When upgrading to Xray version 3.21.2, with the new CVSS v3.0 scoring, all existing policies and rules will remain the same. Xray will not rescan existing artifacts. Only new artifacts will be scanned and receive the new CVSS v3.0 scoring and severity levels.
If existing resources are updated with new artifacts, images, etc., the new data will be scanned according to the new scoring and severity. When new vulnerabilities are found, with a Critical severity, and an existing Policy rule is set to High severity , the violation will be created with the Critical severity. Existing vulnerabilities will not be impacted, only new vulnerabilities found will be set according to the CVSS v3.0 score.
Update Existing Policies: Existing Policies can be updated to support the new Critical severity level using the Update Policy REST API.