Function getSeverity will always return severity out of CvssV2

[GalDevel]

Hello,

While using Trivy, I noticed in a problem in the severity I was getting.
Looking at CVE-2017-0817, Trivy reported the severity as MEDIUM.
But when looking at NIST, the CvssV3 severity is HIGH, while the old CvssV2 severity is MEDIUM.

This led me to believe that there is a bug in Trivy while composing the vulnerability, after looking at the code and at the CVEs from NVD I found the following:

• In the function getSeverity in vulnerability.go - you can clearly see that case d.CvssScore > 0: will always occur.
  NIST started using CvssV3 around ~2015, but they also keep using CvssV2.
• Function getVendorSeverity in vulnerability.go - seems to also suffer this issue.
• Trivy CVE-2017-0817
  NIST CVE-2017-0817

I would love to hear from you regarding this PR.

Best,
Gal.

[knqyf263]

Trivy prioritizes CVSSv2 on purpose. I think CVSSv3 always scores too high. But there is room for further consideration. If many users prefer CVSSv3, we can switch it. cc: @lizrice and @simar7

[simar7]

Trivy prioritizes CVSSv2 on purpose. I think CVSSv3 always scores too high. But there is room for further consideration. If many users prefer CVSSv3, we can switch it. cc: @lizrice and @simar7

My vote would be CVSSv3 as well. At the time of writing that code we still preferred to go with V2 as we didn't have enough data points of user input. But as you can see from these 100+ data points of user input on this poll by @lizrice V3 is more preferred.

[lizrice]

Agreed, let's move to v3

[stevegileno]

Once there is a projected timeframe for completing the move to v3, that would be great to know. Thank you @lizrice !

[simar7]

This lgtm! @knqyf263 would you like to have another look?

[simar7]

ping @knqyf263 :)

[knqyf263]

I announced the migration. This PR affects Trivy DB just after being merged, so we're planning to merge this PR on October 19th.
aquasecurity/trivy#678