Vendor Severity missing for findings from Go Vulnerability Database govulndb #9671

oallauddin · 2025-10-15T20:30:30Z

oallauddin
Oct 15, 2025

Description

Pipeline we use parses cyclonedx findings. Findings that are sourced from govulndb do not have the rating for the govulndb source. Unable to determine the severity level for the source because of this. I believe the reason there is no rating is because the VendorSeverity is missing for findings from govulndb.

Desired Behavior

Have a VendorSeverity/rating entry for findings that are sourced from govulndb.

Actual Behavior

There is no VendorSeverity/rating entry for findings that are sourced from govulndb.

Reproduction Steps

Below is a shell script to generate trivy-image.json and trivy-cyclonedx.json

#!/bin/bash
TRIVY_IMAGE_COMMAND="image --cache-dir /tmp/trivy --scanners license,vuln --format json --list-all-pkgs --output /tmp/trivy/trivy-image.json docker.io/hashicorp/terraform:latest"
export TRIVY_IMAGE_COMMAND

TRIVY_CONVERT_COMMAND="convert --cache-dir /tmp/trivy --format cyclonedx --scanners license,vuln --output /tmp/trivy/trivy-cyclonedx.json /tmp/trivy/trivy-image.json"
export TRIVY_CONVERT_COMMAND

docker run --rm -it \
   --volume /c/tmp/trivy:/tmp/trivy \
   docker.io/aquasec/trivy:latest $TRIVY_IMAGE_COMMAND

docker run --rm -it \
   --volume /c/tmp/trivy:/tmp/trivy \
   docker.io/aquasec/trivy:latest $TRIVY_CONVERT_COMMAND

Snippet from trivy-image.json. Compare CVE-2025-58058 with CVE-2025-47907.
CVE-2025-58058 is sourced from ghsa and has a VendorSeverity value of 2 for ghsa i.e. MEDIUM.
CVE-2025-47907 is sourced from govulndb and has no VendorSeverity value for govulndb.

        {
          "VulnerabilityID": "CVE-2025-58058",
          "PkgID": "github.com/ulikunitz/[email protected]",
          "PkgName": "github.com/ulikunitz/xz",
          "PkgIdentifier": {
            "PURL": "pkg:golang/github.com/ulikunitz/[email protected]",
            "UID": "7d888a458e19196a"
          },
          "InstalledVersion": "v0.5.10",
          "FixedVersion": "0.5.15",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:fd5975e7a295460d8a4b3761897f056a424990b8c6d2a5718ca7dc088f80bc50",
            "DiffID": "sha256:6cebf11f9ab6065bae4d570cdcb45eb101bb9afcec48facc7c8e1029bc2b2989"
          },
          "SeveritySource": "ghsa",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-58058",
          "DataSource": {
            "ID": "ghsa",
            "Name": "GitHub Security Advisory Go",
            "URL": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
          },
          "Title": "github.com/ulikunitz/xz: github.com/ulikunitz/xz leaks memory",
          "Description": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
          "Severity": "MEDIUM",
          "CweIDs": [
            "CWE-770"
          ],
          "VendorSeverity": {
            "cbl-mariner": 2,
            "ghsa": 2,
            "redhat": 2
          },
          "CVSS": {
            "ghsa": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
              "V3Score": 5.3
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2025-58058",
            "https://github.com/ulikunitz/xz",
            "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2",
            "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9",
            "https://nvd.nist.gov/vuln/detail/CVE-2025-58058",
            "https://www.cve.org/CVERecord?id=CVE-2025-58058"
          ],
          "PublishedDate": "2025-08-28T22:15:32.577Z",
          "LastModifiedDate": "2025-08-29T16:24:29.73Z"
        },
        {
          "VulnerabilityID": "CVE-2025-47907",
          "PkgID": "[email protected]",
          "PkgName": "stdlib",
          "PkgIdentifier": {
            "PURL": "pkg:golang/[email protected]",
            "UID": "1ec3c2315149465c"
          },
          "InstalledVersion": "v1.24.5",
          "FixedVersion": "1.23.12, 1.24.6",
          "Status": "fixed",
          "Layer": {
            "Digest": "sha256:fd5975e7a295460d8a4b3761897f056a424990b8c6d2a5718ca7dc088f80bc50",
            "DiffID": "sha256:6cebf11f9ab6065bae4d570cdcb45eb101bb9afcec48facc7c8e1029bc2b2989"
          },
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2025-47907",
          "DataSource": {
            "ID": "govulndb",
            "Name": "The Go Vulnerability Database",
            "URL": "https://pkg.go.dev/vuln/"
          },
          "Title": "database/sql: Postgres Scan Race Condition",
          "Description": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.",
          "Severity": "HIGH",
          "VendorSeverity": {
            "amazon": 3,
            "azure": 3,
            "bitnami": 3,
            "cbl-mariner": 3,
            "redhat": 2
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "V3Score": 7
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "V3Score": 7
            }
          },
          "References": [
            "https://access.redhat.com/security/cve/CVE-2025-47907",
            "https://go.dev/cl/693735",
            "https://go.dev/issue/74831",
            "https://groups.google.com/g/golang-announce/c/x5MKroML2yM",
            "https://nvd.nist.gov/vuln/detail/CVE-2025-47907",
            "https://pkg.go.dev/vuln/GO-2025-3849",
            "https://www.cve.org/CVERecord?id=CVE-2025-47907"
          ],
          "PublishedDate": "2025-08-07T16:15:30.357Z",
          "LastModifiedDate": "2025-08-07T21:26:37.453Z"
        },

