fix(rootio): fix severity selection (#9181)

DmitriyLewen · web-flow · commit 6fafbeb60609 · 2025-07-17T06:14:28.000Z
diff --git a/docs/docs/coverage/others/rootio.md b/docs/docs/coverage/others/rootio.md
@@ -13,6 +13,9 @@ Root.io patches are detected when Trivy finds packages with specific version suf
 When Root.io patches are detected, Trivy automatically switches to Root.io scanning mode for vulnerability detection.
 Even when the original OS distributor (Debian, Ubuntu, Alpine) has not provided a patch for a vulnerability, Trivy will display Root.io patches if they are available.
 
+!!! note
+    For vulnerabilities, Trivy uses the severity level from the original OS vendor (if the vendor has specified a severity).
+
 For detailed information about supported scanners, features, and functionality, please refer to the documentation for the underlying OS:
 
 - [Debian](../os/debian.md)
diff --git a/go.mod b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/aquasecurity/testdocker v0.0.0-20250616060700-ba6845ac6d17
 	github.com/aquasecurity/tml v0.6.1
 	github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169
-	github.com/aquasecurity/trivy-db v0.0.0-20250627124416-ca81c496a932
+	github.com/aquasecurity/trivy-db v0.0.0-20250716122853-45f09ec4df9c
 	github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48
 	github.com/aquasecurity/trivy-kubernetes v0.9.0
 	github.com/aws/aws-sdk-go-v2 v1.36.5
diff --git a/go.sum b/go.sum
@@ -829,8 +829,8 @@ github.com/aquasecurity/tml v0.6.1 h1:y2ZlGSfrhnn7t4ZJ/0rotuH+v5Jgv6BDDO5jB6A9gw
 github.com/aquasecurity/tml v0.6.1/go.mod h1:OnYMWY5lvI9ejU7yH9LCberWaaTBW7hBFsITiIMY2yY=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169 h1:TckzIxUX7lZaU9f2lNxCN0noYYP8fzmSQf6a4JdV83w=
 github.com/aquasecurity/trivy-checks v1.11.3-0.20250604022615-9a7efa7c9169/go.mod h1:nT69xgRcBD4NlHwTBpWMYirpK5/Zpl8M+XDOgmjMn2k=
-github.com/aquasecurity/trivy-db v0.0.0-20250627124416-ca81c496a932 h1:5GKQ53uGGHEEtZ/FX94jcIdfEGeyiHZ7tmJ5nCtDz5c=
-github.com/aquasecurity/trivy-db v0.0.0-20250627124416-ca81c496a932/go.mod h1:Ubl2YWA6Zg7eaojg4MDmeDdYU4+PiGPsnwo6B5UIwqw=
+github.com/aquasecurity/trivy-db v0.0.0-20250716122853-45f09ec4df9c h1:nWJKidnaCx50H0JvqzCQNr0Ew9sUO0QcnGSeDJajmvc=
+github.com/aquasecurity/trivy-db v0.0.0-20250716122853-45f09ec4df9c/go.mod h1:upAJqDQkN5FdIJbtJMpokncGNhYAPGkpoCbaGciWPt4=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48 h1:JVgBIuIYbwG+ekC5lUHUpGJboPYiCcxiz06RCtz8neI=
 github.com/aquasecurity/trivy-java-db v0.0.0-20240109071736-184bd7481d48/go.mod h1:Ldya37FLi0e/5Cjq2T5Bty7cFkzUDwTcPeQua+2M8i8=
 github.com/aquasecurity/trivy-kubernetes v0.9.0 h1:rp8RuXwKfFWUPR/ULksA2WpD0z6rslVkzLmPGQr61Wc=
diff --git a/pkg/detector/ospkg/rootio/rootio.go b/pkg/detector/ospkg/rootio/rootio.go
@@ -1,6 +1,7 @@
 package rootio
 
 import (
+	"cmp"
 	"context"
 	"strings"
 
