Inconsistent Severity Levels Reported for Same CVE

[sanjayengi]

Description

When scanning an image, Trivy shows different severity levels ("High" or "Critical") for the same CVE, even though the CVSS3 scores from NVD and vendors are consistent across scans. We have tried with multiple scans for more than a week with different trivy versions.

Here are the CVSS3 scores for one such CVE (https://avd.aquasec.com/nvd/2023/cve-2023-37920/)

• GHSA: 7.5
• NVD: 9.8
• Red Hat: 7.5

According to these scores and the CVSS v3.0 rating scale, Trivy should classify this CVE as "Critical". However, in some scans, Trivy classifies it as "High".

I've tested this with three different versions of Trivy and observed the same behavior.
Trivy versions used for the scans:
0.44.0,
0.46.1,
0.47.0

Image: opensearchproject/opensearch:2.6.0

Remark: Looks like this is caused by some database updates in the backend. In our last test, the original severity "Critical" got changed to "High" again after the Trivy database got updated update on 12/7/23, 1:13 PM. This database update information, I have taken from Harbor UI.

Database updated on: 12/7/23, 1:13 PM

Desired Behavior

Trivy should consistently classify the severity level of a CVE based on the CVSS scores.

Actual Behavior

Trivy sometimes shows the severity as "High" and sometimes "Critical" for the same CVE.

Reproduction Steps

1. Scan the image multiple times over a period of few hours (6-8 hours, after the Trivy database is updated) or sometimes it take few days.

$ trivy image --severity CRITICAL,HIGH opensearchproject/opensearch:2.6.0
...

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

1st run 1 on 05.12,2023: No "Critical" CVEs found. 
===================================================
Sanjays-MBP:.ssh sanjaykumar$ trivy image --severity CRITICAL opensearchproject/opensearch:2.6.0
2023-12-05T09:57:44.968+0100	INFO	Need to update DB
2023-12-05T09:57:44.968+0100	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-05T09:57:44.968+0100	INFO	Downloading DB...
41.10 MiB / 41.10 MiB [----------------------------------------------------------------------------------------------------] 100.00% 6.70 MiB p/s 6.3s
2023-12-05T09:57:52.575+0100	INFO	Vulnerability scanning is enabled
2023-12-05T09:57:52.575+0100	INFO	Secret scanning is enabled
2023-12-05T09:57:52.575+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-05T09:57:52.575+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-12-05T09:57:52.619+0100	INFO	Detected OS: amazon
2023-12-05T09:57:52.619+0100	INFO	Detecting Amazon Linux vulnerabilities...
2023-12-05T09:57:52.623+0100	INFO	Number of language-specific files: 1
2023-12-05T09:57:52.623+0100	INFO	Detecting jar vulnerabilities...

opensearchproject/opensearch:2.6.0 (amazon 2 (Karoo))

Total: 0 (CRITICAL: 0)




2nd run : on 05.12,2023: (After the update of Trivy Database ): 4 "Critcal" CVEs found.
===================================================
Sanjays-MBP:.ssh sanjaykumar$ trivy image --severity CRITICAL opensearchproject/opensearch:2.6.0
2023-12-05T13:56:13.350+0100	INFO	Need to update DB
2023-12-05T13:56:13.350+0100	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-05T13:56:13.350+0100	INFO	Downloading DB...
41.16 MiB / 41.16 MiB [----------------------------------------------------------------------------------------------------] 100.00% 8.11 MiB p/s 5.3s
2023-12-05T13:56:23.253+0100	INFO	Vulnerability scanning is enabled
2023-12-05T13:56:23.253+0100	INFO	Secret scanning is enabled
2023-12-05T13:56:23.253+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-05T13:56:23.253+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-12-05T13:56:23.300+0100	INFO	Detected OS: amazon
2023-12-05T13:56:23.300+0100	INFO	Detecting Amazon Linux vulnerabilities...
2023-12-05T13:56:23.304+0100	INFO	Number of language-specific files: 1
2023-12-05T13:56:23.304+0100	INFO	Detecting jar vulnerabilities...

opensearchproject/opensearch:2.6.0 (amazon 2 (Karoo))

Total: 4 (CRITICAL: 4)

