Sorry for the ping @knqyf263, but this might be a bad bug.
Created #8102
Description
Apparently PR #7985 broke the identification and suppression of false positives with VEX.
When using a VEX report of any type in Trivy v0.57.1, the identified false positives are properly suppressed. After updating to Trivy v0.58.0, I noticed that the false positives are no longer being identified. I tested with VEX reports from https://github.com/rancher/vexhub/ and they work in v0.57.1, but not in v0.58.0.
I was able to pinpoint the faulty change to #7985 and https://github.com/aquasecurity/trivy/blob/v0.58.0/pkg/sbom/io/encode.go, but I haven't yet been able to find the exact logic that is broken.
Desired Behavior
False positives from VEX reports should be suppressed.
Actual Behavior
False positives from VEX reports are neither being identified nor suppressed.
Reproduction Steps
Target: Container Image
Scanner: Vulnerability
Output Format: Table
Mode: Standalone
Debug Output
Operating System: OpenSUSE Slowroll
Version
Checklist
- trivy clean --all
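As an added illustration, not code from the issue or from Trivy itself: a small checker that reads a Trivy JSON report (`trivy image -f json`) together with an OpenVEX document and lists every finding that a `not_affected` statement covers but that still appears in `Results[].Vulnerabilities`. If Trivy applied the VEX document correctly, that list is empty; a non-empty list is the symptom the report above describes. The PURL matching is deliberately simplified (qualifiers and subpath dropped, a VEX PURL without a version matches any version) and does not reproduce Trivy's own matching rules. The sample report and VEX document are constructed, with placeholder CVE ids and an `example.invalid` image name; they are not taken from rancher/vexhub.

```python
"""Report VEX-covered findings that a Trivy JSON report still lists as vulnerabilities.

Simplified, stand-alone check; it is not Trivy's matching logic.
"""
import json
import sys


def _purl_key(purl: str, keep_version: bool = True) -> str:
    """Normalise a PURL to type/namespace/name[@version]; qualifiers and subpath are dropped."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if not keep_version and "@" in core.split("/")[-1]:
        core = core.rsplit("@", 1)[0]
    return core


def _purl_matches(vex_purl: str, pkg_purl: str) -> bool:
    """A VEX PURL with a version must match exactly; one without a version matches any version."""
    vex_key = _purl_key(vex_purl)
    vex_has_version = "@" in vex_key.split("/")[-1]
    return vex_key == _purl_key(pkg_purl, keep_version=vex_has_version)


def vex_not_affected(vex_doc: dict) -> list[tuple[str, str]]:
    """(vulnerability id, PURL) for every product and subcomponent of each not_affected statement.

    Accepts both the object form ({"@id": ...}) and the older plain-string form of products.
    """
    pairs: list[tuple[str, str]] = []
    for st in vex_doc.get("statements", []):
        if st.get("status") != "not_affected":
            continue
        vuln = st["vulnerability"]
        vuln_id = vuln["name"] if isinstance(vuln, dict) else vuln
        for prod in st.get("products", []):
            if isinstance(prod, str):
                pairs.append((vuln_id, prod))
                continue
            pairs.append((vuln_id, prod["@id"]))
            for sub in prod.get("subcomponents", []):
                pairs.append((vuln_id, sub["@id"] if isinstance(sub, dict) else sub))
    return pairs


def report_findings(report: dict) -> list[tuple[str, str]]:
    """(vulnerability id, package PURL) for every vulnerability left in the report."""
    out: list[tuple[str, str]] = []
    for res in report.get("Results", []):
        for v in res.get("Vulnerabilities") or []:
            purl = (v.get("PkgIdentifier") or {}).get("PURL", "")
            out.append((v["VulnerabilityID"], purl))
    return out


def unsuppressed_findings(report: dict, vex_doc: dict) -> list[tuple[str, str]]:
    """Findings still present in the report although a not_affected statement covers them."""
    covered = vex_not_affected(vex_doc)
    return [
        (vid, purl)
        for vid, purl in report_findings(report)
        if any(vid == cv and _purl_matches(cp, purl) for cv, cp in covered)
    ]


# Constructed sample shaped like `trivy image -f json` output; placeholder ids, not a real scan.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0",
    "Results": [{
        "Target": "example.invalid/app:1.0 (alpine 3.19.1)",
        "Class": "os-pkgs",
        "Type": "alpine",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2000-0001", "PkgName": "libfoo",
             "PkgIdentifier": {"PURL": "pkg:apk/alpine/libfoo@1.2.3-r0?arch=x86_64&distro=3.19.1"}},
            {"VulnerabilityID": "CVE-2000-0002", "PkgName": "libbar",
             "PkgIdentifier": {"PURL": "pkg:apk/alpine/libbar@4.5.6-r1?arch=x86_64&distro=3.19.1"}},
        ],
    }],
}

# Constructed OpenVEX document covering only CVE-2000-0001 in libfoo; not from rancher/vexhub.
SAMPLE_VEX = {
    "@context": "https://openvex.dev/ns/v0.2.0",
    "@id": "https://example.invalid/vex/app-1.0",
    "author": "example",
    "timestamp": "2024-12-01T00:00:00Z",
    "version": 1,
    "statements": [{
        "vulnerability": {"name": "CVE-2000-0001"},
        "products": [{"@id": "pkg:oci/app?repository_url=example.invalid/app",
                      "subcomponents": [{"@id": "pkg:apk/alpine/libfoo"}]}],
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
    }],
}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python vexcheck.py report.json vex.json
        with open(sys.argv[1]) as f, open(sys.argv[2]) as g:
            report, vex = json.load(f), json.load(g)
    else:
        report, vex = SAMPLE_REPORT, SAMPLE_VEX
    for vid, purl in unsuppressed_findings(report, vex):
        print(f"not suppressed: {vid} {purl}")
```

To use it against a real scan, run `trivy image --vex vex.json -f json -o report.json IMAGE` under each Trivy version and feed `report.json` plus the same `vex.json` to the script: with v0.57.1 the covered findings should be gone from `Results` and the script prints nothing, whereas a version that ignores the VEX document leaves them in place and the script lists them. Because the checker matches on `PkgIdentifier.PURL`, an empty output can also mean the PURLs in the report no longer line up with those in the VEX document, which is worth inspecting directly when a version change is suspected of altering how PURLs are emitted.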