Issues category count differs in the UI vs. SARIF output security-severity
#5246
Closed
Discussed in #5164
Originally posted by jeremy-soh-partior September 12, 2023
Description

Running trivy image against, for example, thesplunk/fluentd-hec:1.3.3 yields differing numbers of severity categories. For example, the UI displays the following:

[screenshot of the UI severity counts not preserved in this copy]

whereas in the SARIF output file, on the security-severity rating field, there are more than 15 (7.0) high and above findings:

[screenshot of the SARIF output not preserved in this copy]

In addition, the tags and the security-severity rating score don't match each other. In this case, CVE-2021-45078 gives a score of 7.8 but is tagged "MEDIUM". I am assuming security-severity means CVSS score (please correct me if I misunderstood).

Desired Behavior

Both the UI and the SARIF file should give the same number of findings in each severity category (Critical, High, Low, Med, etc.).

SARIF's security-severity score should match the tag. E.g. 5.3 gives MEDIUM, 7.0 gives HIGH, 9.1 gives CRITICAL.

Actual Behavior
- The UI display of severity category counts differs from the SARIF severity counts.
- The SARIF security-severity differs from the tag.

Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Output Format: SARIF
Mode: Standalone
Debug Output:
Operating System: Ubuntu 20.04.6 LTS
Version:
Checklist
- trivy image --reset
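The two discrepancies reported above (category counts that differ between the tag and the score, and a 7.8 score tagged MEDIUM) can be checked mechanically from the SARIF file itself. The script below is an added example, not code from the issue or from the Trivy project. It assumes the rule layout Trivy's SARIF writer is understood to use (one rule per finding under runs[].tool.driver.rules[], the severity label among properties.tags, the numeric score in properties["security-severity"]), and it maps scores to labels with the CVSS v3 qualitative ranges, which are also the ranges GitHub code scanning applies to security-severity. The sample document is constructed for the example: the CVE-2021-45078 entry reproduces the 7.8/MEDIUM pair from the issue, and the other ids are placeholders.

```python
"""Cross-check severity tags against the security-severity score in a SARIF file.

Added example, not part of the issue or of Trivy's own code. Assumes the rule
layout described in the lead-in; SAMPLE_SARIF is constructed, not real output.
"""
import json
from collections import Counter

SEVERITY_LABELS = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample SARIF document (not real scan output).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-0000-00001",  # placeholder id
             "properties": {"security-severity": "9.8",
                            "tags": ["vulnerability", "security", "CRITICAL"]}},
            {"id": "CVE-2021-45078",  # the score/tag pair quoted in the issue
             "properties": {"security-severity": "7.8",
                            "tags": ["vulnerability", "security", "MEDIUM"]}},
            {"id": "CVE-0000-00002",  # placeholder id
             "properties": {"security-severity": "5.3",
                            "tags": ["vulnerability", "security", "MEDIUM"]}},
            {"id": "CVE-0000-00003",  # placeholder id, no usable score
             "properties": {"security-severity": "0.0",
                            "tags": ["vulnerability", "security", "UNKNOWN"]}},
        ]}},
    }],
})


def band_for_score(score):
    """Map a security-severity score to a label using the CVSS v3 qualitative
    ranges: 9.0+ critical, 7.0-8.9 high, 4.0-6.9 medium, 0.1-3.9 low.
    Missing scores and 0.0 are treated as unknown."""
    if score is None:
        return "UNKNOWN"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score >= 0.1:
        return "LOW"
    return "UNKNOWN"


def iter_rules(sarif_text):
    """Yield every rule object from every run in the SARIF document."""
    doc = json.loads(sarif_text)
    for run in doc.get("runs", []):
        yield from run.get("tool", {}).get("driver", {}).get("rules", [])


def tag_label(rule):
    """Return the severity label carried in the rule's tags, or UNKNOWN."""
    for tag in rule.get("properties", {}).get("tags", []):
        if str(tag).upper() in SEVERITY_LABELS:
            return str(tag).upper()
    return "UNKNOWN"


def score_of(rule):
    """Return the numeric security-severity, or None when absent or malformed."""
    raw = rule.get("properties", {}).get("security-severity")
    try:
        return float(raw)
    except (TypeError, ValueError):
        return None


def counts_by_tag(sarif_text):
    """Per-label counts as the tags report them."""
    return dict(Counter(tag_label(r) for r in iter_rules(sarif_text)))


def counts_by_score(sarif_text):
    """Per-label counts as the security-severity scores imply."""
    return dict(Counter(band_for_score(score_of(r)) for r in iter_rules(sarif_text)))


def find_mismatches(sarif_text):
    """Rules whose tag disagrees with the band implied by their score,
    as (rule id, tag, score, band implied by score) tuples."""
    out = []
    for rule in iter_rules(sarif_text):
        score = score_of(rule)
        expected = band_for_score(score)
        actual = tag_label(rule)
        if actual != expected:
            out.append((rule.get("id"), actual, score, expected))
    return out


if __name__ == "__main__":
    print("by tag:  ", counts_by_tag(SAMPLE_SARIF))
    print("by score:", counts_by_score(SAMPLE_SARIF))
    for rule_id, tag, score, band in find_mismatches(SAMPLE_SARIF):
        print(f"{rule_id}: tagged {tag} but security-severity {score} maps to {band}")
```

On the constructed sample, counts_by_tag reports two MEDIUM findings while counts_by_score reports one HIGH and one MEDIUM, and find_mismatches flags the CVE-2021-45078 entry, which is the shape of the discrepancy the issue describes. To run it against a real scan, read the SARIF file's text and pass it in place of SAMPLE_SARIF; because the check works over rules rather than results, a file that lists several results per rule will show rule counts, not result counts.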