Label: kind/feature
Description
It would be helpful to have some additional options available when using the Trivy ignore file.
If you are using Trivy manually, you of course know whether or not you are using an ignore file, and you probably know what's in the ignore file. However, if you are using Trivy in automation, then the person reading the Trivy report might not be the person who set up automation or configured the ignore file, and the person reviewing the report currently has no easy way to know whether an ignore file was used when the report was generated. It is important to know when the ignore file is being used, because you might add a CVE to the ignore file for a component that does not yet have a fix, and then later fail to update the ignore file when a fix becomes available, leaving a CVE in your project when a fix is available. Being able to see in the Trivy report that an ignore file is in use provides an immediate reminder that the ignore file should be periodically reviewed and updated.
Three options are suggested, in order of increasing complexity of implementation:
A) by default, include in the Trivy report an indication that an ignore file was used. Optimally this would include the path and name.
B) add a command line option to include in the Trivy report a list of the CVEs that were excluded by the ignore file. This could be a terse single line (to differentiate from the main body of the report) for each excluded CVE which would ideally include the title of each CVE to enhance recognition, and indicate whether a fix is currently available.
C) add an option in the ignore file to indicate that a CVE should only be ignored until a fix is available - perhaps this would be something like an "iuf" after the CVE identifier indicating that the CVE should only be "Ignored Until Fixed" - this would work similar to how exp: yyyy-mm-dd works currently.
This is adjacent to issues #4028 and #4023.
Additional comments:
Option C above is similar to --ignore-unfixed, but allows individual CVEs to be ignored (as specified in the ignore file) until fixed, rather than all unfixed CVEs.
Target: None
Scanner: Vulnerability
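The following is an added example, not Trivy's code and not something the issue author wrote. It models the three requests above as a post-processing step over findings shaped like Trivy's JSON output: it parses a constructed ignore file (the `exp:yyyy-mm-dd` token mirrors Trivy's documented expiry syntax; the `iuf` token is the issue's proposal and is hypothetical), notes in the summary that an ignore file was used and at which path (option A), lists each suppressed CVE with its title and whether a fix is available (option B), and stops honouring an `iuf` entry once the finding carries a `FixedVersion` (option C). All file contents, findings and dates are constructed for illustration.

```python
"""Added example: apply a .trivyignore-style file to Trivy-shaped findings
and report what was suppressed. Not part of Trivy; "iuf" is hypothetical."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Constructed sample ignore file. "exp:" follows Trivy's documented expiry
# syntax; "iuf" ("ignore until fixed") is the marker proposed in the issue.
SAMPLE_IGNORE_FILE = """\
# constructed for illustration
CVE-2023-0001
CVE-2023-0002 iuf
CVE-2023-0003 exp:2099-01-01
CVE-2023-0004 exp:2000-01-01
"""

# Constructed findings shaped like entries in Trivy JSON "Vulnerabilities".
SAMPLE_FINDINGS = [
    {"VulnerabilityID": "CVE-2023-0001", "Title": "one", "FixedVersion": "1.2.3"},
    {"VulnerabilityID": "CVE-2023-0002", "Title": "two", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2023-0003", "Title": "three", "FixedVersion": ""},
    {"VulnerabilityID": "CVE-2023-0004", "Title": "four", "FixedVersion": "2.0.0"},
    {"VulnerabilityID": "CVE-2023-0005", "Title": "five", "FixedVersion": "3.0.0"},
]

SAMPLE_TODAY = date(2024, 1, 1)  # constructed "today" so the run is deterministic


@dataclass
class IgnoreRule:
    cve: str
    expires: date | None = None  # from "exp:yyyy-mm-dd"
    until_fixed: bool = False     # from the hypothetical "iuf" marker


def parse_ignore_file(text: str) -> list[IgnoreRule]:
    """Parse one rule per non-empty, non-comment line: CVE id plus optional tokens."""
    rules: list[IgnoreRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        rule = IgnoreRule(cve=parts[0])
        for token in parts[1:]:
            if token.startswith("exp:"):
                rule.expires = date.fromisoformat(token[len("exp:"):])
            elif token == "iuf":
                rule.until_fixed = True
            else:
                raise ValueError(f"unknown directive {token!r} in line {raw!r}")
        rules.append(rule)
    return rules


def is_active(rule: IgnoreRule, finding: dict, today: date) -> bool:
    """A rule suppresses a finding unless it has expired or (iuf) a fix now exists."""
    if rule.expires is not None and today >= rule.expires:
        return False
    if rule.until_fixed and finding.get("FixedVersion"):
        return False
    return True


def apply_ignore_file(findings: list[dict], ignore_text: str, today: date,
                      path: str = ".trivyignore") -> dict:
    """Split findings into reported and suppressed, recording fix status for each
    suppressed CVE so a reviewer can spot stale ignore entries."""
    rules = {r.cve: r for r in parse_ignore_file(ignore_text)}
    kept, ignored = [], []
    for finding in findings:
        rule = rules.get(finding["VulnerabilityID"])
        if rule is not None and is_active(rule, finding, today):
            ignored.append({
                "id": finding["VulnerabilityID"],
                "title": finding.get("Title", ""),
                "fix_available": bool(finding.get("FixedVersion")),
                "fixed_version": finding.get("FixedVersion", ""),
            })
        else:
            kept.append(finding)
    return {"ignore_file": path, "ignored": ignored, "kept": kept}


def render_summary(result: dict) -> str:
    """Terse one-line-per-CVE summary, as proposed for the report header."""
    lines = [f"Ignore file in use: {result['ignore_file']} "
             f"({len(result['ignored'])} finding(s) suppressed)"]
    for entry in result["ignored"]:
        fix = (f"fix available: {entry['fixed_version']}" if entry["fix_available"]
               else "no fix yet")
        lines.append(f"  ignored {entry['id']}: {entry['title']} [{fix}]")
    return "\n".join(lines)


if __name__ == "__main__":
    result = apply_ignore_file(SAMPLE_FINDINGS, SAMPLE_IGNORE_FILE, SAMPLE_TODAY)
    print(render_summary(result))
    for finding in result["kept"]:
        print("reported", finding["VulnerabilityID"])
```

In the sample run, CVE-2023-0001 is suppressed by a plain entry even though a fix exists, and the summary line flags exactly that stale case; CVE-2023-0004's expired entry and CVE-2023-0005 (no entry) are reported normally. Feeding CVE-2023-0002 a `FixedVersion` makes its `iuf` entry stop applying without anyone editing the ignore file.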