We would like to inform you about upcoming changes to how we provide security data and evaluate the severity of container vulnerabilities.
CentOS Linux and CentOS Stream Updates:
As part of a continual effort to improve our container security data, we are changing how we provide information regarding CentOS Linux 6, 7 & 8 and CentOS Stream 8 vulnerabilities. Prior to these changes, we only provided information about CentOS through Red Hat Security Advisories (RHSA), which are collections of fixed CVEs. We are moving away from presenting issues via RHSA and will instead present them as individual CVEs, both fixed and unfixed.
The following are some of the key features of this change:
- Enhanced accuracy: Because a single RHSA may cover more than one CVE, showing individual CVEs instead of the RHSA gives you more details about each vulnerability that Snyk detects.
- Broader coverage: We will now show both fixed and unfixed CVEs, whereas the RHSA only shows fixed CVEs.
- Enriched metadata: Showing individual CVEs allows us to provide enriched vulnerability metadata on these CVEs, like Exploit Maturity, Social Trends and more.
- Red Hat’s security analysis: We will provide the severity of the issues as defined by the Red Hat Security Team, in addition to the severity determined by NVD, as part of the Relative Importance feature.
Important note: The number of issues will increase significantly as a result of this change, since a single RHSA may expand into several CVEs and unfixed CVEs are now reported as well, so expect the issue counts in your reports to change.
Red Hat CVSS score for Red Hat Enterprise Linux (RHEL) and CentOS:
For vulnerabilities that the Red Hat security team has evaluated and assigned a CVSS score, we will present Red Hat's score as the default score (when available), as it better reflects how a vulnerability affects their products.
Important note: There may be some changes to existing vulnerabilities in your projects, such as a CVSS score moving from 5.6 to 8.8.
Debian, Alpine, and Ubuntu Severity Updates:
We improved the way we evaluate risk for Debian, Alpine and Ubuntu vulnerabilities by creating smarter logic for combining the Linux distribution's source severity data with NVD severity data. As part of this ongoing process to enhance accuracy, we are updating the severity of selected vulnerabilities.
Important note: This means that there may be some changes to existing vulnerabilities in your projects, such as a vulnerability moving from Low severity to High severity.
The rollout of the aforementioned changes will start on December 15th. Once the new data is available, the old data will no longer be available.
After the change, projects must be retested (either by a manual test or by scheduled scanning for monitored projects).