Snippet from trivy-cyclonedx.json. Compare CVE-2025-58058 with CVE-2025-47907. I believe when the file is converted to cyclonedx format VendorSeverity is used to generate the ratings. Since CVE-2025-47907 has no VendorSeverity for the govulndb source, no rating is generated in the cylconedx format.

    {
      "id": "CVE-2025-58058",
      "source": {
        "name": "ghsa",
        "url": "https://github.com/advisories?query=type%3Areviewed+ecosystem%3Ago"
      },
      "ratings": [
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "medium"
        },
        {
          "source": {
            "name": "ghsa"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 5.3,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
        }
      ],
      "cwes": [
        770
      ],
      "description": "xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.",
      "recommendation": "Upgrade github.com/ulikunitz/xz to version 0.5.15",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-58058"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-58058"
        },
        {
          "url": "https://github.com/ulikunitz/xz"
        },
        {
          "url": "https://github.com/ulikunitz/xz/commit/88ddf1d0d98d688db65de034f48960b2760d2ae2"
        },
        {
          "url": "https://github.com/ulikunitz/xz/security/advisories/GHSA-jc7w-c686-c4v9"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58058"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-58058"
        }
      ],
      "published": "2025-08-28T22:15:32+00:00",
      "updated": "2025-08-29T16:24:29+00:00",
      "affects": [
        {
          "ref": "pkg:golang/github.com/ulikunitz/[email protected]",
          "versions": [
            {
              "version": "v0.5.10",
              "status": "affected"
            }
          ]
        }
      ]
    },
    {
      "id": "CVE-2025-47907",
      "source": {
        "name": "govulndb",
        "url": "https://pkg.go.dev/vuln/"
      },
      "ratings": [
        {
          "source": {
            "name": "amazon"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "azure"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "bitnami"
          },
          "score": 7,
          "severity": "high",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"
        },
        {
          "source": {
            "name": "cbl-mariner"
          },
          "severity": "high"
        },
        {
          "source": {
            "name": "redhat"
          },
          "score": 7,
          "severity": "medium",
          "method": "CVSSv31",
          "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L"
        }
      ],
      "description": "Cancelling a query (e.g. by cancelling the context passed to one of the query methods) during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.",
      "recommendation": "Upgrade stdlib to version 1.23.12, 1.24.6",
      "advisories": [
        {
          "url": "https://avd.aquasec.com/nvd/cve-2025-47907"
        },
        {
          "url": "https://access.redhat.com/security/cve/CVE-2025-47907"
        },
        {
          "url": "https://go.dev/cl/693735"
        },
        {
          "url": "https://go.dev/issue/74831"
        },
        {
          "url": "https://groups.google.com/g/golang-announce/c/x5MKroML2yM"
        },
        {
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-47907"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2025-3849"
        },
        {
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-47907"
        }
      ],
      "published": "2025-08-07T16:15:30+00:00",
      "updated": "2025-08-07T21:26:37+00:00",
      "affects": [
        {
          "ref": "pkg:golang/[email protected]",
          "versions": [
            {
              "version": "v1.24.5",
              "status": "affected"
            }
          ]
        }
      ]
    }

