb09d2360b86ef9b655e21e8002ee04dd386b"
  },
  "SeveritySource": "debian",
  "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-43396",
  "DataSource": {
    "ID": "debian",
    "Name": "Debian Security Tracker",
    "URL": "https://salsa.debian.org/security-tracker-team/security-tracker"
  },
  "Title": "glibc: conversion from ISO-2022-JP-3 with iconv may emit spurious NUL character on state reset",
  "Description": "** DISPUTED ** In iconvdata/iso-2022-jp-3.c...bug.\"",
  "Severity": "LOW",
  "CVSS": {
    "nvd": {
      "V2Vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
      "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "V2Score": 5,
      "V3Score": 7.5
    }
  },
  "References": [
    "https://access.redhat.com/security/cve/CVE-2021-43396",
    "https://blog.tuxcare.com/vulnerability/vulnerability-in-iconv-identified-by-tuxcare-team-cve-2021-43396",
    "https://nvd.nist.gov/vuln/detail/CVE-2021-43396",
    "https://sourceware.org/bugzilla/show_bug.cgi?id=28524",
    "https://sourceware.org/git/?p=glibc.git;a=commit;h=ff012870b2c02a62598c04daa1e54632e020fd7d"
  ],
  "PublishedDate": "2021-11-04T20:15:00Z",
  "LastModifiedDate": "2021-11-17T14:12:00Z"
},

However, in the CVSS item below it, the values of V2Score and V3Score are displayed as 5 (probably medium) and 7.5 (probably High).

In fact, on the NVD site from the "References" entry, the corresponding severity is marked as below.

  • CVSS Version 3.x : 7.5 HIGH
  • CVSS Version 2.0 : 5.0 MEDIUM

I would like to know how the value of the Severity field is calculated.

bluefriday avatar May 31 '22 07:05 bluefriday

You can see SeveritySource. It says debian.

knqyf263 avatar May 31 '22 07:05 knqyf263

@DmitriyLewen We probably should add an explanation to our docs.

knqyf263 avatar May 31 '22 07:05 knqyf263

Hello @bluefriday, thanks for your interest in Trivy!

For packages installed from apt/apt-get/dpkg in Debian, Trivy gets advisories from the Debian database. More information about Trivy data sources here.

Agree with you @knqyf263. I will add some explanation on this to docs soon.

DmitriyLewen avatar May 31 '22 08:05 DmitriyLewen
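Because Severity comes from the distribution's tracker (here Debian) while the CVSS block comes from NVD, the two can legitimately disagree. The following added Python example, not part of Trivy or this thread, walks a Trivy JSON report and lists every vulnerability whose Severity differs from the NVD qualitative rating of its CVSS v3 score, so both views are visible during triage. It assumes Trivy's Results/Vulnerabilities report layout and uses NVD's published v3.x rating bands; the sample report is constructed from the entry quoted in this issue.

```python
import json
import sys


def cvss3_rating(score):
    """Map a CVSS v3.x base score to NVD's qualitative rating."""
    if score is None:
        return None
    if score == 0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def find_severity_mismatches(report):
    """Return (id, package, severity_source, severity, nvd_rating) for every
    vulnerability whose distro-sourced Severity differs from the NVD v3 rating.
    Entries without an NVD v3 score are skipped: there is nothing to compare."""
    mismatches = []
    for result in report.get("Results", []):          # layout assumed from Trivy JSON
        for vuln in result.get("Vulnerabilities") or []:
            nvd = (vuln.get("CVSS") or {}).get("nvd") or {}
            nvd_rating = cvss3_rating(nvd.get("V3Score"))
            if nvd_rating is None:
                continue
            severity = str(vuln.get("Severity", "UNKNOWN")).upper()
            if severity != nvd_rating:
                mismatches.append((vuln["VulnerabilityID"], vuln["PkgName"],
                                   vuln.get("SeveritySource"), severity, nvd_rating))
    return mismatches


# Constructed sample: the libc6 finding from this issue (trimmed to the fields used),
# plus one entry that agrees with NVD and one with no CVSS data at all.
SAMPLE_REPORT = {"Results": [{"Target": "debian:11 (constructed)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2021-43396", "PkgName": "libc6", "SeveritySource": "debian",
     "Severity": "LOW", "CVSS": {"nvd": {"V2Score": 5, "V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "pkg-a", "SeveritySource": "debian",
     "Severity": "HIGH", "CVSS": {"nvd": {"V3Score": 8.1}}},
    {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "pkg-b", "SeveritySource": "debian",
     "Severity": "MEDIUM"},
]}]}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for vid, pkg, src, sev, nvd in find_severity_mismatches(report):
        print(f"{vid} {pkg}: Severity={sev} (source={src}) but NVD CVSSv3 rating={nvd}")
```

Run it against `trivy image -f json -o report.json <image>` output by passing the file path; with no argument it uses the constructed sample.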

This issue is stale because it has been labeled with inactivity.

github-actions[bot] avatar Jul 31 '22 00:07 github-actions[bot]