Dependency Track shows different severities than Trivy server when called directly #4103

larsriehn · 2024-08-30T07:49:10Z

larsriehn
Aug 30, 2024

We have set up the Trivy server as an analyzer in Dependency Track.
I realized that the severities shown in Dependency Track differ from the ones I receive when I call the Trivy server directly (trivy sbom --server http://trivy.tools.systems:4954 --scanners vuln sbom.json)
Especially the CVEs for libc6. CVE-2019-1010022 is shown as CRITICAL while a direct call results in LOW. And there are more. See the screenshot (nearly all CVEs in there result from the trivy analyzer). Dependency track version is v4.11.7
Can anyone explain this behaviour?

larsriehn · 2025-04-02T09:18:24Z

larsriehn
Apr 2, 2025
Author

Anyone?

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Dependency Track shows different severities than Trivy server when called directly #4103

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Dependency Track shows different severities than Trivy server when called directly #4103

Uh oh!

larsriehn Aug 30, 2024

Replies: 1 comment

Uh oh!

larsriehn Apr 2, 2025 Author

larsriehn
Aug 30, 2024

larsriehn
Apr 2, 2025
Author