
ignoring the severity when we use ignore-unfixed: false #192

Closed
kmganna opened this issue Jan 24, 2023 · 7 comments

kmganna commented Jan 24, 2023

I am running the trivy vulnerability scan on the docker image in the git action pipeline.

Below is the code.
```yaml
- name: Run Trivy vulnerability scanner on a container
  uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5
  with:
    image-ref: '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'
    format: 'sarif'
    severity: 'CRITICAL,HIGH,MEDIUM'
    output: 'trivy-container-results.sarif'
    ignore-unfixed: true
    timeout: ${{ inputs.timeout }}
```

The above code is working and giving the results based on the severity of the application, and it is ignoring unfixed OS fixes (HIGH, MEDIUM and CRITICAL) and LOW fixes as well. Now if I make ignore-unfixed: false, then it is giving all the ignored OS fixes along with "LOW severity".

Requirement is:
If I use ignore-unfixed: false and the severity is CRITICAL, HIGH, and MEDIUM, the output file should contain the application issues and OS issues based on severity. It should not contain LOW and other issues.

Please suggest how to achieve it.

For reference:

The issue has been discussed in the below section
aquasecurity/trivy#1687 (reply in thread)

kmganna changed the title from "ignoring the severity when we use igore-unfixed: false" to "ignoring the severity when we use ignore-unfixed: false" on Jan 24, 2023
knqyf263 (Contributor) commented

@AndreyLevchenko I feel like it is a critical issue. Could you help fix it?

kmganna (Author) commented Jan 30, 2023

@knqyf263 @AndreyLevchenko, any luck on this issue fix?

simar7 (Member) commented Feb 2, 2023

@AndreyLevchenko worked on a fix which should be in the latest release of the trivy action, https://github.com/aquasecurity/trivy-action/releases/tag/0.9.0. Please give it a try. Reopen if the issue still persists. Thanks!

simar7 closed this as completed Feb 2, 2023
kmganna (Author) commented Feb 7, 2023

@AndreyLevchenko, thanks for adding the changes.
The issue has not yet been resolved.

I performed the below tests.

Test 1:
In GitHub Actions, with ignore-unfixed: false:

```yaml
- name: Run Trivy vulnerability scanner on a container
  uses: aquasecurity/trivy-action@cff3e9a7f62c41dd51975266d0ae235709e39c41 # <====== v0.9.0 - Upgrade Trivy Action version here
  if: ${{ inputs.scan_container == true }}
  with:
    image-ref: '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'
    format: 'sarif'
    severity: 'CRITICAL,HIGH,MEDIUM' # <====== Change "sensitivity" here
    output: 'trivy-container-results.sarif'
    ignore-unfixed: false
    timeout: ${{ inputs.timeout }}
```

Output: published results of all severities (LOW, MEDIUM, HIGH, CRITICAL, etc.); these results include the issues shown in the screenshot.

TEST 2:
In GitHub Actions, with ignore-unfixed: true:

```yaml
- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL, HIGH, MEDIUM'
    ignore-unfixed: true
```

Output: published the CRITICAL, HIGH, and MEDIUM reports, but it did not capture the attached results for the ECR image. AWS captured these results.
(screenshot attached: Screenshot 2023-02-07 at 1:22:13 pm)

I ran the same tests locally on my Mac with the commands below. Same results.

```shell
# with --ignore-unfixed (matches Test 2)
trivy image --format sarif --vuln-type os,library --severity CRITICAL,HIGH,MEDIUM --ignore-unfixed --output trivy-container-results.sarif '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'

# without --ignore-unfixed (matches Test 1)
trivy image --format sarif --vuln-type os,library --severity CRITICAL,HIGH,MEDIUM --output trivy-container-results.sarif '${{ inputs.registry }}/${{ inputs.repo_name }}:${{ inputs.image_version }}'
```

Please let me know if you need more information, thank you in advance.

Cc'd @simar7
Regards,
Krishna Mohan

kmganna (Author) commented Feb 16, 2023

@simar7 @AndreyLevchenko Could you please provide an update?

simar7 (Member) commented Feb 16, 2023

I've pinged @AndreyLevchenko to see if he can take another look at it.

AndreyLevchenko (Contributor) commented

@kmganna
The changes introduce a new parameter, limit-severities-for-sarif, to override the default SARIF behavior. So it should be set to false in order to use the severity parameter.
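Editor's note on the fix above: the action's `limit-severities-for-sarif` input controls whether your `severity` list is honoured when `format` is `sarif`; by default the action's SARIF output includes every severity, which is what Test 1 observed. Check the README of the action version you pin for the value that turns the filter on. Independently of the action, the severity filter can be enforced on the SARIF file itself before it is uploaded. The script below is an added example, not code from trivy or trivy-action. It assumes Trivy's SARIF layout (each rule carries its severity as one of the strings in `properties.tags`, each result points at its rule via `ruleId`/`ruleIndex`), and the sample report embedded in it is constructed with placeholder CVE ids; verify the layout against a report from the Trivy version you actually run.

```python
"""Post-filter a Trivy SARIF report down to a chosen set of severities.

Added example for this thread, not code from trivy or trivy-action. Assumes
Trivy's SARIF layout: results reference rules via ruleId/ruleIndex, and each
rule lists its severity among properties.tags (e.g. ["vulnerability",
"security", "HIGH"]). Check this against your own report.
"""
import argparse
import copy
import json

SEVERITIES = ("UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL")

# Constructed sample in Trivy's SARIF layout; CVE ids are placeholders, not
# real findings. Only the fields the filter needs are shown.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "CVE-2023-0001", "properties": {"tags": ["vulnerability", "security", "CRITICAL"]}},
            {"id": "CVE-2023-0002", "properties": {"tags": ["vulnerability", "security", "MEDIUM"]}},
            {"id": "CVE-2023-0003", "properties": {"tags": ["vulnerability", "security", "LOW"]}},
            {"id": "CVE-2023-0004", "properties": {"tags": ["vulnerability", "security", "UNKNOWN"]}},
        ]}},
        "results": [
            {"ruleId": "CVE-2023-0001", "ruleIndex": 0, "level": "error", "message": {"text": "libfoo"}},
            {"ruleId": "CVE-2023-0002", "ruleIndex": 1, "level": "warning", "message": {"text": "libbar"}},
            {"ruleId": "CVE-2023-0003", "ruleIndex": 2, "level": "note", "message": {"text": "libbaz"}},
            {"ruleId": "CVE-2023-0003", "ruleIndex": 2, "level": "note", "message": {"text": "libqux"}},
            {"ruleId": "CVE-2023-0004", "ruleIndex": 3, "level": "note", "message": {"text": "libzap"}},
        ],
    }],
}


def rule_severity(rule):
    """Severity of a rule taken from its tags; UNKNOWN if no severity tag is present."""
    for tag in rule.get("properties", {}).get("tags", []):
        if tag in SEVERITIES:
            return tag
    return "UNKNOWN"


def filter_sarif(sarif, keep):
    """Return a copy of `sarif` keeping only results whose rule severity is in `keep`.

    `keep` is an iterable of severity names; whitespace and case are normalised
    so an action-style value like 'CRITICAL, HIGH, MEDIUM' works. Rules outside
    the kept severities are dropped, and every surviving result's ruleIndex is
    rewritten to point into the shortened rules array, as SARIF requires.
    """
    wanted = {s.strip().upper() for s in keep if s.strip()}
    unknown = wanted - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severities: {sorted(unknown)}")
    out = copy.deepcopy(sarif)
    for run in out["runs"]:
        driver = run["tool"]["driver"]
        kept_rules = [r for r in driver.get("rules", []) if rule_severity(r) in wanted]
        new_index = {r["id"]: i for i, r in enumerate(kept_rules)}
        driver["rules"] = kept_rules
        run["results"] = [
            dict(res, ruleIndex=new_index[res["ruleId"]])
            for res in run.get("results", [])
            if res.get("ruleId") in new_index
        ]
    return out


def count_by_severity(sarif):
    """Number of results per severity, for a before/after check."""
    counts = {}
    for run in sarif["runs"]:
        sev_of = {r["id"]: rule_severity(r) for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            sev = sev_of.get(res.get("ruleId"), "UNKNOWN")
            counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="filter a Trivy SARIF report by severity")
    ap.add_argument("src", help="SARIF file written by trivy")
    ap.add_argument("dst", help="filtered SARIF file to write")
    ap.add_argument("--severity", default="CRITICAL,HIGH,MEDIUM",
                    help="comma-separated severities to keep")
    args = ap.parse_args()
    with open(args.src) as fh:
        report = json.load(fh)
    filtered = filter_sarif(report, args.severity.split(","))
    with open(args.dst, "w") as fh:
        json.dump(filtered, fh, indent=2)
    print("before:", count_by_severity(report), "after:", count_by_severity(filtered))
```

Run it between the scan step and the upload step (for example `python filter_sarif.py trivy-container-results.sarif filtered.sarif --severity CRITICAL,HIGH,MEDIUM`, then upload `filtered.sarif`). Remapping `ruleIndex` matters: if rules are removed but results keep their old indices, GitHub code scanning will attribute findings to the wrong rule or reject the file.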
