
bug(vulnerability): `--vuln-severity-source` doesn't work for package-specific severity (e.g. Debian)

Open · DmitriyLewen opened this issue 5 months ago · 1 comment

Description

There are cases when a vendor might provide a package-specific severity (e.g. CVE-2015-2328 in Debian has "unimportant" for mongodb and "low" for pcre3). Trivy always uses this severity (even though the `--vuln-severity-source` flag exists):

➜  trivy -q image debian -f json --vuln-severity-source nvd | grep SeveritySource | sort -u
          "SeveritySource": "debian",
          "SeveritySource": "nvd",

Reason

We check the package-specific severity after the severity selection logic.

Solution

Add the package-specific severity to the VendorSeverity map. Use the severity selection logic after that.

DmitriyLewen, Jul 14 '25 10:07
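The ordering bug and the proposed fix side by side, as an added Go sketch that is not Trivy's own code: the function names are hypothetical, and the NVD "HIGH" and CVE-level Debian "low" values are constructed placeholders; only Debian's "unimportant" for mongodb comes from the issue.

```go
package main

import "fmt"

// VendorSeverity maps a source ("nvd", "debian", ...) to its severity label.
type Severity string
type VendorSeverity map[string]Severity

// selectSeverity picks the first preferred source present (--vuln-severity-source).
func selectSeverity(vs VendorSeverity, preferred []string) (Severity, string) {
	for _, src := range preferred {
		if s, ok := vs[src]; ok {
			return s, src
		}
	}
	return "UNKNOWN", ""
}

// buggySeverity: the reported behaviour, package-specific severity applied after selection.
func buggySeverity(vs VendorSeverity, pkgSev Severity, distro string, pref []string) (Severity, string) {
	sev, src := selectSeverity(vs, pref)
	if pkgSev != "" {
		return pkgSev, distro // overrides whatever the user selected
	}
	return sev, src
}

// fixedSeverity: the proposed fix, merge the package-specific severity into the
// vendor map (replacing the distro's CVE-level entry) and only then select.
func fixedSeverity(vs VendorSeverity, pkgSev Severity, distro string, pref []string) (Severity, string) {
	merged := make(VendorSeverity, len(vs)+1)
	for k, v := range vs {
		merged[k] = v
	}
	if pkgSev != "" {
		merged[distro] = pkgSev
	}
	return selectSeverity(merged, pref)
}

func main() {
	// Constructed input for CVE-2015-2328 in mongodb: Debian's package-specific
	// rating "unimportant" is from the issue; "HIGH" and "low" are placeholders.
	vs := VendorSeverity{"nvd": "HIGH", "debian": "low"}
	pref := []string{"nvd", "debian"} // --vuln-severity-source nvd,debian
	s, src := buggySeverity(vs, "unimportant", "debian", pref)
	fmt.Printf("buggy: %s from %s\n", s, src) // unimportant from debian
	s, src = fixedSeverity(vs, "unimportant", "debian", pref)
	fmt.Printf("fixed: %s from %s\n", s, src) // HIGH from nvd
}
```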

+1

Noticed in the PR this was "not urgent", so wanted to add my vote. My use case is that I want a report of severities from nvd only, which I can't get without this fix.

If I can assist at all (testing or whatnot), let me know.

wlfgang, Nov 19 '25 11:11