What happened:
Vulnerabilities do not have a score if there is a related vulnerability (maybe only if the IDs match).
Attached: alpine3.10.7_vulreport.zip. Here is an extract of the report:
```json
{
  "matches": [
    {
      "vulnerability": {
        "id": "CVE-2021-28831",
        "dataSource": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831",
        "namespace": "alpine:3.10",
        "severity": "High",
        "urls": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28831"],
        "cvss": [],
        "fix": {"versions": ["1.30.1-r5"], "state": "fixed"},
        "advisories": []
      },
      "relatedVulnerabilities": [
        {
          "id": "CVE-2021-28831",
          "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2021-28831",
          "namespace": "nvd",
          "severity": "High",
          "urls": ["https://git.busybox.net/busybox/commit/?id=f25d254dfd4243698c31a4f3153d4ac72aa9e9bd"],
          "description": "decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.",
          "cvss": [
            {
              "version": "2.0",
              "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
              "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9},
              "vendorMetadata": {}
            },
            {
              "version": "3.1",
              "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6},
              "vendorMetadata": {}
            }
          ]
        }
      ],
      "matchDetails": [ ... ],
      "artifact": { ... }
    }
  ]
}
```
What you expected to happen:
the "root" vulnerability to have the proper score
How to reproduce it (as minimally and precisely as possible):
Currently we see it when scanning alpine:3.10.7.
Anything else we need to know?:
Environment:
grype version: v0.35.0
cat /etc/os-release (or similar): reproduced on Z/OS :) and Ubuntu 20.04/amd64
I don't think this is a bug. If you look at "vulnerability" and "relatedVulnerabilities" they are two different data sources.
The "vulnerability" data comes from Alpine. Alpine does not include CVSS scores, but it does include severity, for example.
The "relatedVulnerabilities" data is coming from NVD and includes the CVSS score because NVD includes this data.
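A consumer-side way to act on this explanation, as an added example (not grype's own code): walk each match, take the CVSS from the primary distro record when it carries one, otherwise fall back to the "relatedVulnerabilities" entry with the same id (the NVD copy). The sample report is constructed from the extract above, with the elided matchDetails/artifact fields left out.

```python
import json

# Constructed sample in the shape of the issue's extract (ids, namespaces and
# CVSS values copied from it; the elided artifact/matchDetails fields omitted).
SAMPLE_REPORT = json.dumps({"matches": [{
    "vulnerability": {"id": "CVE-2021-28831", "namespace": "alpine:3.10",
                      "severity": "High", "cvss": [],
                      "fix": {"versions": ["1.30.1-r5"], "state": "fixed"}},
    "relatedVulnerabilities": [{
        "id": "CVE-2021-28831", "namespace": "nvd", "severity": "High",
        "cvss": [
            {"version": "2.0", "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
             "metrics": {"baseScore": 5, "exploitabilityScore": 10, "impactScore": 2.9}},
            {"version": "3.1", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
             "metrics": {"baseScore": 7.5, "exploitabilityScore": 3.9, "impactScore": 3.6}},
        ]}],
}]})


def best_cvss(entry):
    """Newest CVSS version listed on a vulnerability record, or None if empty."""
    cvss = entry.get("cvss") or []
    return max(cvss, key=lambda c: float(c.get("version", "0"))) if cvss else None


def score_for_match(match):
    """(namespace, cvss version, baseScore) for one grype match, or None.

    The primary "vulnerability" record comes from the distro feed and may carry
    no CVSS (Alpine's feed does not); then fall back to the record with the same
    id under "relatedVulnerabilities", which is where the NVD copy lives.
    """
    vuln = match["vulnerability"]
    candidates = [vuln] + [r for r in match.get("relatedVulnerabilities", [])
                           if r.get("id") == vuln["id"]]
    for record in candidates:
        chosen = best_cvss(record)
        if chosen is not None:
            return record["namespace"], chosen["version"], chosen["metrics"]["baseScore"]
    return None


def scores(report_json):
    """Map each matched vulnerability id to its effective (source, version, score)."""
    report = json.loads(report_json)
    return {m["vulnerability"]["id"]: score_for_match(m) for m in report["matches"]}
```

Run it over `grype -o json <image>` output to get one effective score per finding; a None result means neither the distro feed nor NVD supplied a CVSS vector.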
Hi @seidkevi, we are going to go ahead and close this issue. Please let us know if you need anything else. Thanks!