--vuln-severity-source not working as expected #9803

wlfgang · 2025-11-15T12:30:03Z

wlfgang
Nov 15, 2025

Description

The --vuln-severity-source option does not seem to be working as documented. As an example, if I provide nvd as the only source, CLI table output gives severities from the debian source rather than the NVD CVSS score. JSON output shows the correct severities are found for both sources, but that of debian overrides nvd.

Desired Behavior

The severity level listed in the table and JSON output should come from the first source with a matching CVE record according to the priority list specified.

Actual Behavior

In my example, it appears that the auto setting may be getting used instead of the value I provided (nvd). See example below.

Reproduction Steps

1. `trivy image --vuln-severity-source nvd gcr.io/distroless/java21-debian12`
2. Note CVE-2018-20796 is shown as LOW
3. Refer to https://nvd.nist.gov/vuln/detail/CVE-2018-20796 - it is scored as 7.5 HIGH
4. `trivy image --vuln-severity-source nvd -f json -o out.json gcr.io/distroless/java21-debian12`
5. In the JSON report, `DataSource = debian,` and `VendorSeverity` looks lie:

          "VendorSeverity": {
            "cbl-mariner": 3,
            "debian": 1,
            "nvd": 3,
            "redhat": 2
          },
...

Target

Container Image

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

trivy image --vuln-severity-source nvd gcr.io/distroless/java21-debian12 --debug
2025-11-15T07:21:50-05:00       DEBUG   No plugins loaded
2025-11-15T07:21:50-05:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-11-15T07:21:50-05:00       DEBUG   Cache dir       dir="/home/dan/.cache/trivy"
2025-11-15T07:21:50-05:00       DEBUG   Cache dir       dir="/home/dan/.cache/trivy"
2025-11-15T07:21:50-05:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-11-15T07:21:50-05:00       DEBUG   Ignore statuses statuses=[]
2025-11-15T07:21:50-05:00       DEBUG   DB update was skipped because the local DB is the latest
2025-11-15T07:21:50-05:00       DEBUG   DB info schema=2 updated_at=2025-11-15T06:30:55.616745206Z next_update=2025-11-16T06:30:55.616744925Z downloaded_at=2025-11-15T11:22:15.493127369Z
2025-11-15T07:21:50-05:00       DEBUG   [pkg] Package types     types=[os library]
2025-11-15T07:21:50-05:00       DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-11-15T07:21:50-05:00       INFO    [vuln] Vulnerability scanning is enabled
2025-11-15T07:21:50-05:00       INFO    [secret] Secret scanning is enabled
2025-11-15T07:21:50-05:00       INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-11-15T07:21:50-05:00       INFO    [secret] Please see https://trivy.dev/v0.67/docs/scanner/secret#recommendation for faster secret detection
2025-11-15T07:21:50-05:00       DEBUG   Initializing scan cache...      type="fs"
2025-11-15T07:21:50-05:00       DEBUG   [notification] Running version check
2025-11-15T07:21:50-05:00       DEBUG   [notification] Version check completed  latest_version="0.67.2"
2025-11-15T07:21:51-05:00       DEBUG   [image] Image found     image="gcr.io/distroless/java21-debian12" source="remote"
2025-11-15T07:21:51-05:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-11-15T07:21:51-05:00       DEBUG   [secret] No secret config detected      config_path="trivy-secret.yaml"
2025-11-15T07:21:51-05:00       DEBUG   Created process-specific temp directory path="/tmp/trivy-1535692"
2025-11-15T07:21:51-05:00       DEBUG   [image] Detected image ID       image_id="sha256:55bffb815061542cc49eed17c814ce5c9ee9a74ea961ca8a71952b78a148c5b8"
