Open
Labels: enhancement (New feature or request), needs-investigation, needs-proposal (Should be done but needs proposal/design for further discussion)
Description
What happened: CVEs were reported from one database source as NEGLIGIBLE with no CVSS score or vector. However, it is identified in the "relatedVulnerabilities" key with the full NIST database CVSS information, metrics, and vector as HIGH.
What you expected to happen: I expected the CVE to be reported multiple times - one from each database source - OR report the highest severity/score and metrics.
How to reproduce it (as minimally and precisely as possible):
Grype is built into my runner image and repeat scans produce the same result.
Anything else we need to know?:
I have found this issue in multiple scan outputs. It is not isolated to a specific runner or project.
Environment:
- Grype version='0.63.1' os='linux' arch='amd64'
- Syft version='0.84.1'
- alpine 3
- ec2 - ephemeral instance
Output for one of the CVEs.
```json
[
  {
    "vulnerability": {
      "id": "CVE-2005-2541",
      "dataSource": "https://security-tracker.debian.org/tracker/CVE-2005-2541",
      "namespace": "debian:distro:debian:11",
      "severity": "Negligible",
      "urls": [
        "https://security-tracker.debian.org/tracker/CVE-2005-2541"
      ],
      "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
      "cvss": [],
      "fix": {
        "versions": [],
        "state": "not-fixed"
      },
      "advisories": []
    },
    "relatedVulnerabilities": [
      {
        "id": "CVE-2005-2541",
        "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2005-2541",
        "namespace": "nvd:cpe",
        "severity": "High",
        "urls": [
          "http://marc.info/?l=bugtraq&m=112327628230258&w=2",
          "https://lists.apache.org/thread.html/rc713534b10f9daeee2e0990239fa407e2118e4aa9e88a7041177497c@%3Cissues.guacamole.apache.org%3E"
        ],
        "description": "Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.",
        "cvss": [
          {
            "version": "2.0",
            "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "metrics": {
              "baseScore": 10,
              "exploitabilityScore": 10,
              "impactScore": 10
            },
            "vendorMetadata": {}
          }
        ]
      }
    ],
    "matchDetails": [
      {
        "type": "exact-direct-match",
        "matcher": "dpkg-matcher",
        "searchedBy": {
          "distro": {
            "type": "debian",
            "version": "11"
          },
          "namespace": "debian:distro:debian:11",
          "package": {
            "name": "tar",
            "version": "1.34+dfsg-1"
          }
        },
        "found": {
          "versionConstraint": "none (deb)",
          "vulnerabilityID": "CVE-2005-2541"
        }
      }
    ],
    "artifact": {
      "id": "6cd0f2a416ae6604",
      "name": "tar",
      "version": "1.34+dfsg-1",
      "type": "deb",
      "locations": [
        {
          "path": "/usr/share/doc/tar/copyright",
          "layerID": "sha256:8553b91047dad45bedc292812586f1621e0a464a09a7a7c2ce6ac5f8ba2535d7"
        },
        {
          "path": "/var/lib/dpkg/info/tar.md5sums",
          "layerID": "sha256:8553b91047dad45bedc292812586f1621e0a464a09a7a7c2ce6ac5f8ba2535d7"
        },
        {
          "path": "/var/lib/dpkg/status",
          "layerID": "sha256:b224b13a335e31c152e58c87bb237b9df70c0f8684935bce865af9d2d06e3cfc"
        }
      ],
      "language": "",
      "licenses": [
        "GPL-2",
        "GPL-3"
      ],
      "cpes": [
        "cpe:2.3:a:tar:tar:1.34+dfsg-1:*:*:*:*:*:*:*"
      ],
      "purl": "pkg:deb/debian/tar@1.34+dfsg-1?arch=amd64&distro=debian-11",
      "upstreams": []
    }
  }
]
```
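Until Grype itself merges severities across sources, the behaviour the reporter asks for (report the highest severity and its metrics) can be applied as a post-processing step on the JSON output. The script below is an added example, not Grype project code: it walks each match, takes the highest severity across the primary `vulnerability` record and every `relatedVulnerabilities` entry, and picks the highest CVSS base score and vector found in any of them, so the Debian "Negligible" record above surfaces as High with the NVD vector. It assumes the input is either a full Grype document with a top-level `matches` array or, as pasted in this issue, the bare matches array; the sample report is constructed (trimmed from the output above, plus a second made-up match with only one source) to show both the escalation and the fallback path.

```python
"""Merge per-source severities in Grype JSON so a match is rated by its
highest-severity record, not only by the primary (distro) record."""
import json

# Grype severity labels ordered from lowest to highest; anything unrecognised
# (including an empty string) sorts below Negligible.
SEVERITY_RANK = {"unknown": 0, "negligible": 1, "low": 2,
                 "medium": 3, "high": 4, "critical": 5}


def severity_rank(label):
    """Map a Grype severity string to a comparable integer."""
    return SEVERITY_RANK.get((label or "").lower(), 0)


def records_for(match):
    """Primary vulnerability record plus every relatedVulnerabilities entry."""
    return [match["vulnerability"]] + list(match.get("relatedVulnerabilities", []))


def effective_severity(match):
    """(severity, namespace) of the highest-severity record for one match.
    On a tie the primary record wins because max() keeps the first maximum."""
    best = max(records_for(match), key=lambda v: severity_rank(v.get("severity")))
    return best.get("severity", "Unknown"), best.get("namespace", "")


def highest_cvss(match):
    """(baseScore, vector) of the highest CVSS entry across all records, or
    (None, None) when no source carries CVSS data, as for the Debian record."""
    best_score, best_vector = None, None
    for record in records_for(match):
        for cvss in record.get("cvss", []):
            score = cvss.get("metrics", {}).get("baseScore")
            if score is not None and (best_score is None or score > best_score):
                best_score, best_vector = float(score), cvss.get("vector")
    return best_score, best_vector


def matches_of(report):
    """Accept a full Grype document ({"matches": [...]}) or the bare array
    (assumption: the issue pastes only the array)."""
    return report.get("matches", []) if isinstance(report, dict) else report


def summarize(report):
    """One row per match: what Grype reported versus the merged view."""
    rows = []
    for match in matches_of(report):
        reported = match["vulnerability"].get("severity", "Unknown")
        effective, source = effective_severity(match)
        score, vector = highest_cvss(match)
        rows.append({
            "id": match["vulnerability"]["id"],
            "package": f'{match["artifact"]["name"]}@{match["artifact"]["version"]}',
            "reported": reported,
            "effective": effective,
            "effective_source": source,
            "max_base_score": score,
            "vector": vector,
            # True when a related source outranks the primary record.
            "escalated": severity_rank(effective) > severity_rank(reported),
        })
    return rows


def ids_at_or_above(report, threshold="High"):
    """Sorted IDs whose merged severity meets a gating threshold; a CI gate on
    the primary record alone would miss CVE-2005-2541 here."""
    floor = severity_rank(threshold)
    return sorted({r["id"] for r in summarize(report)
                   if severity_rank(r["effective"]) >= floor})


# Constructed sample: the issue's match trimmed to the fields used above, plus a
# made-up single-source match (CVE-EXAMPLE-0001 is a placeholder, not a real ID).
SAMPLE_REPORT = json.loads("""
[
  {"vulnerability": {"id": "CVE-2005-2541", "namespace": "debian:distro:debian:11",
                     "severity": "Negligible", "cvss": []},
   "relatedVulnerabilities": [
     {"id": "CVE-2005-2541", "namespace": "nvd:cpe", "severity": "High",
      "cvss": [{"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
                "metrics": {"baseScore": 10, "exploitabilityScore": 10, "impactScore": 10}}]}],
   "artifact": {"name": "tar", "version": "1.34+dfsg-1"}},
  {"vulnerability": {"id": "CVE-EXAMPLE-0001", "namespace": "debian:distro:debian:11",
                     "severity": "Medium",
                     "cvss": [{"version": "3.1",
                               "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
                               "metrics": {"baseScore": 5.3}}]},
   "relatedVulnerabilities": [],
   "artifact": {"name": "examplepkg", "version": "1.0-1"}}
]
""")

if __name__ == "__main__":
    for row in summarize(SAMPLE_REPORT):
        print(json.dumps(row))
    print("gate (>= High):", ids_at_or_above(SAMPLE_REPORT))
```

To run it against a real scan, replace `SAMPLE_REPORT` with `json.load(open("grype.json"))` from `grype -o json`; `ids_at_or_above` gives a non-empty list exactly when the merged severity crosses the threshold, which is the condition a pipeline gate should fail on.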
Status: Backlog