feat: add `--vuln-severity-source` flag to customize vulnerability severity selection #8180

knqyf263 · 2024-12-26T10:56:48Z

Description

Currently, Trivy automatically selects the "best" severity among multiple data sources (NVD, GHSA, etc.) based on its internal logic. While this works well for most cases, some users have specific needs for severity selection:

Some users prefer to prioritize NVD severities
Others might want to avoid GHSA severities if they consider them problematic
Different organizations might have different preferences for severity sources

To address these needs, I propose adding a new --vuln-severity-source flag that allows users to specify their preferred severity sources in order of priority.

Proposed Implementation

The flag would work as follows:

Accept multiple values in comma-separated format or repeated flags
Example: --vuln-severity-source nvd --vuln-severity-source ghsa
Process severity sources in the specified order
- If the first source has a severity, use it
- If not, try the next source
- If no sources have severity:
  - Return "unknown" as severity
  - Output a warning message: "No severity found in specified sources: [source1,source2]"
Define current behavior as auto
- Default value would be auto
- Inspired by Go Toolchains behavior
Allow fallback to auto mode
Example: --vuln-severity-source nvd,auto
- This would first check NVD, then fall back to the current automatic selection logic

Usage Examples

# Use NVD severity, fallback to GHSA
$ trivy image --vuln-severity-source nvd,ghsa myimage

# Use NVD severity, fallback to automatic selection
$ trivy image --vuln-severity-source nvd,auto myimage

# Use current automatic selection (default)
$ trivy image --vuln-severity-source auto alpine:latest

# Example of warning message when no severity found
$ trivy image --vuln-severity-source nvd,ghsa alpine:latest
WARN No severity found in specified sources: [nvd,ghsa]

Benefits

Provides flexibility for organizations with specific severity source preferences
Maintains backward compatibility with current behavior

The text was updated successfully, but these errors were encountered:

knqyf263 added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 26, 2024

knqyf263 added this to the v0.60.0 milestone Dec 26, 2024

knqyf263 assigned nikpivkin Dec 26, 2024

knqyf263 added this to Trivy Roadmap Dec 26, 2024

DmitriyLewen assigned DmitriyLewen and unassigned nikpivkin Jan 9, 2025

This was referenced Jan 21, 2025

refactor: add AllSourceIDs aquasecurity/trivy-db#485

Merged

feat: add --vuln-severity-source flag #8269

Merged

knqyf263 changed the title ~~feat: add --severity-src flag to customize vulnerability severity selection~~ feat: add --severity-source flag to customize vulnerability severity selection Mar 3, 2025

knqyf263 changed the title ~~feat: add --severity-source flag to customize vulnerability severity selection~~ feat: add --vuln-severity-source flag to customize vulnerability severity selection Mar 3, 2025

DmitriyLewen closed this as completed in #8269 Mar 3, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add `--vuln-severity-source` flag to customize vulnerability severity selection #8180

feat: add `--vuln-severity-source` flag to customize vulnerability severity selection #8180