
fix(vuln): save package-specific severity before severity selection #10300

Open

DmitriyLewen wants to merge 17 commits into aquasecurity:main from DmitriyLewen:fix/vuln/pkg-specific-severity-selection

Conversation

@DmitriyLewen (Contributor) commented Mar 3, 2026

Description

Refactored vulnerability severity processing logic to fix package-specific severity handling. The changes move the package-specific severity processing earlier in the flow and ensure vendor severities are properly stored before the main severity selection logic runs.

Found mistakes

RedHat vulnerabilities don't have DataSource and use an incorrect SeveritySource (redhat instead of redhat-oval).
This PR fixes these mistakes, updates tests and improves severity selection logic for redhat.

Reason

The original code had a logical issue where package-specific severity handling was interfering with the main severity selection process. When a vulnerability had a SeveritySource set (indicating package-specific severity), the code was overriding the selected severity and source, but this happened after the main severity selection logic had already run.

Benefits

  • Correct vendor severity storage: Package-specific severities are now properly stored in the VendorSeverity map before main processing
  • Improved severity selection: Main severity selection logic (getSeverity) now runs with complete vendor severity data available
  • Better separation of concerns: Package-specific severity handling is now clearly separated from main severity selection
  • Preserved existing behavior: All existing functionality is maintained while fixing the logical flow issue

Examples:

Before:

➜  trivy -q image debian -f json --vuln-severity-source nvd | grep SeveritySource | sort -u
          "SeveritySource": "debian",
          "SeveritySource": "nvd",

After:

➜  ./trivy -q image debian -f json --vuln-severity-source nvd | grep SeveritySource | sort -u
          "SeveritySource": "nvd",

Related issues

Related PRs

Checklist

  • I've read the guidelines for contributing to this repository.
  • I've followed the conventions in the PR title.
  • I've added tests that prove my fix is effective or that my feature works.
  • I've updated the documentation with the relevant information (if needed).
  • I've added usage information (if the PR introduces new options)
  • I've included a "before" and "after" example to the description (if the PR is a user interface change).
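The ordering problem described in the Reason and Benefits sections above, as an added Go illustration. This is a simplified model written for this page, not Trivy's code and not the author's: the Vulnerability struct layout, the fallback order inside getSeverity, the helper names selectBefore and selectAfter, and the sample CVE identifiers and severities are all assumptions. It reproduces the symptom in the "Before" example (a Debian package-specific severity overriding the requested nvd source) and shows why storing that severity in VendorSeverity before selection fixes it.

```go
package main

import "fmt"

// Added illustration of the ordering problem described in the PR: a
// simplified model of severity selection, not Trivy's own code. The struct
// fields, the fallback order and the sample data are assumptions.

// Vulnerability carries the three fields the PR description talks about.
type Vulnerability struct {
	ID             string
	Severity       string
	SeveritySource string            // source the reported Severity came from
	VendorSeverity map[string]string // severity per data source, e.g. "nvd", "debian"
}

// fallbackOrder is an assumed priority list used when the requested source
// has no severity for this vulnerability.
var fallbackOrder = []string{"nvd", "debian", "redhat-oval"}

// getSeverity selects the severity for the requested source (the value of
// --vuln-severity-source in the PR's example), falling back through
// fallbackOrder when the requested source is absent from the vendor map.
func getSeverity(vendor map[string]string, requested string) (severity, source string) {
	if s, ok := vendor[requested]; ok {
		return s, requested
	}
	for _, src := range fallbackOrder {
		if s, ok := vendor[src]; ok {
			return s, src
		}
	}
	return "UNKNOWN", ""
}

// cloneVendor copies the map so neither flow mutates the caller's input.
func cloneVendor(m map[string]string) map[string]string {
	out := make(map[string]string, len(m)+1)
	for k, v := range m {
		out[k] = v
	}
	return out
}

// selectBefore models the original flow: getSeverity runs first, then a
// package-specific severity (pkgSource != "") overwrites the result, so the
// user's requested source is ignored whenever the package advisory has one.
func selectBefore(v Vulnerability, pkgSource, pkgSeverity, requested string) Vulnerability {
	v.VendorSeverity = cloneVendor(v.VendorSeverity)
	v.Severity, v.SeveritySource = getSeverity(v.VendorSeverity, requested)
	if pkgSource != "" {
		v.Severity, v.SeveritySource = pkgSeverity, pkgSource
	}
	return v
}

// selectAfter models the fixed flow: the package-specific severity is stored
// in VendorSeverity under its own source first, and getSeverity then picks
// from the complete map, so the requested source wins when it is present and
// the package-specific entry only acts as a fallback.
func selectAfter(v Vulnerability, pkgSource, pkgSeverity, requested string) Vulnerability {
	v.VendorSeverity = cloneVendor(v.VendorSeverity)
	if pkgSource != "" {
		v.VendorSeverity[pkgSource] = pkgSeverity
	}
	v.Severity, v.SeveritySource = getSeverity(v.VendorSeverity, requested)
	return v
}

func main() {
	// Constructed sample: NVD rates the CVE HIGH, the Debian advisory for the
	// package rates it LOW, and the user asked for --vuln-severity-source nvd.
	cve := Vulnerability{ID: "CVE-0000-0000", VendorSeverity: map[string]string{"nvd": "HIGH"}}
	before := selectBefore(cve, "debian", "LOW", "nvd")
	after := selectAfter(cve, "debian", "LOW", "nvd")
	fmt.Printf("before: %s from %q\n", before.Severity, before.SeveritySource)
	fmt.Printf("after:  %s from %q (vendor map %v)\n", after.Severity, after.SeveritySource, after.VendorSeverity)

	// A CVE that NVD has not rated: the fixed flow still falls back to Debian.
	unrated := Vulnerability{ID: "CVE-0000-0001"}
	fb := selectAfter(unrated, "debian", "MEDIUM", "nvd")
	fmt.Printf("no nvd entry: %s from %q\n", fb.Severity, fb.SeveritySource)
}
```

The point of the model is that the package-specific severity is information for getSeverity to weigh, not a verdict to apply after it; once it lives in VendorSeverity under its own source, the requested source is honoured and the vendor entry still wins when nothing better exists.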

@DmitriyLewen DmitriyLewen requested a review from knqyf263 as a code owner March 3, 2026 11:23
@DmitriyLewen (Contributor, Author)

Reopened from #9192 after recreating the fork.

@github-actions Bot (Contributor) commented May 4, 2026

This PR is stale because it has been labeled with inactivity.

@github-actions github-actions Bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 4, 2026
@DmitriyLewen DmitriyLewen removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label May 4, 2026

Development

Successfully merging this pull request may close these issues.

bug(vulnerability): --vuln-severity-source doesn't work for package-specific severity (e.g. Debian)
