CNVM Severity UNKNOWN Fix (#3885)

### Summary of your changes
Following an SDH:
- elastic/sdh-beats#6815

Investigated the root cause and suspected this PR:
- aquasecurity/trivy#8269

As mentioned in comment:
-
elastic/sdh-beats#6815 (comment)

Suspected the Trivy upgrade.
Introduced code to resolve this problem.

You can see two examples prior and after code changes of scanning an EBS
volume:
```
🐚 Evgbs-MBP:cloudbeat evgb$ cd /Users/evgb/Documents/GitHub/cloudbeat && go build -o ebs-vuln-scanner-old ./cmd/ebs-vuln-scanner/ && ./ebs-vuln-scanner-old --snapshot snap-ID --region us-east-2 --profile csp --verbose
Starting vulnerability scan for EBS snapshot: snap-ID in region: us-east-2
Scanning EBS snapshot (this may take several minutes)...

=== EBS Snapshot Vulnerability Scan Results ===
Snapshot:  snap-ID
Region:    us-east-2
Scan Time: 2026-01-22T14:27:28-06:00
Duration:  19m16.221003125s

Vulnerability Summary:
  CRITICAL: 0
  HIGH:     0
  MEDIUM:   0
  LOW:      0
  UNKNOWN:  44
  ─────────────
  TOTAL:    44
🐚 Evgbs-MBP:cloudbeat evgb$ cd /Users/evgb/Documents/GitHub/cloudbeat && go build -o ebs-vuln-scanner ./cmd/ebs-vuln-scanner/ && ./ebs-vuln-scanner --snapshot snap-ID --region us-east-2 --profile csp --verbose
Starting vulnerability scan for EBS snapshot: snap-ID in region: us-east-2
Scanning EBS snapshot (this may take several minutes)...

=== EBS Snapshot Vulnerability Scan Results ===
Snapshot:  snap-ID
Region:    us-east-2
Scan Time: 2026-01-22T14:52:53-06:00
Duration:  1.080233708s

Vulnerability Summary:
  CRITICAL: 0
  HIGH:     16
  MEDIUM:   24
  LOW:      4
  UNKNOWN:  0
  ─────────────
  TOTAL:    44
```

As you can see prior to changes we get UNKNOWN and after we get the
correct severities.

### Screenshot/Data
<!--
If this PR adds a new feature, please add an example screenshot or data
(findings json for example).
-->


### Related Issues
- Fixes: elastic/kibana#226881
- Fixes: elastic/sdh-beats#6815
- Fixes: #3532

### Checklist
- [ ] I have added tests that prove my fix is effective or that my
feature works
- [ ] I have added the necessary README/documentation (if appropriate)

#### Introducing a new rule?

- [ ] Generate rule metadata using [this
script](https://github.com/elastic/cloudbeat/tree/main/security-policies/dev#generate-rules-metadata)
- [ ] Add relevant unit tests
- [ ] Generate relevant rule templates using [this
script](https://github.com/elastic/cloudbeat/tree/main/security-policies/dev#generate-rule-templates),
and open a PR in
[elastic/packages/cloud_security_posture](https://github.com/elastic/integrations/tree/main/packages/cloud_security_posture)

Author: jeniawhite

internal/vulnerability/events_creator_test.go

@@ -26,11 +26,13 @@ import (
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 	trivyVul "github.com/aquasecurity/trivy-db/pkg/vulnsrc/vulnerability"
 	"github.com/aquasecurity/trivy/pkg/types"
+	ec2types "github.com/aws/aws-sdk-go-v2/service/ec2/types"
 	"github.com/elastic/beats/v7/libbeat/beat"
 	"github.com/stretchr/testify/mock"
 	"github.com/stretchr/testify/suite"
 
 	"github.com/elastic/cloudbeat/internal/dataprovider"
+	"github.com/elastic/cloudbeat/internal/resources/providers/awslib/ec2"
 	"github.com/elastic/cloudbeat/internal/resources/utils/testhelper"
 )
 
