Recalculating a vulnerability's Severity and CVSS score based on injected temporal/environmental metrics

[quentinkhoo]

Question

Hi all! Apologise if I'm starting this discussion wrongly.

Anyway I was wondering, like passing in a rego policy to the --ignore-policy argument as described here, is there a way in Trivy to perhaps on a trivy image --scanners vuln at runtime to pass in a configuration file of some sort to achieve an idea like:

1. recalculate a CVSS of a vulnerability based on additional environmental/temporal metrics? (for example I want to simply include an environmental metrics to say that the Modified Availability (MA) is none.
2. if the image name contains a certain string, change the Modified Attack Vector to Adjacent if the original Attack Vector was Network.

TLDR --> can i pass in to trivy some sort of file to get trivy to recalculate CVSS results based on certain metrics?

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

MacOS Tahoe

Version

trivy --version
Version: 0.65.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-12-05 00:36:33.627076922 +0000 UTC
  NextUpdate: 2025-12-06 00:36:33.627076682 +0000 UTC
  DownloadedAt: 2025-12-05 06:43:07.734014 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-30 00:59:57.65346071 +0000 UTC
  NextUpdate: 2025-12-03 00:59:57.653460519 +0000 UTC
  DownloadedAt: 2025-12-05 06:43:30.078754 +0000 UTC

[nikpivkin]

Hi @quentinkhoo !

You can write a module that patches the results https://trivy.dev/docs/latest/guide/advanced/modules/