scout: add advisory prioritization (#23275)

craig-osterhout · web-flow · commit ec7b172b6774 · 2025-08-26T11:56:26.000-07:00
## Description Added Scout's priority order on which advisory source is used when assigning severities. https://deploy-preview-23275--docsdocker.netlify.app/scout/deep-dive/advisory-db-sources/#severity-and-scoring-priority ## Related issues or tickets DHI-644 ## Reviews   - [ ] Technical review - [ ] Editorial review - [ ] Product review Signed-off-by: Craig <craig.osterhout@docker.com>
diff --git a/content/manuals/scout/deep-dive/advisory-db-sources.md b/content/manuals/scout/deep-dive/advisory-db-sources.md
@@ -58,6 +58,27 @@ your SBOM is cross-referenced with the CVE information to detect how it affects
 
 For more details on how image analysis works, see the [image analysis page](/manuals/scout/explore/analysis.md).
 
+## Severity and scoring priority
+
+Docker Scout uses two main principles when determining severity and scoring for
+CVEs:
+
+   - Source priority
+   - CVSS version preference
+
+For source priority, Docker Scout follows this order:
+
+  1. Vendor advisories: Scout always uses the severity and scoring data from the
+     source that matches the package and version. For example, Debian data for
+     Debian packages.
+
+  2. NIST scoring data: If the vendor doesn't provide scoring data for a CVE,
+     Scout falls back to NIST scoring data.
+
+For CVSS version preference, once Scout has selected a source, it prefers CVSS
+v4 over v3 when both are available, as v4 is the more modern and precise scoring
+model.
+
 ## Vulnerability matching
 
 Traditional tools often rely on broad [Common Product Enumeration (CPE)](https://en.wikipedia.org/wiki/Common_Platform_Enumeration) matching,
