It's not necessarily CVE-ID.

Vendor is unclear. We may want to show the source (dbTypes.SourceID).

I thought about this, but there is 1 problem with this.
We fill severity filed in trivy-db:
https://github.com/aquasecurity/trivy-db/blob/b8fe1376ffcdc69fe454f0a8a481ab485e47aea5/pkg/vulnsrc/vulnerability/vulnerability.go#L92-L108

Therefore, we don't have info about vendor for this severity.

We can only check vendorSeverity and detect vendor with same severity.
But if 2 vendors use this severity, we may make mistake in our choice

I mean, we should say "Debian and NVD don't have severity" when scanning a Debian image and "Ubuntu and NVD don't have severity" when scanning an Ubuntu image. We need to consider what should be displayed with language-specific packages, though.

I understand you now.
We can use dataSource.Name (see :

It also works for language-specific packages

Don't we need sync.Once to prevent from showing the same messages many times?

I think we should show each vulnerability with non-vendor (non-nvd) severity.
It will be difficult (and possibly manual) for user to detect vulnerabilities with inappropriate severity levels if we simply say that some vulnerabilities use different severity levels.

As another way, we can save all these vulnerabilities and insert this list into one warning.
wdyt?

But if there are 100 vulnerabilities, we possibly show 100 warn messages, right?

right. but I hope we don't get 100 vulnerabilities

I don't think 100 vulns are so many. I saw environments with 500 vulns or even more than 1000 vulns.

Okay, let's use once. We can always update this - if users require it.

Update in b23527d

After reading the message, I feel like it's still unclear for users. We may want to update the document and add a link in the warning message, like "For details, read https://aquasecurity.github.io/trivy/latest/docs/scanner/vulnerability/#severity-selection." What do you think?

I have a couple of ideas that we can add. I will update docs and write to you.

ec412a3
wdyt?