Closed oyri closed 3 months ago
This issue was also present in v0.17.0. Ref.: https://github.com/felleslosninger/github-workflows/pull/53
@oyri thanks for the report.
Now trivy-action uses Trivy 0.50.1. Is this issue still relevant?
Thank you, results look correct with the latest version 0.19.0.
After upgrading from 16.1 to 18.0, the action started wrongly reporting CVEs in our Java/Spring Boot application on a much lower version than our code has. I have also run version 0.49.1 of trivy locally on the same image with 0 reported CVEs (trivy image).
I have also unzipped and manually scanned for the reported old dependency in my code; it does not exist, only a newer version without high/critical vulnerabilities.
Is there a problem with trivy version 0.49.0, which your action uses in version 18.0, or is it another issue here?
Example of reported CVE in an older dependency:

![image](https://github.com/aquasecurity/trivy-action/assets/8371957/f958c219-9681-4385-ace6-712930810d59)

I am using Spring Boot version 3.2.3, which includes newer versions of the above.
Hope you can look at this issue. Please let me know if you need more information. Thanks.