feat: add --vuln-severity-source flag (#8269)

docs/docs/references/configuration/cli/trivy_filesystem.md

@@ -100,6 +100,7 @@ trivy filesystem [flags] PATH
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_image.md

@@ -121,6 +121,7 @@ trivy image [flags] IMAGE_NAME
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_kubernetes.md

@@ -114,6 +114,7 @@ trivy kubernetes [flags] [CONTEXT]
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_repository.md

@@ -99,6 +99,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_rootfs.md

@@ -101,6 +101,7 @@ trivy rootfs [flags] ROOTDIR
       --trace                             enable more verbose trace output for custom queries
       --username strings                  username. Comma-separated usernames allowed.
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_sbom.md

@@ -20,59 +20,60 @@ trivy sbom [flags] SBOM_PATH
 ### Options
 
 ```
-      --cache-backend string         [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
-      --cache-ttl duration           cache TTL when using redis as cache backend
-      --compliance string            compliance report to generate
-      --custom-headers strings       custom headers in client mode
-      --db-repository strings        OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
-      --detection-priority string    specify the detection priority:
-                                       - "precise": Prioritizes precise by minimizing false positives.
-                                       - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
-                                      (precise,comprehensive) (default "precise")
-      --distro string                [EXPERIMENTAL] specify a distribution, <family>/<version>
-      --download-db-only             download/update vulnerability database but don't run a scan
-      --download-java-db-only        download/update Java index database but don't run a scan
-      --exit-code int                specify exit code when any security issues are found
-      --exit-on-eol int              exit with the specified code when the OS reaches end of service/life
-      --file-patterns strings        specify config file patterns
-  -f, --format string                format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
-  -h, --help                         help for sbom
-      --ignore-policy string         specify the Rego file path to evaluate each vulnerability
-      --ignore-status strings        comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
-      --ignore-unfixed               display only fixed vulnerabilities
-      --ignored-licenses strings     specify a list of license to ignore
-      --ignorefile string            specify .trivyignore file (default ".trivyignore")
-      --java-db-repository strings   OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
-      --list-all-pkgs                output all packages in the JSON report regardless of vulnerability
-      --no-progress                  suppress progress bar
-      --offline-scan                 do not issue API requests to identify dependencies
-  -o, --output string                output file name
-      --output-plugin-arg string     [EXPERIMENTAL] output plugin arguments
-      --password strings             password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
-      --password-stdin               password from stdin. Comma-separated passwords are not supported.
-      --pkg-relationships strings    list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
-      --pkg-types strings            list of package types (os,library) (default [os,library])
-      --redis-ca string              redis ca file location, if using redis as cache backend
-      --redis-cert string            redis certificate file location, if using redis as cache backend
-      --redis-key string             redis key file location, if using redis as cache backend
-      --redis-tls                    enable redis TLS with public certificates, if using redis as cache backend
-      --registry-token string        registry token
-      --rekor-url string             [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
-      --sbom-sources strings         [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
-      --scanners strings             comma-separated list of what security issues to detect (vuln,license) (default [vuln])
-      --server string                server address in client mode
-  -s, --severity strings             severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
-      --show-suppressed              [EXPERIMENTAL] show suppressed vulnerabilities
-      --skip-db-update               skip updating vulnerability database
-      --skip-dirs strings            specify the directories or glob patterns to skip
-      --skip-files strings           specify the files or glob patterns to skip
-      --skip-java-db-update          skip updating Java index database
-      --skip-vex-repo-update         [EXPERIMENTAL] Skip VEX Repository update
-  -t, --template string              output template
-      --token string                 for authentication in client/server mode
-      --token-header string          specify a header name for token in client/server mode (default "Trivy-Token")
-      --username strings             username. Comma-separated usernames allowed.
-      --vex strings                  [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --cache-backend string           [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "memory")
+      --cache-ttl duration             cache TTL when using redis as cache backend
+      --compliance string              compliance report to generate
+      --custom-headers strings         custom headers in client mode
+      --db-repository strings          OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
+      --detection-priority string      specify the detection priority:
+                                         - "precise": Prioritizes precise by minimizing false positives.
+                                         - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
+                                        (precise,comprehensive) (default "precise")
+      --distro string                  [EXPERIMENTAL] specify a distribution, <family>/<version>
+      --download-db-only               download/update vulnerability database but don't run a scan
+      --download-java-db-only          download/update Java index database but don't run a scan
+      --exit-code int                  specify exit code when any security issues are found
+      --exit-on-eol int                exit with the specified code when the OS reaches end of service/life
+      --file-patterns strings          specify config file patterns
+  -f, --format string                  format (table,json,template,sarif,cyclonedx,spdx,spdx-json,github,cosign-vuln) (default "table")
+  -h, --help                           help for sbom
+      --ignore-policy string           specify the Rego file path to evaluate each vulnerability
+      --ignore-status strings          comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life)
+      --ignore-unfixed                 display only fixed vulnerabilities
+      --ignored-licenses strings       specify a list of license to ignore
+      --ignorefile string              specify .trivyignore file (default ".trivyignore")
+      --java-db-repository strings     OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
+      --list-all-pkgs                  output all packages in the JSON report regardless of vulnerability
+      --no-progress                    suppress progress bar
+      --offline-scan                   do not issue API requests to identify dependencies
+  -o, --output string                  output file name
+      --output-plugin-arg string       [EXPERIMENTAL] output plugin arguments
+      --password strings               password. Comma-separated passwords allowed. TRIVY_PASSWORD should be used for security reasons.
+      --password-stdin                 password from stdin. Comma-separated passwords are not supported.
+      --pkg-relationships strings      list of package relationships (unknown,root,workspace,direct,indirect) (default [unknown,root,workspace,direct,indirect])
+      --pkg-types strings              list of package types (os,library) (default [os,library])
+      --redis-ca string                redis ca file location, if using redis as cache backend
+      --redis-cert string              redis certificate file location, if using redis as cache backend
+      --redis-key string               redis key file location, if using redis as cache backend
+      --redis-tls                      enable redis TLS with public certificates, if using redis as cache backend
+      --registry-token string          registry token
+      --rekor-url string               [EXPERIMENTAL] address of rekor STL server (default "https://rekor.sigstore.dev")
+      --sbom-sources strings           [EXPERIMENTAL] try to retrieve SBOM from the specified sources (oci,rekor)
+      --scanners strings               comma-separated list of what security issues to detect (vuln,license) (default [vuln])
+      --server string                  server address in client mode
+  -s, --severity strings               severities of security issues to be displayed (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) (default [UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL])
+      --show-suppressed                [EXPERIMENTAL] show suppressed vulnerabilities
+      --skip-db-update                 skip updating vulnerability database
+      --skip-dirs strings              specify the directories or glob patterns to skip
+      --skip-files strings             specify the files or glob patterns to skip
+      --skip-java-db-update            skip updating Java index database
+      --skip-vex-repo-update           [EXPERIMENTAL] Skip VEX Repository update
+  -t, --template string                output template
+      --token string                   for authentication in client/server mode
+      --token-header string            specify a header name for token in client/server mode (default "Trivy-Token")
+      --username strings               username. Comma-separated usernames allowed.
+      --vex strings                    [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings   order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/cli/trivy_vm.md

@@ -86,6 +86,7 @@ trivy vm [flags] VM_IMAGE
       --token string                      for authentication in client/server mode
       --token-header string               specify a header name for token in client/server mode (default "Trivy-Token")
       --vex strings                       [EXPERIMENTAL] VEX sources ("repo", "oci" or file path)
+      --vuln-severity-source strings      order of data sources for selecting vulnerability severity level (nvd,redhat,redhat-oval,debian,ubuntu,alpine,amazon,oracle-oval,suse-cvrf,photon,arch-linux,alma,rocky,cbl-mariner,azure,ruby-advisory-db,php-security-advisories,nodejs-security-wg,ghsa,glad,aqua,osv,k8s,wolfi,chainguard,bitnami,govulndb,auto) (default [auto])
 ```
 
