[Image Scanning] Improve CVE scoring and severity based on vendor's inputs #368
davideiori1 started this conversation in General
Problem
Currently, when showing the CVEs for a particular image, the CVSS score and Severity are not aligned. That's because the severity shown is the one assigned by the vendor (RedHat in the example) which issued a security advisory and assigned another score to the CVE.
This is confusing and undermines the trust a user has in the Product.
The north star of a vulnerability scanner is to reduce the noise so that users can easily and quickly pinpoint what vulnerabilities represent a concrete threat.
The Ask
For CVEs in OS level packages, we must use the CVSS score provided by the OS vendor, because there is a high level probability that the vendor adjusted the severity when compared to the default source of the CVE, that might be NVD, MITRE, GH and others. For non-OS CVEs, then we must use the default CVSS that is provided by Trivy.
What other tools do
Harbor

The scanner shows the severity that comes from the vendor (it uses Trivy under the hood), and shows both the scores coming from NVD and the vendor.
ARMO (Kubescape)
The registry scanning functionality (it uses Grype under the hood) does not show the CVSS score but only the severity.
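One way to implement the selection rule from "The Ask" over a Trivy JSON report, as an added example that is not code from this discussion or from the scanner it describes. It assumes Trivy's report layout as I understand it (Results[].Class of "os-pkgs" or "lang-pkgs", and per-vulnerability Severity, SeveritySource and a CVSS map keyed by source such as "nvd" or "redhat" with V3Score); the report embedded below is constructed, not real scan output. For OS packages it displays the vendor's score (the source the severity came from), for other packages the default source, falls back to the default when the vendor published a severity but no score, and keeps every source's score for a detail view, as the Harbor comparison above describes.

```python
"""Pick the CVSS score that matches the severity source for each Trivy finding.

Added example, not part of the original discussion. Assumes Trivy's JSON report
field names (Results[].Class, Vulnerabilities[].Severity, SeveritySource, CVSS).
"""
import json

# Constructed sample resembling a Trivy JSON report; CVE ids are placeholders.
SAMPLE_REPORT = json.loads("""
{
  "Results": [
    {
      "Target": "example-image (redhat 8.9)",
      "Class": "os-pkgs",
      "Type": "redhat",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-0000-0001",
          "PkgName": "examplepkg",
          "Severity": "LOW",
          "SeveritySource": "redhat",
          "CVSS": {
            "nvd":    {"V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "V3Score": 9.8},
            "redhat": {"V3Vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "V3Score": 3.2}
          }
        },
        {
          "VulnerabilityID": "CVE-0000-0002",
          "PkgName": "otherpkg",
          "Severity": "HIGH",
          "SeveritySource": "redhat",
          "CVSS": {"nvd": {"V3Score": 7.5}}
        }
      ]
    },
    {
      "Target": "app/requirements.txt",
      "Class": "lang-pkgs",
      "Type": "pip",
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-0000-0003",
          "PkgName": "somelib",
          "Severity": "CRITICAL",
          "SeveritySource": "nvd",
          "CVSS": {"nvd": {"V3Score": 9.1}, "ghsa": {"V3Score": 8.8}}
        }
      ]
    }
  ]
}
""")

DEFAULT_SOURCE = "nvd"  # the non-vendor score Trivy carries by default (assumption)


def pick_score(vuln: dict, result_class: str) -> dict:
    """Return the score to show beside the severity and where it came from.

    OS-level packages use the source that assigned the severity (the OS vendor);
    everything else uses the default source. If the preferred source has no
    score, fall back to the default and mark the row as not aligned so the UI
    can say the score and severity come from different sources.
    """
    cvss = vuln.get("CVSS", {})
    vendor = vuln.get("SeveritySource", DEFAULT_SOURCE)
    preferred = vendor if result_class == "os-pkgs" else DEFAULT_SOURCE
    for source in (preferred, DEFAULT_SOURCE):
        score = cvss.get(source, {}).get("V3Score")
        if score is not None:
            return {"score": score, "score_source": source, "aligned": source == preferred}
    return {"score": None, "score_source": None, "aligned": False}


def score_report(report: dict) -> list:
    """Flatten a report into display rows with an aligned score per CVE."""
    rows = []
    for result in report.get("Results", []):
        cls = result.get("Class", "")
        for vuln in result.get("Vulnerabilities", []):
            rows.append({
                "id": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity"),
                "severity_source": vuln.get("SeveritySource"),
                **pick_score(vuln, cls),
                # Keep every source's score for a detail view, as Harbor shows both.
                "all_scores": {s: d.get("V3Score") for s, d in vuln.get("CVSS", {}).items()},
            })
    return rows


if __name__ == "__main__":
    for row in score_report(SAMPLE_REPORT):
        flag = "" if row["aligned"] else " (fallback: no score from severity source)"
        print(f'{row["id"]}: {row["severity"]} [{row["severity_source"]}] '
              f'score {row["score"]} [{row["score_source"]}]{flag} all={row["all_scores"]}')
```

The `aligned` flag is the part worth surfacing: a row whose severity came from the vendor but whose score had to be taken from NVD is exactly the mismatch the post complains about, and labelling it is better than silently showing a 7.5 next to a vendor "HIGH" that may have been set for different reasons.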