2025-11-15T07:21:51-05:00       DEBUG   [image] Detected diff ID        diff_ids=[sha256:bff7f7a9d44356d8784500366094c66399aa6a2edd990cc70e02e27c84402753 sha256:8fa10c0194df9b7c054c90dbe482585f768a54428fc90a5b78a0066a123b1bba sha256:4840c7c54023c867f19564429c89ddae4e9589c83dce82492183a7e9f7dab1fa sha256:114dde0fefebbca13165d0da9c500a66190e497a82a53dcaabc3172d630be1e9 sha256:4d049f83d9cf21d1f5cc0e11deaf36df02790d0e60c1a3829538fb4b61685368 sha256:af5aa97ebe6ce1604747ec1e21af7136ded391bcabe4acef882e718a87c86bcc sha256:6f1cdceb6a3146f0ccb986521156bef8a422cdbb0863396f7f751f575ba308f4 sha256:bbb6cacb8c82e4da4e8143e03351e939eab5e21ce0ef333c42e637af86c5217b sha256:2a92d6ac9e4fcc274d5168b217ca4458a9fec6f094ead68d99c77073f08caac1 sha256:1a73b54f556b477f0a8b939d13c504a3b4f4db71f7a09c63afbc10acb3de5849 sha256:f4aee9e53c42a22ed82451218c3ea03d1eea8d6ca8fbe8eb4e950304ba8a8bb3 sha256:bfe9137a1b044e8097cdfcb6899137a8a984ed70931ed1e8ef0cf7e023a139fc sha256:bd29502adf199ad9c03afba9bc79df572a26ec60a2a6ffdda4883a5b7a1632fe sha256:b47d9619ecfbb803f4b834cf89ba8d0c7014df1f2a4463f4a894dc7eb2911868 sha256:67f4ba12da59cfe5255fbe4af7050312dbaff09cb09374f30d4ec07f7438e171 sha256:afd09813d6dc137a9b06760116d9c48bc74ad70af38c86df103b66965c1dfc01 sha256:e006ca56124cc080ad17cd9c33c87b999b17dab1939d1cac64728a95fcb47ebc sha256:af71566f208dec3827a20a851365d3239f28e117851f09a32d8aabc32f7c8d8c sha256:fe8a0ee1474a5998c4f9ca1fbd10013efc067ca24f7f0b1fc904c13ef026cbda sha256:c3e70ac51b35c50b1a76bb423932218a9782a3e9ba390664a41c94ba3ad4d1ed sha256:062ba71b976915c9f73f7569c71b5844c2bc6915b258c4743e01dbfb66a02b0c sha256:1230ca28c337e605fa5b7910feb96c299b50ebd69f7feedb6143909b14f6ee52 sha256:437e5b9a0e64cda5620df9126cd6b649fe864ecf5f0d181310e430a4db7077ab sha256:1ca5d6162237e422b40e38cf8c2dbc5430eac27133458f62d7762c8700e8b856 sha256:6819a1af097df543d58dc30b51f737e55f3f42a9a04e641f175834a55bf0629c sha256:c3abae442368dc447f15c468933843c361f227f5d87b2bb86515b49f40583ed9 sha256:7095412417d2dce289b77f7a8c632a07c82b707fe43cfef7368c3b65c8d2538a sha256:c73675af00ab54d7aa496e9eca3831823ff66d908689a6c074af640c87854a7d sha256:e9a95f5614670ecd50944390e30e5630b749a37bf55dfa4e92c35a02bf3de96f sha256:64928cd414e6671989acf2a9f040f712a4e769881d5e5f9594ad65224f2bc272]
2025-11-15T07:21:51-05:00       DEBUG   [image] Detected base layers    diff_ids=[]
2025-11-15T07:21:51-05:00       INFO    Detected OS     family="debian" version="12.12"
2025-11-15T07:21:51-05:00       INFO    [debian] Detecting vulnerabilities...   os_version="12" pkg_num=20
2025-11-15T07:21:51-05:00       INFO    Number of language-specific files       num=0
2025-11-15T07:21:51-05:00       WARN    No severity found in specified sources  vulnerability-ids=[CVE-2025-59375 CVE-2025-29070] severity-sources=[nvd]
2025-11-15T07:21:51-05:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-11-15T07:21:51-05:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌──────────────────────────────────────────────────┬────────┬─────────────────┬─────────┐
│                      Target                      │  Type  │ Vulnerabilities │ Secrets │
├──────────────────────────────────────────────────┼────────┼─────────────────┼─────────┤
│ gcr.io/distroless/java21-debian12 (debian 12.12) │ debian │       17        │    -    │
└──────────────────────────────────────────────────┴────────┴─────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


gcr.io/distroless/java21-debian12 (debian 12.12)

Total: 17 (UNKNOWN: 1, LOW: 15, MEDIUM: 0, HIGH: 0, CRITICAL: 1)