@@ -378,3 +380,140 @@ func generateResults(size int) []Result {
 	}
 	return results
 }
+
+func (s *EventsCreatorTestSuite) TestGenerateEvent_SeverityPreserved() {
+	s.bdp.EXPECT().EnrichEvent(mock.Anything, mock.Anything).Return(nil)
+	s.cdp.EXPECT().EnrichEvent(mock.Anything).Return(nil)
+
+	tests := []struct {
+		name             string
+		inputSeverity    string
+		expectedSeverity string
+	}{
+		{
+			name:             "critical severity is preserved",
+			inputSeverity:    "CRITICAL",
+			expectedSeverity: "CRITICAL",
+		},
+		{
+			name:             "high severity is preserved",
+			inputSeverity:    "HIGH",
+			expectedSeverity: "HIGH",
+		},
+		{
+			name:             "medium severity is preserved",
+			inputSeverity:    "MEDIUM",
+			expectedSeverity: "MEDIUM",
+		},
+		{
+			name:             "low severity is preserved",
+			inputSeverity:    "LOW",
+			expectedSeverity: "LOW",
+		},
+		{
+			name:             "unknown severity is preserved",
+			inputSeverity:    "UNKNOWN",
+			expectedSeverity: "UNKNOWN",
+		},
+		{
+			name:             "empty severity is preserved as empty",
+			inputSeverity:    "",
+			expectedSeverity: "",
+		},
+	}
+
+	for _, tt := range tests {
+		s.Run(tt.name, func() {
+			// Reset mocks for each sub-test
+			s.bdp = &dataprovider.MockCommonDataProvider{}
+			s.cdp = &MockEnricher{}
+			s.bdp.EXPECT().EnrichEvent(mock.Anything, mock.Anything).Return(nil)
+			s.cdp.EXPECT().EnrichEvent(mock.Anything).Return(nil)
+
+			s.creator = EventsCreator{
+				log:                testhelper.NewLogger(s.T()),
+				cloudDataProvider:  s.bdp,
+				commonDataProvider: s.cdp,
+				ch:                 make(chan []beat.Event),
+			}
+
+			vul := types.DetectedVulnerability{
+				VulnerabilityID: "CVE-2024-12345",
+				Vulnerability: dbTypes.Vulnerability{
+					Severity: tt.inputSeverity,
+					CVSS: dbTypes.VendorCVSS{
+						trivyVul.NVD: dbTypes.CVSS{
+							V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
+							V3Score:  9.8,
+						},
+					},
+				},
+			}
+
+			reportResult := types.Result{
+				Target: "/test/path",
+				Class:  types.ClassOSPkg,
+			}
+
+			event := s.creator.generateEvent(reportResult, vul, generateTestInstance(), time.Now())
+
+			vulField, ok := event.Fields["vulnerability"]
+			s.Require().True(ok, "event should have vulnerability field")
+
+			vulData, ok := vulField.(Vulnerability)
+			s.Require().True(ok, "vulnerability field should be of type Vulnerability")
+
+			s.Equal(tt.expectedSeverity, vulData.Severity,
+				"severity should be preserved from Trivy's DetectedVulnerability")
+		})
+	}
+}
+
+func (s *EventsCreatorTestSuite) TestGenerateEvent_SeverityNotUnknownWhenProvided() {
+	s.bdp.EXPECT().EnrichEvent(mock.Anything, mock.Anything).Return(nil)
+	s.cdp.EXPECT().EnrichEvent(mock.Anything).Return(nil)
+
+	vul := types.DetectedVulnerability{
+		VulnerabilityID: "CVE-2024-99999",
+		Vulnerability: dbTypes.Vulnerability{
+			Severity: "HIGH",
+			VendorSeverity: dbTypes.VendorSeverity{
+				trivyVul.RedHat: dbTypes.SeverityHigh,
+				trivyVul.NVD:    dbTypes.SeverityHigh,
+			},
+			CVSS: dbTypes.VendorCVSS{
+				trivyVul.NVD: dbTypes.CVSS{
+					V3Vector: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
+					V3Score:  7.5,
+				},
+			},
+		},
+	}
+
+	reportResult := types.Result{
+		Target: "/test/path",
+		Class:  types.ClassOSPkg,
+	}
+
+	event := s.creator.generateEvent(reportResult, vul, generateTestInstance(), time.Now())
+
+	vulField, ok := event.Fields["vulnerability"]
+	s.Require().True(ok)
+
+	vulData, ok := vulField.(Vulnerability)
+	s.Require().True(ok)
+
+	s.NotEqual("UNKNOWN", vulData.Severity,
+		"severity should not be UNKNOWN when Trivy provides a valid severity - "+
+			"this may indicate VulnSeveritySources is not configured in scanner.go")
+	s.Equal("HIGH", vulData.Severity)
+}
+
+func generateTestInstance() ec2.Ec2Instance {
+	instanceID := "i-1234567890abcdef0"
+	return ec2.Ec2Instance{
+		Instance: ec2types.Instance{
+			InstanceId: &instanceID,
+		},
+	}
+}

internal/vulnerability/scanner.go

@@ -145,6 +145,9 @@ func (f VulnerabilityScanner) scan(ctx context.Context, snap ec2.EBSSnapshot) {
 			Format:     "json",
 			Severities: []db_types.Severity{0, 1, 2, 3, 4},
 		},
+		VulnerabilityOptions: flag.VulnerabilityOptions{
+			VulnSeveritySources: []db_types.SourceID{"auto"},
+		},
 	}
 	now := time.Now()
 	report, err := f.runner.ScanVM(ctx, opts)

internal/vulnerability/scanner_test.go

@@ -22,6 +22,7 @@ import (
 	"testing"
 	"time"
 
+	db_types "github.com/aquasecurity/trivy-db/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	"github.com/stretchr/testify/assert"
@@ -100,3 +101,19 @@ func TestVulnerabilityScanner_TearDown(t *testing.T) {
 	// Go defers are implemented as a LIFO stack. This should be the last one to run.
 	goleak.VerifyNone(t, goleak.IgnoreCurrent())
 }
+
+func TestScanOptions_VulnSeveritySourcesConfigured(t *testing.T) {
+	expectedSeveritySources := []db_types.SourceID{"auto"}
+
+	opts := flag.Options{
+		VulnerabilityOptions: flag.VulnerabilityOptions{
+			VulnSeveritySources: []db_types.SourceID{"auto"},
+		},
+	}
+
+	require.NotEmpty(t, opts.VulnerabilityOptions.VulnSeveritySources,
+		"VulnSeveritySources must be configured, otherwise Trivy returns UNKNOWN for all severities")
+
+	assert.Equal(t, expectedSeveritySources, opts.VulnerabilityOptions.VulnSeveritySources,
+		"VulnSeveritySources should be set to 'auto' to enable automatic severity detection")
+}