Comments (5)
It's intended now. NVD (and other vendors) frequently delays its analysis, while Red Hat usually assesses vulnerabilities quickly. Then, we used to have many vulnerabilities with the "unknown" severity. That's why we use the severity from Red Hat in the worst case, even if the scanned image is not based on Red Hat.
Got it! Thanks.
We may want to show warnings if we take severity from different vendors. In addition, adding --severity-src or something like that might help users who don't want to use severity from other vendors.
Let's start with log.
@knqyf263 wdyt?
The key issue I see here is that the link to Aqua's vulnerability database does not match the severity. The database link must point to something that uses the same score source as the reported score/severity.
We try to collect all common information in https://avd.aquasec.com (I will check why the site doesn't contain the RedHat severity).
If you need more information about a vulnerability, you can use the json format. It contains info about DataSource (advisory database), VendorSeverity, CVSS (for all vendors), References, etc.
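One way to spot the cross-vendor severity fallback discussed in this thread from Trivy's JSON output, as an added example that is not code from the Trivy project: it reads the DataSource and VendorSeverity fields the comment above mentions, plus the SeveritySource field (assumed to be present in the JSON report), and flags findings whose displayed severity was taken from a vendor other than the image's own advisory source. The report it parses is constructed, not a real scan.

```python
import json

# trivy-db encodes VendorSeverity as integers: 0 unknown .. 4 critical.
SEVERITY_NAMES = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

# Constructed sample in the shape of `trivy image -f json` output (not a real
# scan; the CVE ids are placeholders). Only the fields this check reads appear.
SAMPLE_REPORT = json.dumps({"Results": [{
    "Target": "example:latest (debian 12)",
    "Vulnerabilities": [
        {   # Debian rates it MEDIUM and NVD has no analysis yet, so Trivy fell
            # back to Red Hat's HIGH rating even though the image is Debian-based.
            "VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
            "Severity": "HIGH", "SeveritySource": "redhat",
            "DataSource": {"ID": "debian", "Name": "Debian Security Tracker"},
            "VendorSeverity": {"debian": 2, "nvd": 0, "redhat": 3},
        },
        {   # Severity and advisory source agree: nothing to flag.
            "VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
            "Severity": "MEDIUM", "SeveritySource": "debian",
            "DataSource": {"ID": "debian", "Name": "Debian Security Tracker"},
            "VendorSeverity": {"debian": 2, "nvd": 2},
        },
    ],
}]})

def severity_provenance(report_json):
    """For each finding, report which vendor the displayed Severity came from,
    what the image's own advisory source (DataSource) rates it, and whether
    the severity was borrowed from a different vendor."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities", []):
            vendors = vuln.get("VendorSeverity", {})
            source = vuln.get("SeveritySource") or "unknown"
            datasource = vuln.get("DataSource", {}).get("ID")
            own = vendors.get(datasource)  # None when the distro has no rating
            findings.append({
                "id": vuln["VulnerabilityID"],
                "severity": vuln.get("Severity", "UNKNOWN"),
                "severity_source": source,
                "datasource": datasource,
                "datasource_severity": SEVERITY_NAMES.get(own) if own is not None else None,
                "borrowed": datasource is not None and source != datasource,
            })
    return findings

def borrowed_findings(report_json):
    """Findings whose severity came from a vendor other than the DataSource."""
    return [f for f in severity_provenance(report_json) if f["borrowed"]]
```

Running it against a real report (`trivy image -f json -o report.json ...`) and feeding the file contents to `borrowed_findings` lists exactly the findings where the printed severity and the linked advisory source disagree.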