┌─────────────┬──────────────────┬──────────┬──────────────┬───────────────────┬───────────────┬─────────────────────────────────────────────────────────────┐
│   Library   │  Vulnerability   │ Severity │    Status    │ Installed Version │ Fixed Version │                            Title                            │
├─────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ gcc-12-base │ CVE-2022-27943   │ LOW      │ affected     │ 12.2.0-14+deb12u1 │               │ binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows  │
│             │                  │          │              │                   │               │ stack exhaustion in demangle_const                          │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
├─────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libc6       │ CVE-2010-4756    │          │              │ 2.36-9+deb12u13   │               │ glibc: glob implementation can cause excessive CPU and      │
│             │                  │          │              │                   │               │ memory consumption due to...                                │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2010-4756                   │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2018-20796   │          │              │                   │               │ glibc: uncontrolled recursion in function                   │
│             │                  │          │              │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2018-20796                  │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2019-1010022 │          │              │                   │               │ glibc: stack guard protection bypass                        │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010022                │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2019-1010023 │          │              │                   │               │ glibc: running ldd on malicious ELF leads to code execution │
│             │                  │          │              │                   │               │ because of...                                               │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010023                │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2019-1010024 │          │              │                   │               │ glibc: ASLR bypass using cache of thread stack and heap     │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010024                │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2019-1010025 │          │              │                   │               │ glibc: information disclosure of heap addresses of          │
│             │                  │          │              │                   │               │ pthread_created thread                                      │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-1010025                │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2019-9192    │          │              │                   │               │ glibc: uncontrolled recursion in function                   │
│             │                  │          │              │                   │               │ check_dst_limits_calc_pos_1 in posix/regexec.c              │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2019-9192                   │
├─────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libexpat1   │ CVE-2023-52426   │          │              │ 2.5.0-1+deb12u2   │               │ expat: recursive XML entity expansion vulnerability         │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-52426                  │
│             ├──────────────────┤          │              │                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2024-28757   │          │              │                   │               │ expat: XML Entity Expansion                                 │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2024-28757                  │
│             ├──────────────────┼──────────┼──────────────┤                   ├───────────────┼─────────────────────────────────────────────────────────────┤
│             │ CVE-2025-59375   │ UNKNOWN  │ will_not_fix │                   │               │ expat: libexpat in Expat allows attackers to trigger large  │
│             │                  │          │              │                   │               │ dynamic memory allocations...                               │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2025-59375                  │
├─────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libgcc-s1   │ CVE-2022-27943   │ LOW      │ affected     │ 12.2.0-14+deb12u1 │               │ binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows  │
│             │                  │          │              │                   │               │ stack exhaustion in demangle_const                          │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
├─────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ liblcms2-2  │ CVE-2025-29070   │          │              │ 2.14-2            │               │ A heap buffer overflow vulnerability has been identified in │
│             │                  │          │              │                   │               │ thesmooth2 ...                                              │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2025-29070                  │
├─────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libpng16-16 │ CVE-2021-4214    │          │              │ 1.6.39-2          │               │ libpng: hardcoded value leads to heap-overflow              │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2021-4214                   │
├─────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libstdc++6  │ CVE-2022-27943   │          │              │ 12.2.0-14+deb12u1 │               │ binutils: libiberty/rust-demangle.c in GNU GCC 11.2 allows  │
│             │                  │          │              │                   │               │ stack exhaustion in demangle_const                          │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-27943                  │
├─────────────┼──────────────────┤          │              ├───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ libuuid1    │ CVE-2022-0563    │          │              │ 2.38.1-5+deb12u3  │               │ util-linux: partial disclosure of arbitrary files in chfn   │
│             │                  │          │              │                   │               │ and chsh when compiled...                                   │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2022-0563                   │
├─────────────┼──────────────────┼──────────┼──────────────┼───────────────────┼───────────────┼─────────────────────────────────────────────────────────────┤
│ zlib1g      │ CVE-2023-45853   │ CRITICAL │ will_not_fix │ 1:1.2.13.dfsg-1   │               │ zlib: integer overflow and resultant heap-based buffer      │
│             │                  │          │              │                   │               │ overflow in zipOpenNewFileInZip4_6                          │
│             │                  │          │              │                   │               │ https://avd.aquasec.com/nvd/cve-2023-45853                  │
└─────────────┴──────────────────┴──────────┴──────────────┴───────────────────┴───────────────┴─────────────────────────────────────────────────────────────┘
2025-11-15T07:21:51-05:00       DEBUG   Cleaning up temp directory      path="/tmp/trivy-1535692"

Operating System

Linux

Version

Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-11-15 06:30:55.616745206 +0000 UTC
  NextUpdate: 2025-11-16 06:30:55.616744925 +0000 UTC
  DownloadedAt: 2025-11-15 11:22:15.493127369 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-11-10 00:58:36.121246118 +0000 UTC
  NextUpdate: 2025-11-13 00:58:36.121245917 +0000 UTC
  DownloadedAt: 2025-11-10 14:18:52.975705854 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-11-17T06:12:04Z

DmitriyLewen
Nov 17, 2025
Maintainer

duplicate of #9191

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

--vuln-severity-source not working as expected #9803

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

--vuln-severity-source not working as expected #9803

Uh oh!

wlfgang Nov 15, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment

Uh oh!

Uh oh!

DmitriyLewen Nov 17, 2025 Maintainer

wlfgang
Nov 15, 2025

DmitriyLewen
Nov 17, 2025
Maintainer