Xray initially populates data about vulnerabilities and licenses from the Xray global database server managed by JFrog. After the initial database synchronisation, Xray is then continuously synchronized with the central database for new updates on a daily basis.
When analyzing the vulnerabilities for open source operating systems packages, Xray fetches data regarding the severity of the vulnerability from two sources:
NVD: The National Vulnerability Database which contains known vulnerabilities each with their CVSS score. For more information on CVSS scoring in Xray, see CVSS Scoring in Xray.
Security Advisory: Some open source operating systems have their own security trackers with further analysis of the vulnerability inside the operating system package.
In the case where the Operating System Security Advisory contains data about the vulnerability in a package, Xray will compute the severity of the vulnerability based on this data instead of the CVSS score of the vulnerability.
The reason for that, is that the Security Advisory team of the Operating System had done further analysis to come to a more precise conclusion regarding the priority/urgency/severity of the vulnerability inside the operating system package.
To help you understand how Xray maps the information from each, we have outlined each operating system’s severity/priority and how it is presented in Xray.
Take note, that if a vulnerability's severity is unknown in the security advisory, the CVSS score will be calculated from the NVD.
You can see the severity levels for the following Operating System Packages: