
fix(vuln): save package-specific severity before severity selection

Open DmitriyLewen opened this issue 5 months ago • 3 comments

Description

Refactored vulnerability severity processing logic to fix package-specific severity handling. The changes move the package-specific severity processing earlier in the flow and ensure vendor severities are properly stored before the main severity selection logic runs.

Found mistakes

RedHat vulnerabilities don't have a DataSource and use an incorrect SeveritySource (redhat instead of redhat-oval). This PR fixes these mistakes, updates tests and improves severity selection logic for redhat.

Reason

The original code had a logical issue where package-specific severity handling was interfering with the main severity selection process. When a vulnerability had a SeveritySource set (indicating package-specific severity), the code was overriding the selected severity and source, but this happened after the main severity selection logic had already run.

Benefits

  • Correct vendor severity storage: Package-specific severities are now properly stored in VendorSeverity map before main processing
  • Improved severity selection: Main severity selection logic (getSeverity) now runs with complete vendor severity data available
  • Better separation of concerns: Package-specific severity handling is now clearly separated from main severity selection
  • Preserved existing behavior: All existing functionality is maintained while fixing the logical flow issue

Examples:

Before:

➜  trivy -q image debian -f json --vuln-severity-source nvd | grep SeveritySource | sort -u
          "SeveritySource": "debian",
          "SeveritySource": "nvd",

After:

➜  ./trivy -q image debian -f json --vuln-severity-source nvd | grep SeveritySource | sort -u
          "SeveritySource": "nvd",

Related issues

  • Close #9191

Related PRs

  • [x] #8269

Checklist

  • [x] I've read the guidelines for contributing to this repository.
  • [x] I've followed the conventions in the PR title.
  • [x] I've added tests that prove my fix is effective or that my feature works.
  • [ ] I've updated the documentation with the relevant information (if needed).
  • [ ] I've added usage information (if the PR introduces new options)
  • [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).

DmitriyLewen avatar Jul 14 '25 10:07 DmitriyLewen
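The ordering problem described in the Reason section, as an added example that is not Trivy's code: a toy Go model of the two flows, one where the package-specific severity overrides the result after the main selection has run, and one where it is stored in the vendor map first so the caller's source preference (the equivalent of `--vuln-severity-source nvd`) decides. The types, the severity ordering, the helpers `selectBefore`, `selectAfter` and `sample`, and the fallback to NVD are assumptions made for this illustration; only the names `getSeverity`, `VendorSeverity` and `SeveritySource` echo the PR description, and the sample vulnerability is constructed.

```go
package main

import "fmt"

// Severity is an ordered level. Illustrative type, not Trivy's.
type Severity int

const (
	SeverityUnknown Severity = iota
	SeverityLow
	SeverityMedium
	SeverityHigh
	SeverityCritical
)

func (s Severity) String() string {
	return [...]string{"UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"}[s]
}

// Vulnerability carries the subset of fields the PR talks about: a
// package-specific severity tagged with SeveritySource, plus the per-vendor
// map the selection logic reads. Field layout is assumed for this example.
type Vulnerability struct {
	Severity       Severity            // package-specific severity, if any
	SeveritySource string              // e.g. "debian"; empty when none
	VendorSeverity map[string]Severity // advisory severities keyed by vendor
}

// Result is the selected severity and the source it was taken from.
type Result struct {
	Severity Severity
	Source   string
}

// getSeverity walks the caller's preference list and returns the first vendor
// that has a rating; it falls back to NVD, then to UNKNOWN (assumed policy).
func getSeverity(vs map[string]Severity, sources []string) Result {
	for _, src := range sources {
		if sev, ok := vs[src]; ok {
			return Result{sev, src}
		}
	}
	if sev, ok := vs["nvd"]; ok {
		return Result{sev, "nvd"}
	}
	return Result{SeverityUnknown, ""}
}

// selectBefore models the flow the PR calls buggy: main selection runs first,
// then a package-specific severity unconditionally replaces the result, so the
// user's preferred source is silently discarded.
func selectBefore(v Vulnerability, sources []string) Result {
	r := getSeverity(v.VendorSeverity, sources)
	if v.SeveritySource != "" {
		r = Result{v.Severity, v.SeveritySource}
	}
	return r
}

// selectAfter models the fixed flow: the package-specific severity is stored
// in the vendor map under its own source first, so getSeverity sees complete
// data and the preference list is honoured.
func selectAfter(v Vulnerability, sources []string) Result {
	vs := make(map[string]Severity, len(v.VendorSeverity)+1)
	for k, s := range v.VendorSeverity {
		vs[k] = s
	}
	if v.SeveritySource != "" {
		vs[v.SeveritySource] = v.Severity
	}
	return getSeverity(vs, sources)
}

// sample is a constructed vulnerability: NVD rates it HIGH while Debian's
// package-specific rating is LOW.
func sample() Vulnerability {
	return Vulnerability{
		Severity:       SeverityLow,
		SeveritySource: "debian",
		VendorSeverity: map[string]Severity{"nvd": SeverityHigh},
	}
}

func main() {
	v := sample()
	prefs := []string{"nvd"} // stands in for --vuln-severity-source nvd
	b := selectBefore(v, prefs)
	a := selectAfter(v, prefs)
	fmt.Printf("before: %s from %q\n", b.Severity, b.Source)
	fmt.Printf("after:  %s from %q\n", a.Severity, a.Source)
}
```

With `prefs` set to `nvd`, the "before" flow reports LOW from `debian` even though the user asked for NVD, which is the mixed `debian`/`nvd` output in the PR's Before listing; the "after" flow reports HIGH from `nvd`. Asking for `debian` instead returns the package-specific LOW in both flows, which is why the bug only shows up when a non-distro source is preferred.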

This task is not urgent. I moved it to v0.66.0 so we will not make a mistake.

knqyf263 avatar Jul 30 '25 08:07 knqyf263

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Sep 30 '25 00:09 github-actions[bot]

This PR is stale because it has been labeled with inactivity.

github-actions[bot] avatar Nov 30 '25 00:11 github-actions[bot]