Bug
Resolution: Unresolved
4.6.0, 4.7.0, 4.5.8
Quality / Stability / Reliability
USER PROBLEM
What is the user experiencing as a result of the bug? Include steps to reproduce.
- Scanner is not returning a severity for some CVEs
- Original issue discussed in Slack was why CVE counts were mismatched: https://redhat-internal.slack.com/archives/C01R0E7CVMX/p1744201692891379
- Example from Staging: https://staging.demo.stackrox.com/main/vulnerabilities/user-workloads/images/sha256:52478f8cd6a142fd462f0a7614a7bb064e969a4c083648235d6943c786df8cc7?vulnerabilityState=OBSERVED&detailsTab=Vulnerabilities
- Screenshot of a different image from the customer:
- [rh-ee-dvail's analysis from Slack thread on customer case] "This is an issue because the counts you are seeing in the card are retrieved from an API that breaks down image vulnerability counts first by severity (critical, important, moderate, low), and then by fixability (fixable, not fixable). The count above the table is a separate API listing all vulnerabilities that impact the current image, but this also includes vulnerabilities with an “unknown” severity. The former API does not include counts for “unknown” severity, which causes the mismatch."
- This only happens for images where Scanner has not determined a severity for some CVEs, i.e. where at least one CVE is reported with severity "unknown"; the difference between the two counts is the number of such CVEs.
CONDITIONS
What conditions need to exist for a user to be affected? Is it everyone? Is it only those with a specific integration? Is it specific to someone with particular database content? etc.
- dcaravel's summary of how severities are determined (from the Slack thread above):
"We might have to look at a few specific CVEs, quick scan over the code and the answer may depend on the CVE and the feed we get it from. In some cases we take the vendor's severity, in other cases it's derived from the CVSS score - one example of a scenario where it can be unknown is if there is an error parsing the CVSS vector from the raw data."
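To make the two counting paths and the "unknown" case concrete, here is an added Go example; it is not Scanner or Central code, and the CVE record type, the CVSS-score-to-severity bands and the sample records are assumptions constructed for this illustration. It derives a severity with the precedence dcaravel describes (vendor severity, else CVSS score, else UNKNOWN when the CVSS data is missing or fails to parse), then computes the card-style breakdown that omits UNKNOWN and the table-style total that includes it, so the mismatch described in the user-problem section falls out as the number of UNKNOWN CVEs.

```go
package main

import "fmt"
import "strconv"

// Severity buckets as the ticket names them; UNKNOWN is the one the card API omits.
type Severity string

const (
	Critical  Severity = "CRITICAL"
	Important Severity = "IMPORTANT"
	Moderate  Severity = "MODERATE"
	Low       Severity = "LOW"
	Unknown   Severity = "UNKNOWN"
)

// CVE is a constructed feed record for this example, not the Scanner's real type.
type CVE struct {
	ID             string
	VendorSeverity Severity // "" when the feed supplies none
	RawCVSSScore   string   // CVSS v3 base score as the feed serialised it; "" if none
	Fixable        bool
}

// DeriveSeverity follows the precedence the Slack summary describes: vendor
// severity first, else derive from the CVSS score, else UNKNOWN when the CVSS
// data is missing or fails to parse. Bands are CVSS v3 qualitative ratings (assumed).
func DeriveSeverity(c CVE) Severity {
	if c.VendorSeverity != "" {
		return c.VendorSeverity
	}
	score, err := strconv.ParseFloat(c.RawCVSSScore, 64)
	if err != nil || score < 0 || score > 10 {
		return Unknown // missing, unparsable or out-of-range CVSS data
	}
	switch {
	case score >= 9.0:
		return Critical
	case score >= 7.0:
		return Important
	case score >= 4.0:
		return Moderate
	case score > 0:
		return Low
	}
	return Unknown // CVSS 0.0 has no qualitative rating
}

// Breakdown models the card API: counts by severity, then fixability; no UNKNOWN bucket.
type Breakdown map[Severity]map[bool]int

func CardBreakdown(cves []CVE) Breakdown {
	b := Breakdown{}
	for _, sev := range []Severity{Critical, Important, Moderate, Low} {
		b[sev] = map[bool]int{}
	}
	for _, c := range cves {
		if sev := DeriveSeverity(c); sev != Unknown {
			b[sev][c.Fixable]++ // UNKNOWN CVEs are silently dropped here
		}
	}
	return b
}

// CardTotal is what a user gets by adding up the card's buckets.
func CardTotal(b Breakdown) int {
	total := 0
	for _, byFix := range b {
		total += byFix[true] + byFix[false]
	}
	return total
}

// TableTotal models the list API above the table: every CVE, UNKNOWN included.
func TableTotal(cves []CVE) int { return len(cves) }

// SampleImage is constructed data with placeholder IDs, not real CVEs.
func SampleImage() []CVE {
	return []CVE{
		{"A", Critical, "", true}, // vendor severity wins
		{"B", "", "7.5", false},   // derived: IMPORTANT
		{"C", "", "4.0", true},    // derived: MODERATE
		{"D", "", "2.1", false},   // derived: LOW
		{"E", "", "n/a", false},   // CVSS parse error -> UNKNOWN
		{"F", "", "", true},       // no severity data -> UNKNOWN
	}
}

func main() {
	cves := SampleImage()
	b := CardBreakdown(cves)
	fmt.Printf("card total=%d table total=%d gap (UNKNOWN)=%d\n", CardTotal(b), TableTotal(cves), TableTotal(cves)-CardTotal(b))
}
```

Running it prints a card total of 4 against a table total of 6; the gap of 2 is exactly the two records whose severity could not be determined. Either API would have to expose an UNKNOWN bucket, or the table count would have to exclude it, for the two numbers to agree.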
ROOT CAUSE
What is the root cause of the bug?
- tbd
FIX
How was the bug fixed (this is more important if a workaround was implemented rather than an actual fix)?
- pending