Migrate CVSS v2 to v3

[knqyf263]

aquasecurity/trivy-db#72 migrates CVSS v2 to v3. It affects the Trivy DB just after merging the PR, so you will be also affected whether you update Trivy or not. The severity score displayed as a result will change and will probably be higher than before.

Scheduled date: October 19th, 2020

Ref. #655

[knqyf263]

Merged aquasecurity/trivy-db@2131c02

[bwjohnson-ss]

I'm using trivy version: 0.48.1, and what I believe is the latest version of the db:

cat ~/.trivycache/db/metadata.json
{"Version":2,"NextUpdate":"2023-12-22T00:13:21.197816145Z","UpdatedAt":"2023-12-21T18:13:21.197816516Z","DownloadedAt":"2023-12-22T00:02:46.110634Z"}

But trivy is detecting severities for what I believe to be be using CVSS V2 instead of using CVSS V3.

Here's an example: CVE-2022-25235: https://avd.aquasec.com/nvd/2022/cve-2022-25235/

Am I doing something wrong, or need to update something? Any help would be much appreciated. Thanks.

[DmitriyLewen]

Hello @bwjohnson-ss
Can you share Trivy report in json format, please?

[bwjohnson-ss]

Sure, here's a truncated version of the JSON: https://gist.github.com/bwjohnson-ss/38719b098ca26e522b6e770362af6d7b

Let me know if you need more.

[DmitriyLewen]

Trivy took severity from Ubuntu advisory - https://ubuntu.com/security/CVE-2022-25235
You can see this in SeveritySource field - "SeveritySource": "ubuntu",.