Hello @SanjayVas
I wrote about this problem in #6714. Regards, Dmitriy
Description
Trivy reports the severity level as HIGH for CVEs that do not yet have a score. For example, CVE-2024-28085 is listed as N/A in Aqua's vulnerability database, and NVD indicates that it is awaiting analysis. Despite this, Trivy reports HIGH as the severity level.
Desired Behavior
Trivy is consistent with Aqua's vulnerability database with respect to scoring, e.g. reporting N/A.
Actual Behavior
Trivy reports HIGH even though the CVSS v3 score is not in the 7.0-8.9 range.
Reproduction Steps
1. Run Trivy v0.50.1 on a container image based on Distroless Java:
trivy image ghcr.io/world-federation-of-advertisers/kingdom/data-server:20240512.3 --platform linux/amd64
2. Observe that CVE-2024-28085 is listed with severity HIGH
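A way to spot this class of discrepancy in a scan result, as an added example that is not part of the original report or of Trivy itself: it walks a JSON report in the assumed shape of `trivy image --format json` output (Results[].Vulnerabilities[] with Severity and a CVSS map carrying V3Score), derives the severity the attached CVSS v3 score implies (N/A when no score is present) and lists findings whose reported Severity disagrees. The sample report and the CVE-0000-000x identifiers are constructed; only CVE-2024-28085 comes from the report above.

```python
import json

# CVSS v3.x qualitative bands; HIGH is 7.0-8.9, the range the report
# says CVE-2024-28085 does not fall in. No score at all maps to N/A.
def cvss3_to_severity(score):
    if score is None:
        return "N/A"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"

def best_v3_score(vuln):
    """First V3Score found in a finding's CVSS map, whatever the source."""
    for source in vuln.get("CVSS", {}).values():
        if source.get("V3Score") is not None:
            return float(source["V3Score"])
    return None

def severity_mismatches(report):
    """(id, reported, expected) for findings whose Severity disagrees with
    what the attached CVSS v3 score, or the absence of one, implies."""
    out = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities", []):
            expected = cvss3_to_severity(best_v3_score(v))
            if v.get("Severity") != expected:
                out.append((v["VulnerabilityID"], v.get("Severity"), expected))
    return out

# Constructed sample in the assumed shape of `trivy image --format json`
# output; only CVE-2024-28085 is taken from the report above.
SAMPLE_REPORT = json.loads("""{"Results": [{"Target": "example-image",
  "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2024-28085", "Severity": "HIGH", "CVSS": {}},
    {"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH",
     "CVSS": {"nvd": {"V3Score": 7.5}}},
    {"VulnerabilityID": "CVE-0000-0002", "Severity": "HIGH",
     "CVSS": {"nvd": {"V3Score": 5.3}}}]}]}""")

if __name__ == "__main__":
    for cve, reported, expected in severity_mismatches(SAMPLE_REPORT):
        print(f"{cve}: reported {reported}, CVSS v3 implies {expected}")
```

Findings whose expected value is N/A are the unscored ones the report describes; a MEDIUM or LOW expected value points at a reported severity that does not match the score Trivy itself attached.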
Target
Container Image
Scanner
Vulnerability
Output Format
Table
Mode
Standalone
Debug Output
Operating System
Linux (Debian Trixie)
Version
Checklist
trivy image --reset