
Inconsistent Severity Levels Reported for Same CVE #5762

Closed
DmitriyLewen opened this issue Dec 8, 2023 Discussed in #5757 · 1 comment · Fixed by aquasecurity/trivy-db#376
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/vulnerability (Issues relating to vulnerability scanning)

Comments

@DmitriyLewen (Contributor)

Description

In some cases, the database doesn't contain Amazon severity.
e.g.:

```
➜ bbolt get trivy.db vulnerability CVE-2023-37920 | jq
{
  "Title": "python-certifi: Removal of e-Tugra root certificate",
  "Description": "Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes \"e-Tugra\" root certificates. e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from \"e-Tugra\" from the root store.",
  "Severity": "CRITICAL",
  "CweIDs": [
    "CWE-345"
  ],
  "VendorSeverity": {
    "ghsa": 3,
    "nvd": 4,
    "redhat": 1
  },
 ...
}
```

This can happen because Amazon uses the severity name with the first character either uppercase or lowercase.
e.g.:
Important
important
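The failure mode described above, as an added Go example that is not Trivy's or trivy-db's own code: a case-sensitive lookup of the Amazon severity word silently drops the `amazon` entry from `VendorSeverity`, while a case-insensitive lookup keeps it. The word-to-level mapping and the `lookup*`/`buildVendorSeverity` helpers are assumptions for illustration; the `ghsa`/`nvd`/`redhat` values come from the dump above.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed Amazon advisory severity words -> Trivy numeric levels (dump's scale:
// 4 = CRITICAL, 3 = HIGH, 2 = MEDIUM, 1 = LOW), keyed by capitalised spelling only.
var amazonSeverity = map[string]int{
	"Critical": 4, "Important": 3, "Medium": 2, "Low": 1,
}

// lookupCaseSensitive reproduces the failure mode from the issue: an
// advisory that spells the severity "important" matches no key.
func lookupCaseSensitive(s string) (int, bool) {
	sev, ok := amazonSeverity[s]
	return sev, ok
}

// lookupNormalized is the corrected behaviour: compare ignoring case, so
// "Important" and "important" resolve to the same level.
func lookupNormalized(s string) (int, bool) {
	for name, sev := range amazonSeverity {
		if strings.EqualFold(name, s) {
			return sev, true
		}
	}
	return 0, false // 0 = UNKNOWN on Trivy's scale
}

// buildVendorSeverity assembles a VendorSeverity map like the dump's,
// adding an "amazon" key only when the lookup succeeds.
func buildVendorSeverity(base map[string]int, word string, lookup func(string) (int, bool)) map[string]int {
	out := make(map[string]int, len(base)+1)
	for k, v := range base {
		out[k] = v
	}
	if sev, ok := lookup(word); ok {
		out["amazon"] = sev
	}
	return out
}

func main() {
	base := map[string]int{"ghsa": 3, "nvd": 4, "redhat": 1} // values from the page's dump
	fmt.Println(buildVendorSeverity(base, "important", lookupCaseSensitive)) // amazon key missing
	fmt.Println(buildVendorSeverity(base, "important", lookupNormalized))    // amazon:3
}
```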

Discussed in #5757

@DmitriyLewen DmitriyLewen added the kind/bug Categorizes issue or PR as related to a bug. label Dec 8, 2023
@DmitriyLewen (Contributor, Author)

Fix for this - aquasecurity/trivy-db#376