@@ -81,7 +82,7 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 			if !s.isVulnerable(ctx, utils.FormatSrcVersion(pkg), adv) {
 				continue
 			}
-			vulns = append(vulns, types.DetectedVulnerability{
+			vuln := types.DetectedVulnerability{
 				VulnerabilityID:  adv.VulnerabilityID,
 				PkgID:            pkg.ID,
 				PkgName:          pkg.Name,
@@ -91,7 +92,20 @@ func (s *Scanner) Detect(ctx context.Context, osVer string, _ *ftypes.Repository
 				PkgIdentifier:    pkg.Identifier,
 				Custom:           adv.Custom,
 				DataSource:       adv.DataSource,
-			})
+			}
+
+			// We add the severity from the base OS, so we need to keep the severity level from the base OS (as SeveritySource).
+			if adv.Severity != dbTypes.SeverityUnknown {
+				vuln.Vulnerability = dbTypes.Vulnerability{
+					Severity: adv.Severity.String(),
+				}
+
+				// Datasource contains BaseID + ID for root.io advisories,
+				// But baseOS (e.g. Debian) advisories use ID only.
+				vuln.SeveritySource = cmp.Or(adv.DataSource.BaseID, adv.DataSource.ID)
+			}
+
+			vulns = append(vulns, vuln)
 		}
 	}
 	return vulns, nil
diff --git a/pkg/detector/ospkg/rootio/rootio_test.go b/pkg/detector/ospkg/rootio/rootio_test.go
@@ -48,13 +48,33 @@ func TestScanner_Detect(t *testing.T) {
 			want: []types.DetectedVulnerability{
 				{
 					PkgName:          "openssl",
-					VulnerabilityID:  "CVE-2024-13176",
+					VulnerabilityID:  "CVE-2024-13176", // Debian and Root.io contain this CVE
 					InstalledVersion: "3.0.15-1~deb12u1.root.io.0",
 					FixedVersion:     "3.0.15-1~deb12u1.root.io.1, 3.0.16-1~deb12u1",
+					SeveritySource:   vulnerability.Debian,
 					DataSource: &dbTypes.DataSource{
-						ID:   vulnerability.RootIO,
-						Name: "Root.io Security Patches",
-						URL:  "https://api.root.io/external/patch_feed",
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Debian,
+						Name:   "Root.io Security Patches (debian)",
+						URL:    "https://api.root.io/external/patch_feed",
+					},
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityMedium.String(),
+					},
+				},
+				{
+					PkgName:          "openssl",
+					VulnerabilityID:  "CVE-2025-27587", // Debian only contains this CVE
+					InstalledVersion: "3.0.15-1~deb12u1.root.io.0",
+					FixedVersion:     "3.0.16-1~deb12u1",
+					SeveritySource:   vulnerability.Debian,
+					DataSource: &dbTypes.DataSource{
+						ID:   vulnerability.Debian,
+						Name: "Debian Security Tracker",
+						URL:  "https://salsa.debian.org/security-tracker-team/security-tracker",
+					},
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityLow.String(),
 					},
 				},
 			},
@@ -84,9 +104,10 @@ func TestScanner_Detect(t *testing.T) {
 					InstalledVersion: "1.22.1-9+deb12u2.root.io.0",
 					FixedVersion:     "1.22.1-9+deb12u2.root.io.1",
 					DataSource: &dbTypes.DataSource{
-						ID:   vulnerability.RootIO,
-						Name: "Root.io Security Patches",
-						URL:  "https://api.root.io/external/patch_feed",
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Ubuntu,
+						Name:   "Root.io Security Patches (ubuntu)",
+						URL:    "https://api.root.io/external/patch_feed",
 					},
 				},
 			},
@@ -116,9 +137,10 @@ func TestScanner_Detect(t *testing.T) {
 					InstalledVersion: "643-r00072",
 					FixedVersion:     "643-r10072",
 					DataSource: &dbTypes.DataSource{
-						ID:   vulnerability.RootIO,
-						Name: "Root.io Security Patches",
-						URL:  "https://api.root.io/external/patch_feed",
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Alpine,
+						Name:   "Root.io Security Patches (alpine)",
+						URL:    "https://api.root.io/external/patch_feed",
 					},
 				},
 			},
diff --git a/pkg/detector/ospkg/rootio/testdata/fixtures/data-source.yaml b/pkg/detector/ospkg/rootio/testdata/fixtures/data-source.yaml
@@ -1,17 +1,25 @@
 - bucket: data-source
   pairs:
+    - key: debian 12
+      value:
+        ID: "debian"
+        Name: "Debian Security Tracker"
+        URL: "https://salsa.debian.org/security-tracker-team/security-tracker"
     - key: root.io debian 12
       value:
         ID: "rootio"
-        Name: "Root.io Security Patches"
+        BaseID: "debian"
+        Name: "Root.io Security Patches (debian)"
         URL: "https://api.root.io/external/patch_feed"
     - key: root.io ubuntu 20.04
       value:
         ID: "rootio"
-        Name: "Root.io Security Patches"
+        BaseID: "ubuntu"
+        Name: "Root.io Security Patches (ubuntu)"
         URL: "https://api.root.io/external/patch_feed"
     - key: root.io alpine 3.19
       value:
         ID: "rootio"
-        Name: "Root.io Security Patches"
+        BaseID: "alpine"
+        Name: "Root.io Security Patches (alpine)"
         URL: "https://api.root.io/external/patch_feed"
diff --git a/pkg/detector/ospkg/rootio/testdata/fixtures/rootio.yaml b/pkg/detector/ospkg/rootio/testdata/fixtures/rootio.yaml
@@ -1,3 +1,21 @@
+- bucket: debian 12
+  pairs:
+    - bucket: openssl
+      pairs:
+        - key: CVE-2024-13176
+          value:
+            VulnerableVersions:
+              - "<3.0.16-1~deb12u1"
+            PatchedVersions:
+              - "3.0.16-1~deb12u1"
+            Severity: 2
+        - key: CVE-2025-27587
+          value:
+            VulnerableVersions:
+              - "<3.0.16-1~deb12u1"
+            PatchedVersions:
+              - "3.0.16-1~deb12u1"
+            Severity: 1
 - bucket: root.io debian 12
   pairs:
     - bucket: openssl
diff --git a/pkg/vulnerability/testdata/fixtures/vulnerability.yaml b/pkg/vulnerability/testdata/fixtures/vulnerability.yaml
@@ -64,6 +64,16 @@
           ghsa: 3
         References:
           - http://example.com
+    - key: CVE-2023-0001
+      value:
+        Title: dos
+        Description: dos vulnerability
+        VendorSeverity:
+          nvd: 1
+          alpine: 2
+          ubuntu: 3
+        References:
+          - http://example.com
     - key: GHSA-0000-aaaa-1111
       value:
         Title: dos
@@ -72,4 +82,4 @@
           nvd: 1
           ghsa: 3
         References:
-          - http://example.com
+          - http://example.com
diff --git a/pkg/vulnerability/vulnerability.go b/pkg/vulnerability/vulnerability.go
@@ -1,6 +1,7 @@
 package vulnerability
 
