We have set up the Trivy server as an analyzer in Dependency Track.
I realized that the severities shown in Dependency Track differ from the ones I receive when I call the Trivy server directly (trivy sbom --server http://trivy.tools.systems:4954 --scanners vuln sbom.json).
Especially the CVEs for libc6: CVE-2019-1010022 is shown as CRITICAL, while a direct call results in LOW. And there are more. See the screenshot (nearly all CVEs in there result from the Trivy analyzer). Dependency Track version is v4.11.7.
Can anyone explain this behaviour?
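The page does not say why the two severities differ, but the first thing to check is which source Trivy itself took its severity from, because its JSON report carries both the chosen rating and the per-source ratings. The script below is an added diagnostic, not code from the poster, Trivy or Dependency-Track: it reads a Trivy JSON report (as produced with `--format json`), lists the vendor severities per CVE, and flags every CVE whose reported severity disagrees with a reference source. The field names (`Results`, `Vulnerabilities`, `Severity`, `SeveritySource`, `VendorSeverity`, `CVSS`) are those of Trivy's JSON output as I know them; the embedded sample report and its numeric ratings are constructed for illustration and are not a real scan result.

```python
import json

# Trivy's VendorSeverity map uses integer levels (assumed: 0=UNKNOWN .. 4=CRITICAL).
SEVERITY_NAMES = {0: "UNKNOWN", 1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}

# Constructed sample in the shape of a Trivy JSON report; values are illustrative only.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "sbom.json (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2019-1010022", "PkgName": "libc6",
             "Severity": "LOW", "SeveritySource": "debian",
             "VendorSeverity": {"debian": 1, "nvd": 4},
             "CVSS": {"nvd": {"V3Score": 9.8}}},
            {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libc6",   # placeholder id
             "Severity": "MEDIUM", "SeveritySource": "nvd",
             "VendorSeverity": {"nvd": 2}},
        ],
    }],
})


def severity_table(report_json):
    """Map each CVE to Trivy's reported severity, the source it came from,
    and the severity every vendor in VendorSeverity assigned to it."""
    report = json.loads(report_json)
    table = {}
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            vendors = {src: SEVERITY_NAMES.get(level, "UNKNOWN")
                       for src, level in (vuln.get("VendorSeverity") or {}).items()}
            table[vuln["VulnerabilityID"]] = {
                "package": vuln.get("PkgName"),
                "reported": vuln.get("Severity", "UNKNOWN"),
                "source": vuln.get("SeveritySource"),
                "vendors": vendors,
            }
    return table


def disagreements(report_json, reference="nvd"):
    """CVEs where Trivy's chosen severity differs from the reference source's
    rating. Returns {cve: (reported, source, reference_rating)}."""
    out = {}
    for cve, row in severity_table(report_json).items():
        ref = row["vendors"].get(reference)
        if ref is not None and ref != row["reported"]:
            out[cve] = (row["reported"], row["source"], ref)
    return out


if __name__ == "__main__":
    # Replace SAMPLE_REPORT with open("report.json").read() to analyse a real scan.
    for cve, row in severity_table(SAMPLE_REPORT).items():
        print(f"{cve} {row['package']}: reported {row['reported']} "
              f"(from {row['source']}), vendors {row['vendors']}")
    for cve, (reported, source, ref) in disagreements(SAMPLE_REPORT).items():
        print(f"MISMATCH {cve}: Trivy says {reported} via {source}, nvd says {ref}")
```

Running this over the output of a direct scan shows, for each CVE, whether Trivy's LOW came from a distribution advisory while another source rates the same CVE higher; comparing that table with what Dependency-Track displays narrows the question to which rating each side is using.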