┌─────────────────┬────────────────┬──────────┬────────┬────────────────────────┬────────────────────────┬────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │   Installed Version    │     Fixed Version      │                         Title                          │
├─────────────────┼────────────────┼──────────┼────────┼────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ ca-certificates │ CVE-2023-37920 │ CRITICAL │ fixed  │ 2021.2.50-72.amzn2.0.5 │ 2021.2.50-72.amzn2.0.8 │ python-certifi: Removal of e-Tugra root certificate    │
│                 │                │          │        │                        │                        │ https://avd.aquasec.com/nvd/cve-2023-37920             │
├─────────────────┼────────────────┤          │        ├────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ curl            │ CVE-2023-38545 │          │        │ 7.88.1-1.amzn2.0.1     │ 8.3.0-1.amzn2.0.4      │ curl: heap based buffer overflow in the SOCKS5 proxy   │
│                 │                │          │        │                        │                        │ handshake                                              │
│                 │                │          │        │                        │                        │ https://avd.aquasec.com/nvd/cve-2023-38545             │
├─────────────────┤                │          │        │                        │                        │                                                        │
│ libcurl         │                │          │        │                        │                        │                                                        │
│                 │                │          │        │                        │                        │                                                        │
│                 │                │          │        │                        │                        │                                                        │
├─────────────────┼────────────────┤          │        ├────────────────────────┼────────────────────────┼────────────────────────────────────────────────────────┤
│ zlib            │ CVE-2023-45853 │          │        │ 1.2.7-19.amzn2.0.2     │ 1.2.7-19.amzn2.0.3     │ zlib: integer overflow and resultant heap-based buffer │
│                 │                │          │        │                        │                        │ overflow in zipOpenNewFileInZip4_6                     │
│                 │                │          │        │                        │                        │ https://avd.aquasec.com/nvd/cve-2023-45853             │
└─────────────────┴────────────────┴──────────┴────────┴────────────────────────┴────────────────────────┴────────────────────────────────────────────────────────┘
Sanjays-MBP:.ssh sanjaykumar$ 



Another run: On 07.12.2023: No "Critical" CVEs found.

Sanjays-MBP:.ssh sanjaykumar$ trivy image --severity CRITICAL opensearchproject/opensearch:2.6.0 --debug
2023-12-07T16:04:06.997+0100	DEBUG	Severities: ["CRITICAL"]
2023-12-07T16:04:06.997+0100	DEBUG	Ignore statuses	{"statuses": null}
2023-12-07T16:04:07.016+0100	DEBUG	cache dir:  /Users/sanjaykumar/Library/Caches/trivy
2023-12-07T16:04:07.016+0100	DEBUG	DB update was skipped because the local DB is the latest
2023-12-07T16:04:07.016+0100	DEBUG	DB Schema: 2, UpdatedAt: 2023-12-07 12:13:46.374998358 +0000 UTC, NextUpdate: 2023-12-07 18:13:46.374998117 +0000 UTC, DownloadedAt: 2023-12-07 14:28:28.244167 +0000 UTC
2023-12-07T16:04:07.021+0100	INFO	Vulnerability scanning is enabled
2023-12-07T16:04:07.021+0100	DEBUG	Vulnerability type:  [os library]
2023-12-07T16:04:07.021+0100	INFO	Secret scanning is enabled
2023-12-07T16:04:07.021+0100	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-07T16:04:07.021+0100	INFO	Please see also https://aquasecurity.github.io/trivy/v0.47/docs/scanner/secret/#recommendation for faster secret detection
2023-12-07T16:04:07.050+0100	DEBUG	No secret config detected: trivy-secret.yaml
2023-12-07T16:04:07.050+0100	DEBUG	The nuget packages directory couldn't be found. License search disabled
2023-12-07T16:04:07.051+0100	DEBUG	No secret config detected: trivy-secret.yaml
2023-12-07T16:04:07.051+0100	DEBUG	Image ID: sha256:92fe7c48b27f48e4d73b1468a65b71deed2872969d8bfd5e3d9427ff73c855cd
2023-12-07T16:04:07.051+0100	DEBUG	Diff IDs: [sha256:6785317d722da7ab7a8939c6ca1a33938bec0e2415ece40d629237a684092807 sha256:aa2fa55eb2bc98a79db787e33137db666d5900b994effda02fe6c43ce4211cec sha256:dd54ca38d21f09b92d1275bdbc19147908a3a0a87f2d2c519cac4112a281279a sha256:cc42a1415900505597b7b6eb53a556acd59a21d8fafb558e419944cd7772cf1d sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef sha256:9b98887d8daabf29ebbbf02a2b0610f20ccac79b6556a8691375e55ec1aa0256 sha256:d6a7fd3305149dd0872566d754d5b0c8bfa58a6ed4d569ce55827234af5f561d]
2023-12-07T16:04:07.051+0100	DEBUG	Base Layers: [sha256:6785317d722da7ab7a8939c6ca1a33938bec0e2415ece40d629237a684092807]
2023-12-07T16:04:07.062+0100	INFO	Detected OS: amazon
2023-12-07T16:04:07.062+0100	INFO	Detecting Amazon Linux vulnerabilities...
2023-12-07T16:04:07.062+0100	DEBUG	amazon: os version: 2
2023-12-07T16:04:07.062+0100	DEBUG	amazon: the number of packages: 112
2023-12-07T16:04:07.071+0100	INFO	Number of language-specific files: 1
2023-12-07T16:04:07.071+0100	INFO	Detecting jar vulnerabilities...
2023-12-07T16:04:07.071+0100	DEBUG	Detecting library vulnerabilities, type: jar, path: 

