aquasecurity / trivy-action

Runs Trivy as GitHub action to scan your Docker container image for vulnerabilities
Apache License 2.0

Reports CVE not existing in code #319

Closed oyri closed 3 months ago

oyri commented 3 months ago

After upgrading from 16.1 to 18.0, the action started wrongly reporting CVEs in our Java/Spring Boot application on a much lower version than our code has. I have also run version 0.49.1 of Trivy locally on the same image with 0 reported CVEs (`trivy image`). I have also unzipped and manually scanned for the reported old dependency in my code; it does not exist, only a newer version without high/critical vulnerabilities.

Is there a problem with Trivy version 0.49.0, which your action uses in version 18.0, or is it another issue here?

Example of reported CVE in an older dependency: [screenshot]

I am using Spring Boot version 3.2.3, which includes newer versions of the above.

Hope you can look at this issue. Please let me know if you need more information. Thanks.

sindrej commented 3 months ago

This issue was also present in v0.17.0. Ref.: https://github.com/felleslosninger/github-workflows/pull/53

afdesk commented 3 months ago

@oyri thanks for the report.

Now trivy-action uses Trivy 0.50.1. Is this issue still relevant?

oyri commented 3 months ago

Thank you, the results look correct with the latest version 0.19.0.