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

2025-10-15T20:28:06Z    DEBUG   No plugins loaded
2025-10-15T20:28:06Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-15T20:28:06Z    DEBUG   Cache dir       dir="/tmp/trivy"
2025-10-15T20:28:06Z    DEBUG   Cache dir       dir="/tmp/trivy"
2025-10-15T20:28:06Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-15T20:28:06Z    DEBUG   Ignore statuses statuses=[]
2025-10-15T20:28:06Z    DEBUG   DB update was skipped because the local DB is the latest
2025-10-15T20:28:06Z    DEBUG   DB info schema=2 updated_at=2025-10-15T12:34:22.613175611Z next_update=2025-10-16T12:34:22.61317536Z downloaded_at=2025-10-15T18:21:49.037320858Z
2025-10-15T20:28:06Z    DEBUG   [notification] Running version check
2025-10-15T20:28:06Z    DEBUG   [pkg] Package types     types=[os library]
2025-10-15T20:28:06Z    DEBUG   [pkg] Package relationships     relationships=[unknown root workspace direct indirect]
2025-10-15T20:28:06Z    INFO    [vuln] Vulnerability scanning is enabled
2025-10-15T20:28:06Z    INFO    [license] License scanning is enabled
2025-10-15T20:28:06Z    DEBUG   Initializing scan cache...      type="fs"
2025-10-15T20:28:07Z    DEBUG   [notification] Version check completed  latest_version="0.67.2"
2025-10-15T20:28:08Z    DEBUG   [image] Image found     image="docker.io/hashicorp/terraform:latest" source="remote"
2025-10-15T20:28:08Z    DEBUG   Created process-specific temp directory path="/tmp/trivy-1"
2025-10-15T20:28:08Z    DEBUG   [image] Detected image ID       image_id="sha256:82e63b0e94116552579f80bee839d55d34131e1fb65f7446c402409f7a3c1d78"
2025-10-15T20:28:08Z    DEBUG   [image] Detected diff ID        diff_ids=[sha256:256f393e029fa2063d8c93720da36a74a032bed3355a2bc3e313ad12f8bde9d1 sha256:fcb358dbf39f82c22ebe9c0dae15f1e73b28578880fa743630c9f9347534a248 sha256:3af73ac43bbfe458728df6e2ea88876377c45fef9287a6b091864666054ea2e0 sha256:6cebf11f9ab6065bae4d570cdcb45eb101bb9afcec48facc7c8e1029bc2b2989]
2025-10-15T20:28:08Z    DEBUG   [image] Detected base layers    diff_ids=[sha256:256f393e029fa2063d8c93720da36a74a032bed3355a2bc3e313ad12f8bde9d1]
2025-10-15T20:28:08Z    INFO    Detected OS     family="alpine" version="3.22.2"
2025-10-15T20:28:08Z    INFO    [alpine] Detecting vulnerabilities...   os_version="3.22" repository="3.22" pkg_num=39
2025-10-15T20:28:08Z    INFO    Number of language-specific files       num=1
2025-10-15T20:28:08Z    INFO    [gobinary] Detecting vulnerabilities...
2025-10-15T20:28:08Z    DEBUG   [gobinary] Scanning packages for vulnerabilities        file_path="bin/terraform"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="github.com/hashicorp/terraform"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/azure"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/consul"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/cos"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/gcs"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/kubernetes"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/oci"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/oss"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/pg"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/backend/remote-state/s3"
2025-10-15T20:28:08Z    DEBUG   [gobinary] Skipping vulnerability scan as no version is detected for the package        name="./internal/legacy"
2025-10-15T20:28:08Z    WARN    Using severities from other vendors for some vulnerabilities. Read https://trivy.dev/v0.67/docs/scanner/vulnerability#severity-selection for details.
2025-10-15T20:28:08Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-10-15T20:28:08Z    DEBUG   [vex] VEX filtering is disabled
2025-10-15T20:28:08Z    DEBUG   Cleaning up temp directory      path="/tmp/trivy-1"
2025-10-15T20:28:09Z    DEBUG   No plugins loaded
2025-10-15T20:28:09Z    DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2025-10-15T20:28:09Z    DEBUG   Cache dir       dir="/tmp/trivy"
2025-10-15T20:28:09Z    DEBUG   Cache dir       dir="/tmp/trivy"
2025-10-15T20:28:09Z    DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-10-15T20:28:09Z    DEBUG   Specified ignore file does not exist    file=".trivyignore"
2025-10-15T20:28:09Z    DEBUG   [vex] VEX filtering is disabled
2025-10-15T20:28:09Z    DEBUG   [convert] Writing report to output...

