1 file changed +21 -0 lines changed
content/manuals/scout/deep-dive
@@ -58,6 +58,27 @@ your SBOM is cross-referenced with the CVE information to detect how it affects
5858
5959For more details on how image analysis works, see the [ image analysis page] ( /manuals/scout/explore/analysis.md ) .
6060
61+ ## Severity and scoring priority
62+
63+ Docker Scout uses two main principles when determining severity and scoring for
64+ CVEs:
65+
66+ - Source priority
67+ - CVSS version preference
68+
69+ For source priority, Docker Scout follows this order:
70+
71+ 1 . Vendor advisories: Scout always uses the severity and scoring data from the
72+ source that matches the package and version. For example, Debian data for
73+ Debian packages.
74+
75+ 2 . NIST scoring data: If the vendor doesn't provide scoring data for a CVE,
76+ Scout falls back to NIST scoring data.
77+
78+ For CVSS version preference, once Scout has selected a source, it prefers CVSS
79+ v4 over v3 when both are available, as v4 is the more modern and precise scoring
80+ model.
81+
6182## Vulnerability matching
6283
6384Traditional tools often rely on broad [ Common Product Enumeration (CPE)] ( https://en.wikipedia.org/wiki/Common_Platform_Enumeration ) matching,
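Review bot: "Scout always uses the severity and scoring data from the source that matches the package and version" in item 1 contradicts item 2, which says Scout falls back to NIST data when the vendor provides no score; suggest "Scout first looks for severity and scoring data from the source that matches the package and version" so the two items read as an ordered preference. Two gaps a reader will hit: the list does not say what Scout reports when neither the vendor nor NIST has scored the CVE (unscored, or a vendor severity with no CVSS vector), and the CVSS paragraph only covers v4 versus v3, so an advisory that carries only a CVSS v2 score is unaddressed; one sentence for each case would close this. Minor: "NIST scoring data" would be clearer as "NVD (NIST) scoring data" with a link, matching the link style used in the Vulnerability matching section, and "as v4 is the more modern and precise scoring model" reads as opinion; "because v4 is the newer version of the standard" is enough.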