opensearchproject/opensearch:2.6.0 (amazon 2 (Karoo))

Total: 0 (CRITICAL: 0)

Sanjays-MBP:.ssh sanjaykumar$

Operating System

macOS Sonoma (for local test), Harbor Version v2.8.4-ad3e767d (Trivy V0.44.0 & V0.46.1)

Version

Sanjays-MBP:.ssh sanjaykumar$ trivy --version
Version: 0.47.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-12-07 12:13:46.374998358 +0000 UTC
  NextUpdate: 2023-12-07 18:13:46.374998117 +0000 UTC
  DownloadedAt: 2023-12-07 15:11:00.540665 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2023-12-07 11:31:05.860129429 +0000 UTC
  NextUpdate: 2023-12-10 11:31:05.860129268 +0000 UTC
  DownloadedAt: 2023-12-07 15:12:13.006895 +0000 UTC
Sanjays-MBP:.ssh sanjaykumar$

Checklist

• Run trivy image --reset
• Read the troubleshooting

[DmitriyLewen]

Hello @sanjayengi
Thanks for your report!

Created #5762 for this task.

Regards, Dmitriy

[sanjayengi]

Thank you @DmitriyLewen.

[sanjayengi]

Hello @DmitriyLewen,
I now see the same behaviour for the CVE-2022-25313 and CVE-2022-23990.
Image: opensearchproject/opensearch:2.6.0

Could you please have a re-look?
Thanks in advance!

[DmitriyLewen]

Hello @sanjayengi
I checked CVE-2022-25313 for this image.
I have always had CRITICAL severity.
Did you update database?

Can you send your vulnerability reports with different severities in json format
(e.g. trivy -d image opensearchproject/opensearch:2.6.0 -f json | jq '.Results[].Vulnerabilities[] | select(.VulnerabilityID=="CVE-2022-25313")'

[sanjayengi]

Hello @DmitriyLewen,
I was running daily for the last 4 days, it's always "CRITICAL" but today it's again "MEDIUM" for the "CVE-2022-23990". Please refer the attached JSON files (CVE-2022-23990-CRITICAL.json and CVE-2022-23990-MEDIUM.json)
CVE-2022-23990-CRITICAL.json
CVE-2022-23990-MEDIUM.json.

[DmitriyLewen]

Hello @sanjayengi
Thanks for your help!

I may have found the cause of this problem.

Currently you see severity level as "CRITICAL", right?
Also, you were getting MEDIUM severity after updating trivy-db and before downloading the new version of trivy-db, correct?

[sanjayengi]

Hello @sanjayengi Thanks for your help!

I may have found the cause of this problem.

Currently you see severity level as "CRITICAL", right? Also, you were getting MEDIUM severity after updating trivy-db and before downloading the new version of trivy-db, correct?

Hello @DmitriyLewen,
Currently I see "CRITICAL" for CVE-2022-25313 and "MEDIUM" for CVE-2022-23990. Yes, it's after updating the trivy-db and before downloading the new version of trivy-db.

Regards,
Sanjay.

[DmitriyLewen]

Amazon database returns ALASs with CVE list. ALAS doesn't include severity for CVEs (only for ALAS).
Typically all ALASs with same CVE should have same severity.

But you found case when ALAS severity for AL2023 != ALAS severity for AL2:

We have not seen such cases and we don't have a strict order for parsing ALASs.
That is why trivy-db contains CRITICAL and MEDIUM severity (random sequence).

This case appears to be a bug in Amazon's database.
But perhaps Amazon team just can't choose correct severity for ALAS2023-2023-058 (this ALAS contains a lot of CVEs).

@knqyf263 wdyt? Perhaps we need to keep ALASs instead of CVEs for Amazon advisories or add parse order to remove instability.
Or is it an issue with the Amazon database?

---

@sanjayengi to solve this problem you can write small module to set correct severity for CVE-2022-25313 and CVE-2022-23990.