
VulnerabilityReport Score field often doesn't match the Vulnerability Severity #1079

@dkulchinsky

Description

What steps did you take and what happened:

The Score field in the generated VulnerabilityReport resources sometimes doesn't match the Severity of the vulnerability.

An example:

    Class:             os-pkgs
    Cvss:
      Nvd:
        V3Score:   9.1
        V3Vector:  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
      Redhat:
        V3Score:        4.2
        V3Vector:       CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
    Fixed Version:      7.87.0-r2
    Installed Version:  7.87.0-r0
    Links:
    Package Type:      alpine
    Primary Link:      https://avd.aquasec.com/nvd/cve-2023-23914
    Resource:          libcurl
    Score:             4.2
    Severity:          CRITICAL
    Target:            <registry>/<image>:a12e0e085466-1119 (alpine 3.17.0)
    Title:             curl: HSTS ignored on multiple requests
    Vulnerability ID:  CVE-2023-23914

The above shows that the Score is 4.2, however the Severity is CRITICAL.

The Cvss field shows there are two sources:

Nvd    = 9.1
RedHat = 4.2

So it looks like the Score is always based on the vendor CVSS score (if it exists).

If I check the NVD (aquasec) report for the above CVE (https://avd.aquasec.com/nvd/2023/cve-2023-23914), it says the Score is 9.8 CRITICAL (which indeed matches the Severity field of the report).

What did you expect to happen:

The Score should reflect the Severity of the Vulnerability being reported.

Anything else you would like to add:

I believe the above behaviour is dictated here:

    if vendorScore != nil {
        return vendorScore
    }

Based on this code, if a vulnerability has a vendorScore, it would always be preferred.

This was also discussed at length with @chen-keinan over Slack (link to thread) and we came to the conclusion that it would be a safer choice to align with the NVD score if both NVD and vendor scores exist, and fall back to the vendor score only if the NVD score is unavailable.

Environment:

  • Trivy-Operator version (use trivy-operator version): 0.12.1
  • Kubernetes version (use kubectl version): 1.24.9
  • OS (macOS 10.15, Windows 10, Ubuntu 19.10 etc): N/A
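The two selection rules discussed in this issue, side by side, as an added Go example that is not trivy-operator's own code: the vendor-first rule quoted from the current source, the NVD-first rule agreed in the thread, and a consistency check that the chosen score falls in the CVSS v3 qualitative band named by the report's Severity. The struct and field names (CVSS, NvdV3Score, VendorV3Score) and the use of the standard CVSS v3 bands for Severity are assumptions, not the operator's types or logic.

```go
package main

import "fmt"

// CVSS holds the per-source scores seen in a VulnerabilityReport; nil means absent.
// (Assumed shape for this example, not trivy-operator's type.)
type CVSS struct {
	NvdV3Score    *float64
	VendorV3Score *float64
}

func f(v float64) *float64 { return &v }

// currentScore mirrors the vendor-first preference quoted in the issue.
func currentScore(c CVSS) *float64 {
	if c.VendorV3Score != nil {
		return c.VendorV3Score
	}
	return c.NvdV3Score
}

// proposedScore applies the rule agreed in the thread: NVD first, vendor as fallback.
func proposedScore(c CVSS) *float64 {
	if c.NvdV3Score != nil {
		return c.NvdV3Score
	}
	return c.VendorV3Score
}

// cvssBand maps a CVSS v3 base score to its qualitative rating (CVSS v3.x bands).
func cvssBand(score float64) string {
	switch {
	case score >= 9.0:
		return "CRITICAL"
	case score >= 7.0:
		return "HIGH"
	case score >= 4.0:
		return "MEDIUM"
	case score > 0:
		return "LOW"
	}
	return "NONE"
}

// consistent reports whether a chosen score lies in the band named by severity.
func consistent(score *float64, severity string) bool {
	return score != nil && cvssBand(*score) == severity
}

func main() {
	// Constructed from the CVE-2023-23914 entry shown above: NVD 9.1, Red Hat 4.2, Severity CRITICAL.
	libcurl := CVSS{NvdV3Score: f(9.1), VendorV3Score: f(4.2)}
	fmt.Println("vendor-first consistent:", consistent(currentScore(libcurl), "CRITICAL"))  // false
	fmt.Println("nvd-first consistent:   ", consistent(proposedScore(libcurl), "CRITICAL")) // true
}
```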

Labels: kind/bug