scout: add advisory prioritization #23275

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open: wants to merge 1 commit into base: main
21 changes: 21 additions & 0 deletions content/manuals/scout/deep-dive/advisory-db-sources.md
Expand Up @@ -58,6 +58,27 @@ your SBOM is cross-referenced with the CVE information to detect how it affects

For more details on how image analysis works, see the [image analysis page](/manuals/scout/explore/analysis.md).

## Severity and scoring priority

Docker Scout uses two main principles when determining severity and scoring for
CVEs:

- Source priority
- CVSS version preference

For source priority, Docker Scout follows this order:

1. Vendor advisories: Scout always uses the severity and scoring data from the
source that matches the package and version. For example, Debian data for
Debian packages.

2. NIST scoring data: If the vendor doesn't provide scoring data for a CVE,
Scout falls back to NIST scoring data.

For CVSS version preference, once Scout has selected a source, it prefers CVSS
v4 over v3 when both are available, as v4 is the more modern and precise scoring
model.

## Vulnerability matching

Traditional tools often rely on broad [Common Product Enumeration (CPE)](https://en.wikipedia.org/wiki/Common_Platform_Enumeration) matching,
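Review bot: step 1 of the source-priority list says Scout "always" uses the vendor's severity and scoring data, which contradicts the NIST fallback in step 2; if vendor data is used only when it exists, say so, e.g. "Scout first uses the severity and scoring data from the source that matches the package and version." Two documentation gaps in the same section: it does not say what happens when a vendor supplies a severity rating but no CVSS score (is the fallback to NIST per field, or for the whole CVE?), and the CVSS version preference only covers v4 over v3, leaving CVEs that carry only a v2 score unaddressed. The clause "as v4 is the more modern and precise scoring model" reads as editorializing in reference documentation; consider dropping it. Nit on the unchanged context line after the new section: the link text reads "Common Product Enumeration (CPE)" while the URL and the standard's name are "Common Platform Enumeration".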