Question
As per NVD, the CVSS 3.x severity for CVE-2025-9230 is HIGH (reference link: NVD CVE-2025-9230). However, Trivy reports the severity as MEDIUM based on different vendor sources.
I tried prioritizing this by using these approaches:
1. By configuring Trivy to download the database from an alternative location:

   trivy clean --vuln-db --java-db; trivy image --download-db-only; trivy image --debug <ImageName> --db-repository https://github.com/aquasecurity/vuln-list-nvd.git --skip-db-update --scanners vuln --no-progress --format json

   However, these configurations did not yield the expected severity; the severity remains MEDIUM in the scan results, with the output:

   WARN Using severities from other vendors for some vulnerabilities.

2. By specifying the severity source priority:

   trivy clean --vuln-db --java-db; trivy image --download-db-only; trivy image --debug <ImageName> --vuln-severity-source nvd --scanners vuln --no-progress --format json

   But with this configuration the severity is coming as UNKNOWN, which should not be the case.
Could anyone please clarify why Trivy is not aligning the severity with NVD's CVSS 3.x rating of HIGH for this CVE? Is there an additional configuration or workaround I should follow to prioritize NVD as the severity source?
Target
Container Image
Scanner
Vulnerability
Output Format
JSON
Mode
None
Operating System
No response
Version
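Added example (not part of the original post and not Trivy's own code): a Python script that reads Trivy's JSON report and recomputes each finding's severity from the NVD CVSS v3 base score carried in the entry's CVSS map, keeping Trivy's own severity where NVD has not scored the CVE rather than degrading to UNKNOWN, and listing the findings whose rating changed. The embedded report is constructed; the 7.5 score for CVE-2025-9230 and the vendor names are placeholders, not values taken from NVD or Trivy.

```python
import json

# CVSS v3.x qualitative severity bands as defined by FIRST.
def cvss3_rating(score):
    if score is None:
        return "UNKNOWN"
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"

def nvd_v3_score(vuln):
    """NVD CVSS v3 base score from a Trivy vulnerability entry's CVSS map, or None."""
    return vuln.get("CVSS", {}).get("nvd", {}).get("V3Score")

def effective_severity(vuln):
    """Prefer NVD's v3 rating when NVD scored the CVE; otherwise keep the severity
    Trivy took from another vendor instead of collapsing it to UNKNOWN."""
    score = nvd_v3_score(vuln)
    return cvss3_rating(score) if score is not None else vuln.get("Severity", "UNKNOWN")

def reconcile(report):
    """Rows (id, pkg, trivy_severity, trivy_source, effective) where the
    effective severity differs from the one Trivy reported."""
    rows = []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            eff = effective_severity(v)
            if eff != v.get("Severity"):
                rows.append((v["VulnerabilityID"], v.get("PkgName"), v.get("Severity"),
                             v.get("SeveritySource"), eff))
    return rows

def load_report(path):
    """Load a report produced by `trivy image --format json -o <path>`."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

# Constructed sample in the shape of a Trivy JSON report; scores and sources are placeholders.
SAMPLE_REPORT = {"Results": [{"Target": "example-image", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-2025-9230", "PkgName": "libexample", "Severity": "MEDIUM",
     "SeveritySource": "redhat", "CVSS": {"nvd": {"V3Score": 7.5}, "redhat": {"V3Score": 5.9}}},
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "otherpkg", "Severity": "LOW",
     "SeveritySource": "ubuntu", "CVSS": {"ubuntu": {"V3Score": 3.1}}}]}]}

if __name__ == "__main__":
    for row in reconcile(SAMPLE_REPORT):
        print("%s %s: trivy=%s (%s) -> effective=%s" % row)
```

Run it against a real report with `reconcile(load_report("trivy.json"))`; findings that NVD has not scored keep Trivy's vendor severity, which is the gap the `--vuln-severity-source nvd` run above exposes as UNKNOWN.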