CVSS 4.0 scoring missing

[javierfreire]

Description

Although CVSS 4.0 is theoretically supported since #7968, the report doesn't include the CVSS 4.0 scoring.

Desired Behavior

I expect that the json report will include the CVSS 4.0 scoring.

Actual Behavior

Scanning pkg:npm/path-to-regexp@0.1.10 Trivy reports the CVE-2024-52798 without any CVSS 4.0 information.

Reproduction Steps

1. Using the spdx.json file

{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "Test",
  "packages": [
    {
      "name": "path-to-regexp",
      "SPDXID": "SPDXRef-Package-4677bd488ed2dd2",
      "versionInfo": "0.1.10",
      "supplier": "NOASSERTION",
      "downloadLocation": "NONE",
      "filesAnalyzed": false,
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:npm/path-to-regexp@0.1.10"
        }
      ],
      "primaryPackagePurpose": "LIBRARY"
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-DOCUMENT",
      "relatedSpdxElement": "SPDXRef-Package-4677bd488ed2dd2",
      "relationshipType": "DESCRIBES"
    }
  ]
}


2. Execute
```bash
trivy sbom spdx.json --format json

3. The result reports CVE-2024-52798 and it doesn't include any CVSS 4.0 scoring but the CVSS 4.0 scoring is declared in https://nvd.nist.gov/vuln/detail/CVE-2024-52798
   ...

### Target

SBOM

### Scanner

Vulnerability

### Output Format

JSON

### Mode

None

### Debug Output

```bash
$ trivy sbom spdx.json --format json --debug
2024-12-17T15:33:10+01:00	DEBUG	No plugins loaded
2024-12-17T15:33:10+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-12-17T15:33:10+01:00	DEBUG	Cache dir	dir="/home/fjavier/.cache/trivy"
2024-12-17T15:33:10+01:00	DEBUG	Cache dir	dir="/home/fjavier/.cache/trivy"
2024-12-17T15:33:10+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-12-17T15:33:10+01:00	DEBUG	Ignore statuses	statuses=[]
2024-12-17T15:33:10+01:00	DEBUG	DB update was skipped because the local DB is the latest
2024-12-17T15:33:10+01:00	DEBUG	DB info	schema=2 updated_at=2024-12-17T06:16:04.798697378Z next_update=2024-12-18T06:16:04.798697017Z downloaded_at=2024-12-17T10:46:05.210908447Z
2024-12-17T15:33:10+01:00	DEBUG	[pkg] Package types	types=[os library]
2024-12-17T15:33:10+01:00	DEBUG	[pkg] Package relationships	relationships=[unknown root workspace direct indirect]
2024-12-17T15:33:10+01:00	INFO	[vuln] Vulnerability scanning is enabled
2024-12-17T15:33:10+01:00	DEBUG	Enabling misconfiguration scanners	scanners=[]
2024-12-17T15:33:10+01:00	DEBUG	Initializing scan cache...	type="memory"
2024-12-17T15:33:10+01:00	INFO	Detected SBOM format	format="spdx-json"
2024-12-17T15:33:10+01:00	DEBUG	OS is not detected.
2024-12-17T15:33:10+01:00	DEBUG	Detected OS: unknown
2024-12-17T15:33:10+01:00	INFO	Number of language-specific files	num=1
2024-12-17T15:33:10+01:00	INFO	[node-pkg] Detecting vulnerabilities...
2024-12-17T15:33:10+01:00	DEBUG	[node-pkg] Scanning packages for vulnerabilities	file_path=""
2024-12-17T15:33:10+01:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2024-12-17T15:33:10+01:00	DEBUG	[vex] VEX filtering is disabled

Operating System

Ubuntu

Version

$ trivy --version
Version: 0.58.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-12-17 06:16:04.798697378 +0000 UTC
  NextUpdate: 2024-12-18 06:16:04.798697017 +0000 UTC
  DownloadedAt: 2024-12-17 10:46:05.210908447 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-12-10 02:50:36.32311274 +0000 UTC
  NextUpdate: 2024-12-13 02:50:36.32311262 +0000 UTC
  DownloadedAt: 2024-12-10 15:34:29.029606518 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[DmitriyLewen]

Hello @javierfreire

Trivy shows only CVSS for NVD source - #7059 (comment)
CVE-2024-52798 doesn't have NVD CVSS 4.0:

Regards, Dmitriy

[javierfreire]

Got it. Thank you.