Configuring Grype to use only NVD as a source

I was wondering if there was a way to configure Grype to pull from just the NVD as a source. I used in my yaml file:

  GNU nano 7.2                                                                 /home/rco/.grype.yaml                                                                           
# grype configuration file

vulnerability:
  provider:
    priority:
      - nvd
      - github
      - osv
    unmarshalers:
      nvd:
        enabled: true
      github:
        enabled: true
      osv:
        enabled: true
      anchore:
        enabled: true
      redhat:
        enabled: true
  id-matcher:
    preferred-id-prefixes:
      - cve
      - ghsa
      - osv

match:
  java:
    using-cpes: true
  python:
    using-cpes: true
  javascript:
    using-cpes: true
  ruby:
    using-cpes: true
  dotnet:
    using-cpes: true
  golang:
    using-cpes: true
  php:
    using-cpes: true
  stock:
    using-cpes: true

When it pulls the vulnerabilities, I get a response below in my results:

ws 7.4.6 7.5.10 npm GHSA-3h5v-q93c-6h6q High

When you go to the GITHUB for this GHSA, it links it to CVE-2024-37890, which states: This vulnerability is currently awaiting analysis.

I was wondering instead of returning the GHSA that if there was a way to have it return the CVE instead of the GHSA, or even include the GHSA as a supplemental ID instead of the primary for this vulnerability?

Any help would be greatly appreciated.

Hi @Emiliano_Martinez! Thanks for the question.

Does --by-cve do what you need?

--by-cve orients the output around the CVE ID of each match, as opposed to the default which uses the ID of the source we used for the match, for example GHSA. This affects the display ID, but it doesn’t affect the matching criteria, so it might not be what you’re looking for.

While you’re here, can you help me understand why you want to prefer NVD data over other data sources? The data at ws affected by a DoS when handling a request with many HTTP headers · CVE-2024-37890 · GitHub Advisory Database · GitHub has been review by GitHub, even if NVD hasn’t gotten around to reviewing this vulnerability yet. “awaiting analysis” just means that NVD haven’t review it yet, not that they think it’s unimportant or invalid.

We’ve generally found that, because CPE is a bit of a lossy format (for example, it doesn’t encode package type), NVD matching criteria are actually much worse than GHSA’s for package ecosystems that GHSA supports. Does your experience differ? Is there a reason you have to prefer NVD data?

I don’t believe right now there’s a config switch to completely turn off all datasources besides NVD. The using-cpes: true blocks in your config above trun on NVD CPE matching, but they don’t turn off other sorts of matching.

The reason why is I am trying to track the vulnerabilities to the NVD due to some of the GHSA that I have seen was marked under a different category compared to NIST, and I am trying to align the vulnerabilities to the NIST categorization based on the vulnerability. For example GHSA-gjcw-v447-2w7q:

Forgeable Public/Private Tokens in jws

Is tied to CVE-2016-1000223 which is reserved by an organization and doesnt have a score listed on NVD.

There are some other examples of where the GHSA would have them at a different severity to NVD and vice versa.

You can achieve this by building your own Grype database and limiting the providers to just NVD. The workflow to get there isn’t documented well, but it can be done and works reliably.