Spike: verify that Container Scanning uses CVSS score from NVD

Why are we doing this work

To officially claim that our SCA scanners are compliant with FedRAMP we must confirm that we provide a CVSS score sourced from NIST NVD.

We know that Trivy-DB, our source of advisories for OS package types, provides multiple CVSS scores:

  • NVD score
  • distro vendor specific score

We must ensure we use the NVD score when creating vulnerabilities in the various workflows we support:

  • Container Scanning in the CI job
  • Continuous Vulnerability Scanning
  • Full CS scan on SBOM changes (still in development)
  • Operational Container Scanning (TBD if in scope)
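As an added illustration (not code from this issue or from the Trivy project) of what the spike has to verify, the script below audits a Trivy JSON report and reports, per vulnerability, which score was taken from the `nvd` entry and which vulnerabilities have no NVD score at all (only a distro vendor score). It assumes the usual Trivy report layout, `Results[].Vulnerabilities[].CVSS` keyed by source with `V3Score`/`V2Score`, and uses a constructed sample report with placeholder CVE ids.

```python
import json

# Constructed sample in the shape of a Trivy JSON report (assumed layout:
# Results[].Vulnerabilities[].CVSS keyed by source, each with V3Score/V2Score).
# CVE ids and scores are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "example-image (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
             "CVSS": {"nvd": {"V3Score": 9.8}, "debian": {"V3Score": 5.5}}},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "othertool",
             "CVSS": {"redhat": {"V3Score": 7.5}}},          # vendor score only
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "legacylib",
             "CVSS": {"nvd": {"V2Score": 4.3}}},             # NVD has only v2
        ],
    }]
})


def nvd_score(vuln):
    """Return (score, cvss_version) from the NVD entry, preferring v3 over v2.

    Returns None when the advisory carries no NVD score, which is exactly the
    case the FedRAMP check must surface rather than silently fall back from.
    """
    nvd = vuln.get("CVSS", {}).get("nvd")
    if not nvd:
        return None
    for key, version in (("V3Score", "3"), ("V2Score", "2")):
        if nvd.get(key) is not None:
            return nvd[key], version
    return None


def audit_report(report_json):
    """Map each vulnerability id to its NVD score; list ids that lack one."""
    report = json.loads(report_json)
    chosen, missing = {}, []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            vid = vuln["VulnerabilityID"]
            score = nvd_score(vuln)
            if score is None:
                missing.append(vid)
            else:
                chosen[vid] = score
    return chosen, missing


if __name__ == "__main__":
    chosen, missing = audit_report(SAMPLE_REPORT)
    print("NVD scores used:", chosen)
    print("No NVD score available:", missing)
```

The `missing` list is the output the spike needs for the "work to be done" case: any vulnerability there would be created from a vendor score, not from NVD.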

If confirmed, then we must:

Otherwise, we must highlight the work to be done to reach this goal.

Relevant links

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation plan

Verification steps

Edited by Olivier Gonzalez