Starting today, Amazon Elastic Container Registry (ECR) basic scanning feature will use Common Vulnerability Scoring System (CVSS) version 3 information when determining the severity for new Common Vulnerabilities and Exposures (CVEs). This enables customers to get the most recent severity information for vulnerabilities in their ECR container images. We use CVSS information to determine the severity of a vulnerability when the upstream distribution source does not have this information.
Source:: Amazon AWS