Trivy reports vulnerability with HIGH but the in the site is MEDIUM

[echalegre]

Description

When I execute a trivy image to scanner a image, trivy list all vulnerabilities from image.
But some vulnerabilities are marked with one severity and when I enter the site the severity is another.

Desired Behavior

Vulnerability on CLI and Site (https://avd.aquasec.com/nvd/) is equal

Actual Behavior

Vulnerabilities is no equal

Reproduction Steps

1. trivy image payable-loader --pkg-types library --severity CRITICAL,HIGH --scanners vuln --report summary

Target

None

Scanner

None

Output Format

None

Mode

None

Debug Output

com.amazonaws:aws-java-sdk-s3 (app.jar) │ CVE-2022-31159 | HIGH │  1.11.125 │ 1.12.261 | Partial Path Traversal in com.amazonaws:aws-java-sdk-s3 | https://avd.aquasec.com/nvd/cve-2022-31159

If you open https://avd.aquasec.com/nvd/cve-2022-31159, this vuln is MEDIUM

Operating System

macOS Sequoia

Version

Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-08 12:18:37.112380437 +0000 UTC
  NextUpdate: 2024-11-09 12:18:37.112380057 +0000 UTC
  DownloadedAt: 2024-11-08 18:02:24.263085 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-08 02:40:01.308806198 +0000 UTC
  NextUpdate: 2024-11-11 02:40:01.308806078 +0000 UTC
  DownloadedAt: 2024-11-08 18:03:04.261125 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

hi @echalegre Trivy CLI output overrides with any vendor advisory, in this case GitHub marks this as a HIGH GHSA-c28r-hw5m-5gv3

AVD on the other hand shows the NVD score https://nvd.nist.gov/vuln/detail/cve-2022-31159 which is a MEDIUM. We also show other vendors' rating in the AVD page but at the moment GitHub isn't listed, so that's why maybe you got confused.