 import (
+	"cmp"
 	"slices"
 	"strings"
 	"sync"
@@ -91,8 +92,12 @@ func (c Client) FillInfo(vulns []types.DetectedVulnerability, severitySources []
 		// Detect the data source
 		dataSource := lo.FromPtr(vulns[i].DataSource)
 
+		// To determine severity, use BaseID if available, otherwise use ID.
+		// e.g. `debian` severity for root.io advisories.
+		dataSourceID := cmp.Or(dataSource.BaseID, dataSource.ID)
+
 		// Select the severity according to the detected sourceID.
-		severity, severitySource := c.getSeverity(vulnID, &vuln, dataSource, severitySources)
+		severity, severitySource := c.getSeverity(vulnID, &vuln, dataSourceID, severitySources)
 		if severity == dbTypes.SeverityUnknown.String() {
 			noSeverityIDs = append(noSeverityIDs, vulnID)
 		}
@@ -126,10 +131,10 @@ func (c Client) FillInfo(vulns []types.DetectedVulnerability, severitySources []
 	}
 }
 
-func (c Client) getSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSource dbTypes.DataSource, severitySources []dbTypes.SourceID) (string, dbTypes.SourceID) {
+func (c Client) getSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSourceID dbTypes.SourceID, severitySources []dbTypes.SourceID) (string, dbTypes.SourceID) {
 	for _, source := range severitySources {
 		if source == "auto" {
-			return c.autoDetectSeverity(vulnID, vuln, dataSource)
+			return c.autoDetectSeverity(vulnID, vuln, dataSourceID)
 		}
 
 		if severity, ok := vuln.VendorSeverity[source]; ok {
@@ -149,19 +154,19 @@ func (c Client) getSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSour
 //  3. Use the severity from NVD as a fallback.
 //  4. Try severities from other data sources (e.g., Debian severity for Red Hat distributions).
 //  5. If no severity is found from any data source, return "UNKNOWN".
-func (c Client) autoDetectSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSource dbTypes.DataSource) (string, dbTypes.SourceID) {
-	autoSeveritySrcs := []dbTypes.SourceID{dataSource.ID, vulnerability.NVD}
-	if vs, ok := vuln.VendorSeverity[dataSource.ID]; ok {
-		return vs.String(), dataSource.ID
+func (c Client) autoDetectSeverity(vulnID string, vuln *dbTypes.Vulnerability, dataSourceID dbTypes.SourceID) (string, dbTypes.SourceID) {
+	autoSeveritySrcs := []dbTypes.SourceID{dataSourceID, vulnerability.NVD}
+	if vs, ok := vuln.VendorSeverity[dataSourceID]; ok {
+		return vs.String(), dataSourceID
 	}
 
