Can we take severity from the Debian or Ubuntu issue trackers?

[kyrofa]

CVEs coming from mitre or NVD have a particular severity rating, but when it hits particular Linux distributions (the ones I care about are Debian and Ubuntu), their security teams may triage it differently. For example, take CVE-2019-8457. On NVD, that's critical. On Debian, though, they triaged it as minor and it's essentially ignored. This of course is not unusual-- it happens regularly in Ubuntu as well, where the distribution authors can evaluate the vuln in relation to how the software is used and how it's configured, and so on. I realize Trivy supports ignoring vulns, but if I could simply tell it to take severities from Debian or Ubuntu, my severity filter would take care of such things (I'm limiting to HIGH and CRITICAL).

[knqyf263]

Trivy takes severities according to the image OS. It takes severity from Red Hat when scanning RHEL, and from Debian when scanning Debian.

[kyrofa]

@knqyf263 interesting, I'm missing something then:

$ trivy image --severity CRITICAL debian:bullseye-slim
<snip>

debian:bullseye-slim (debian 11.6)

Total: 1 (CRITICAL: 1)

┌──────────┬───────────────┬──────────┬───────────────────┬───────────────┬────────────────────────────────────────────────────────┐
│ Library  │ Vulnerability │ Severity │ Installed Version │ Fixed Version │                         Title                          │
├──────────┼───────────────┼──────────┼───────────────────┼───────────────┼────────────────────────────────────────────────────────┤
│ libdb5.3 │ CVE-2019-8457 │ CRITICAL │ 5.3.28+dfsg1-0.8  │               │ sqlite: heap out-of-bound read in function rtreenode() │
│          │               │          │                   │               │ https://avd.aquasec.com/nvd/cve-2019-8457              │
└──────────┴───────────────┴──────────┴───────────────────┴───────────────┴────────────────────────────────────────────────────────┘

Can you explain the rationale behind calling that CRITICAL, when Debian has triaged it as minor?

[afdesk]

sorry, that i chime in.

@kyrofa
it looks that minor isn't a security level.

Debian Security Tracker defines 4 security levels: unimportant, low, medium or high.
Minor means an issue not warranting a security advisory.

Debian Security Tracker

Sometimes an issue might not warrant an (immediate) security advisory, for example if its severity is minor.

[kyrofa]

Ah okay-- so if something doesn't warrant a DSA, Trivy takes the NVD severity? Is that something Trivy can take into account? Ideally we wouldn't need to manually ignore vulns that Debian themselves said don't warrant a fix.

[afdesk]

my first thought: a vulnerable package (SQLite3) isn't critical for Debian, but it'll be critical for using from another applications.

maybe i missed something.

[kyrofa]

It's not actually a vuln in the sqlite that people use, it's a vuln in the sqlite embedded within libdb. If they know that they don't use the vulnerable aspects, I could see them not worrying about this one.

[afdesk]

oh, sure, you're right. it's about libdb5.3.
but i need to think over your point

[kyrofa]

Continuing my investigation in this area, it turns out that this point has been raised before, in #1733. I found this out after testing Snyk and realizing that it did the right thing with this image. In fact, all the high/crit vulns in my docker image were filtered out by Snyk because they took Debian's severity. That includes the libdb issue that prompted my opening this in the first place.

[falcantaralinode]

Cross posting here for visibility: #1733 (comment).

[kyrofa]

Thanks @falcantaralinode. Definitely too many false positives.

[kyrofa]

I really believe if Trivy knows this about a vuln:

"Kind": "no-dsa",
"Description": "Minor issue",

It should trust Debian. No reason to call this critical.