Merge pull request #18865 from dvdksn/scout-vuln-severities

scout: describe cve severity categorization
David Karlsson 2024-01-17 19:18:13 +01:00 committed by GitHub
commit a96864c974
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 39 additions and 0 deletions


@ -202,3 +202,42 @@ reference documentation:
- [`docker scout quickview`](../engine/reference/commandline/scout_quickview.md)
- [`docker scout cves`](../engine/reference/commandline/scout_cves.md)
## Vulnerability severity assessment
Docker Scout assigns a severity rating to vulnerabilities based on
vulnerability data from [advisory sources](./advisory-db-sources.md).
Advisories are ranked and prioritized depending on the type of package that's
affected by a vulnerability. For example, if a vulnerability affects an OS
package, the severity level assigned by the distribution maintainer is
prioritized.
If the preferred advisory source has assigned a severity rating to a CVE, but
not a CVSS score, Docker Scout falls back to displaying a CVSS score from
another source. The severity rating from the preferred advisory and the CVSS
score from the fallback advisory are displayed together. This means a
vulnerability can have a severity rating of `LOW` with a CVSS score of 9.8, if
the preferred advisory assigns a `LOW` rating but no CVSS score, and a fallback
advisory assigns a CVSS score of 9.8.
Vulnerabilities that haven't been assigned a CVSS score in any source are
categorized as **Unspecified** (U).
Docker Scout doesn't implement a proprietary vulnerability metrics system. All
metrics are inherited from security advisories that Docker Scout integrates
with. Advisories may use different thresholds for classifying vulnerabilities,
but most of them adhere to the CVSS v3.0 specification, which maps CVSS scores
to severity ratings according to the following table:
| CVSS score | Severity rating |
| ---------- | ---------------- |
| 0.1 3.9 | **Low** (L) |
| 4.0 6.9 | **Medium** (M) |
| 7.0 8.9 | **High** (H) |
| 9.0 10.0 | **Critical** (C) |
For more information, see [Vulnerability Metrics (NIST)](https://nvd.nist.gov/vuln-metrics/cvss).
Note that, given the advisory prioritization and fallback mechanism described
earlier, severity ratings displayed in Docker Scout may deviate from this
rating system.
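Review bot: the CVSS ranges in the added table have lost their separator, so the rows read `| 0.1 3.9 |`, `| 4.0 6.9 |` and so on; write each range with an explicit separator (for example `0.1 - 3.9`) so the bounds don't render as two bare numbers. The table also omits a score of 0.0, which the CVSS v3.x qualitative scale labels "None"; either add that row or say that 0.0 isn't mapped to a rating. One wording point on the "Unspecified" paragraph: the preceding paragraph says a CVE can carry a severity rating from the preferred source while its CVSS score comes from a fallback source, so it's unclear whether a CVE that has a severity rating but no CVSS score in any source is shown as Unspecified or keeps its rating; stating which case applies would remove the ambiguity. Finally, "CVSS v3.0 specification" could read "CVSS v3.x", since the linked NIST page and the same rating scale cover v3.1 as well.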