fix: prefer vendor score if both nvd and vendor cvss v3 scores exist #2774
simar7 merged 2 commits into aquasecurity:main from …er-vendor-severity
Conversation
@afdesk what do you mean it was written to handle a case where the scores differed significantly? Do you have an example of such a case? If so, after this PR won't the same happen again?
Yes, there is a sample from #1079: CVE-2023-23914. Based on Severity selection:
Hi there, I've been checking some pages on https://avd.aquasec.com/, for example https://avd.aquasec.com/nvd/2023/cve-2023-45853, trying to understand this. If I'm not wrong, if trivy-operator considers the redhat score in those cases, all the pages like that one must be changed, isn't it?
Hi @pacoguzman! Sorry for the misunderstanding, what do you mean here: "all the pages like that one must be changed"? As for me, it means NVD severity is CRITICAL (source: NVD), but RedHat thinks this CVE is MODERATE for its distros. Do I miss something? Thanks!
Thanks for answering, and it's totally true what you said: the web page is correct. But let me try to explain what I meant.

As we have set up trivy-operator, we built some dashboards on Grafana using scraped metrics. If I understood this correctly, the severity on the metric will indicate Moderate (as the operator prioritizes vendors), but if we create a link to the web page based on the vulnerability identifier, the same user will see Critical just after following the link, which can be confusing, as the web page is prioritizing the NVD value.

So yes, I think this is just a UX/UI problem that we need to solve internally with our users to avoid confusion. Sorry to add noise to the ticket, I had to think deeply about it. Thanks for your time and work on this.
On Thu, Oct 9, 2025, 07:37 afdesk ***@***.***> wrote:
afdesk left a comment (aquasecurity/trivy-operator#2774):
Hi @pacoguzman! Sorry for the misunderstanding, what do you mean here: "all the pages like that one must be changed"? As for me, it means NVD severity is CRITICAL (source: NVD), but RedHat thinks this CVE is MODERATE for its distros.
[default.png: https://github.com/user-attachments/assets/e97d03a3-29bc-41f8-b391-0daec80e8f71]
Do I miss something? Thanks!
@pacoguzman no problem! Glad to help :)
The change LGTM, I'm just surprised we missed it so far. I'm sure after we release this, people will see results differently and might have some questions related to it, as severities will change for cases where the vendor rates it differently.

Description
This PR updates the logic for determining the score of a vulnerability when both vendor and NVD CVSS v3 scores are available. From now on, Trivy-operator will prefer the vendor score if both scores are present.
Effectively, this change reverts the behavior introduced in PR #1080, but since PR #1639 introduced a significant refactor, it’s clearer and safer to implement this as a new PR rather than a direct revert.
PR #1080 was originally merged to handle a specific edge case where the vendor CVSS score differed significantly from the NVD score, and preference was given to NVD. However, this approach turned out to be suboptimal, as vendor-provided severities are generally more accurate and authoritative. Read more about Severity Selection here.
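The selection rule the description states, written out as an added Go example. This is not trivy-operator's own code: the `CVSS` and `ScoreSelection` types, the `SelectV3Score` and `SeverityFromScore` functions and the sample scores are constructed for this illustration. The `preferVendor` flag puts the pre-PR #1080 behaviour (NVD wins when both exist) beside the behaviour this PR introduces (vendor wins), and the severity mapping uses the standard CVSS v3 qualitative bands, which is how the "Moderate in the metric, Critical on the AVD page" difference discussed in the thread comes about.

```go
package main

import (
	"fmt"
	"sort"
)

// CVSS holds the v3 base score reported by one source (NVD or a vendor).
// Constructed for this example; it is not trivy-operator's own type.
type CVSS struct {
	V3Score float64
}

// ScoreSelection records which score was chosen and where it came from,
// so a report can show the provenance next to the number.
type ScoreSelection struct {
	Score  float64
	Source string // "nvd", the vendor id, another source, or "" when nothing usable exists
}

// SelectV3Score picks the CVSS v3 score for one vulnerability.
// vendor is the distribution that ships the affected package (e.g. "redhat").
// preferVendor=true is the rule this PR introduces: the vendor score wins
// whenever it is present. preferVendor=false reproduces the PR #1080 rule,
// where NVD wins when both are present. In both modes a missing score falls
// back to the other source, and finally to any remaining source in a
// deterministic order so the result does not depend on map iteration.
func SelectV3Score(scores map[string]CVSS, vendor string, preferVendor bool) ScoreSelection {
	vendorScore, hasVendor := scores[vendor]
	nvdScore, hasNVD := scores["nvd"]
	hasVendor = hasVendor && vendorScore.V3Score > 0
	hasNVD = hasNVD && nvdScore.V3Score > 0

	switch {
	case hasVendor && (preferVendor || !hasNVD):
		return ScoreSelection{Score: vendorScore.V3Score, Source: vendor}
	case hasNVD:
		return ScoreSelection{Score: nvdScore.V3Score, Source: "nvd"}
	}

	// Neither the vendor nor NVD has a usable v3 score: take the first other
	// source in sorted order rather than leaving the vulnerability unscored.
	keys := make([]string, 0, len(scores))
	for k := range scores {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		if scores[k].V3Score > 0 {
			return ScoreSelection{Score: scores[k].V3Score, Source: k}
		}
	}
	return ScoreSelection{}
}

// SeverityFromScore maps a CVSS v3 base score onto the CVSS v3 qualitative
// severity rating scale (None/Low/Medium/High/Critical).
func SeverityFromScore(score float64) string {
	switch {
	case score >= 9.0:
		return "CRITICAL"
	case score >= 7.0:
		return "HIGH"
	case score >= 4.0:
		return "MEDIUM"
	case score > 0:
		return "LOW"
	default:
		return "UNKNOWN"
	}
}

func main() {
	// Constructed sample: NVD rates the CVE critical, the vendor rates it lower.
	scores := map[string]CVSS{"nvd": {V3Score: 9.8}, "redhat": {V3Score: 5.5}}

	for _, preferVendor := range []bool{false, true} {
		sel := SelectV3Score(scores, "redhat", preferVendor)
		fmt.Printf("preferVendor=%-5v -> %.1f from %s (%s)\n",
			preferVendor, sel.Score, sel.Source, SeverityFromScore(sel.Score))
	}

	// Only NVD knows the CVE: the vendor-first rule still falls back to NVD.
	nvdOnly := SelectV3Score(map[string]CVSS{"nvd": {V3Score: 9.8}}, "redhat", true)
	fmt.Printf("nvd only           -> %.1f from %s (%s)\n",
		nvdOnly.Score, nvdOnly.Source, SeverityFromScore(nvdOnly.Score))
}
```

With the constructed scores, the same CVE is reported as MEDIUM from the vendor under the new rule and CRITICAL from NVD under the old one, which is exactly the kind of shift the thread expects users to notice after release.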
Checklist