Operating System

Linux

Version

Version: 0.67.2

Checklist

Run trivy clean --all
Read the troubleshooting

DmitriyLewen · 2025-10-16T06:16:40Z

DmitriyLewen
Oct 16, 2025
Maintainer

Hello @oallauddin
Thanks for your interest to Trivy.

govulndb doesn’t have a severity field in its advisories.
For example: https://github.com/golang/vulndb/blob/7159bc701084145cabeab63e26393233cb11ff43/data/cve/v5/GO-2025-3849.json

That’s why VendorSeverity doesn’t include any severity for govulndb.

Regards, Dmitriy

2 replies

oallauddin Oct 16, 2025
Author

@DmitriyLewen
Thanks for getting back to me. A few questions.

Looking at this doc for Severity Selection. https://trivy.dev/latest/docs/scanner/vulnerability/#severity-selection
If the data source does not provide a severity, the severity is determined based on the CVSS score.
I am seeing two CVSS scores for CVE-2025-47907.
How is the HIGH determined?

I think the logic is somewhere here https://github.com/aquasecurity/trivy/blob/main/pkg/vulnerability/vulnerability.go#L149.
Looking over the code. Using default behavior of auto severity sources. The primary severity source i.e. govulndb has no severity. It attempts to use the NVD severity but there is none. It then uses the score from the first vendor in the list i.e. bitnami in my example. Is this accurate?

          "Severity": "HIGH",
          "VendorSeverity": {
            "amazon": 3,
            "azure": 3,
            "bitnami": 3,
            "cbl-mariner": 3,
            "redhat": 2
          },
          "CVSS": {
            "bitnami": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "V3Score": 7
            },
            "redhat": {
              "V3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L",
              "V3Score": 7
            }

Are there any other vulnerability databases that don't have a severity field i.e. would have this same issue?

DmitriyLewen Oct 17, 2025
Maintainer

Hello @oallauddin

If the data source does not provide a severity, the severity is determined based on the CVSS score.

It means this works within a single source.

In your case, the sequence will be as follows:
1. severity from govulndb
2. CVSS from govulndb
3. next source (e.g., NVD)
4. and so on.

Are there any other vulnerability databases that don't have a severity field i.e. would have this same issue?

IIRC alpine doesn't have severity.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Vendor Severity missing for findings from Go Vulnerability Database govulndb #9671

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Vendor Severity missing for findings from Go Vulnerability Database govulndb #9671

Uh oh!

Uh oh!

oallauddin Oct 15, 2025

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Operating System

Version

Checklist

Replies: 1 comment · 2 replies

Uh oh!

DmitriyLewen Oct 16, 2025 Maintainer

Uh oh!

Uh oh!

oallauddin Oct 16, 2025 Author

Uh oh!

DmitriyLewen Oct 17, 2025 Maintainer

oallauddin
Oct 15, 2025

Replies: 1 comment 2 replies

DmitriyLewen
Oct 16, 2025
Maintainer

oallauddin Oct 16, 2025
Author

DmitriyLewen Oct 17, 2025
Maintainer