 	// use severity from GitHub for all GHSA-xxx vulnerabilities
 	if strings.HasPrefix(vulnID, "GHSA-") {
 		// use severity from GitHub for all GHSA-IDs
-		autoSeveritySrcs = []dbTypes.SourceID{dataSource.ID, vulnerability.GHSA, vulnerability.NVD}
+		autoSeveritySrcs = []dbTypes.SourceID{dataSourceID, vulnerability.GHSA, vulnerability.NVD}
 	}
 
-	if severity, severitySource := c.getSeverity(vulnID, vuln, dataSource, autoSeveritySrcs); severity != dbTypes.SeverityUnknown.String() {
+	if severity, severitySource := c.getSeverity(vulnID, vuln, dataSourceID, autoSeveritySrcs); severity != dbTypes.SeverityUnknown.String() {
 		return severity, severitySource
 	}
 
diff --git a/pkg/vulnerability/vulnerability_test.go b/pkg/vulnerability/vulnerability_test.go
@@ -371,6 +371,91 @@ func TestClient_FillInfo(t *testing.T) {
 				},
 			},
 		},
+		{
+			name:     "happy path. Use alpine severity for root.io vulnerability",
+			fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
+			vulns: []types.DetectedVulnerability{
+				{
+					VulnerabilityID: "CVE-2023-0001",
+					DataSource: &dbTypes.DataSource{
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Alpine,
+						Name:   "Root.io Security Patches (alpine)",
+						URL:    "https://api.root.io/external/patch_feed",
+					},
+				},
+			},
+			expectedVulnerabilities: []types.DetectedVulnerability{
+				{
+					VulnerabilityID: "CVE-2023-0001",
+					Status:          dbTypes.StatusAffected,
+					SeveritySource:  vulnerability.Alpine,
+					DataSource: &dbTypes.DataSource{
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Alpine,
+						Name:   "Root.io Security Patches (alpine)",
+						URL:    "https://api.root.io/external/patch_feed",
+					},
+					Vulnerability: dbTypes.Vulnerability{
+						Title:       "dos",
+						Description: "dos vulnerability",
+						Severity:    dbTypes.SeverityMedium.String(),
+						References:  []string{"http://example.com"},
+						VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
+							"nvd":    dbTypes.SeverityLow,
+							"alpine": dbTypes.SeverityMedium,
+							"ubuntu": dbTypes.SeverityHigh,
+						},
+					},
+					PrimaryURL: "https://avd.aquasec.com/nvd/cve-2023-0001",
+				},
+			},
+		},
+		{
+			name:     "happy path. Use debian severity for root.io vulnerability",
+			fixtures: []string{"testdata/fixtures/vulnerability.yaml"},
+			vulns: []types.DetectedVulnerability{
+				{
+					VulnerabilityID: "CVE-2023-0001",
+					SeveritySource:  vulnerability.Debian,
+					DataSource: &dbTypes.DataSource{
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Debian,
+						Name:   "Root.io Security Patches (debian)",
+						URL:    "https://api.root.io/external/patch_feed",
+					},
+					Vulnerability: dbTypes.Vulnerability{
+						Severity: dbTypes.SeverityCritical.String(),
+					},
+				},
+			},
+			expectedVulnerabilities: []types.DetectedVulnerability{
+				{
+					VulnerabilityID: "CVE-2023-0001",
+					Status:          dbTypes.StatusAffected,
+					SeveritySource:  vulnerability.Debian,
+					DataSource: &dbTypes.DataSource{
+						ID:     vulnerability.RootIO,
+						BaseID: vulnerability.Debian,
+						Name:   "Root.io Security Patches (debian)",
+						URL:    "https://api.root.io/external/patch_feed",
+					},
+					Vulnerability: dbTypes.Vulnerability{
+						Title:       "dos",
+						Description: "dos vulnerability",
+						Severity:    dbTypes.SeverityCritical.String(),
+						References:  []string{"http://example.com"},
+						VendorSeverity: map[dbTypes.SourceID]dbTypes.Severity{
+							"nvd":    dbTypes.SeverityLow,
+							"alpine": dbTypes.SeverityMedium,
+							"ubuntu": dbTypes.SeverityHigh,
+							"debian": dbTypes.SeverityCritical,
+						},
+					},
+					PrimaryURL: "https://avd.aquasec.com/nvd/cve-2023-0001",
+				},
+			},
+		},
 		{
 			name:     "GetVulnerability returns an error",
 			fixtures: []string{"testdata/fixtures/sad.yaml"},