 ### Options inherited from parent commands

docs/docs/references/configuration/config-file.md

@@ -626,6 +626,10 @@ vulnerability:
   # Same as '--ignore-unfixed'
   ignore-unfixed: false
 
+  # Same as '--vuln-severity-source'
+  severity-source:
+   - auto
+
   # Same as '--skip-vex-repo-update'
   skip-vex-repo-update: false
 

docs/docs/scanner/vulnerability.md

@@ -345,6 +345,30 @@ However, in some cases, you may want to scan an image with a different OS versio
 Also, you may want to specify the OS version when OS is not detected.
 For these cases, Trivy supports a `--distro` flag using the `<family>/<version>` format (e.g. `alpine/3.20`) to set the desired OS version.
 
+### Severity selection
+By default, Trivy automatically detects severity (as described [here](#severity-selection)).
+But there are cases when you may want to use your own source priority. Trivy supports the `--vuln-severity-source` flag for this.
+
+Fill in a list of required sources, and Trivy will check the sources in that order until it finds an existing severity.
+If no source has the severity - Trivy will use the `UNKNOWN` severity.
+
+!!! note
+    To use the default logic in combination with your sources - use the `auto` value.
+
+Example logic for the following vendor severity levels when scanning an Alpine image:
+
+```json
+"VendorSeverity": {
+  "ghsa": 3,
+  "nvd": 4,
+}
+```
+
+- `--vuln-severity-source auto,nvd` - severity is `CRITICAL`, got from `auto`.
+- `--vuln-severity-source alpine,auto` - severity is `CRITICAL`, got from `auto`.
+- `--vuln-severity-source alpine,ghsa` - severity is `HIGH`, got from `ghsa`.
+- `--vuln-severity-source alpine,alma` - severity is `UNKNOWN`.
+
 [^1]: https://github.com/GoogleContainerTools/distroless
 
 [nvd-CVE-2023-0464]: https://nvd.nist.gov/vuln/detail/CVE-2023-0464