Output the vulnerabilities that are ignored

[ajinkya599]

At the moment, Trivy doesn't list the vulnerabilities that got ignored because of being present in .trivyignore. It is useful information for someone reviewing/auditing an image to know which vulnerabilities are present but ignored.

[knqyf263]

How do you want to see those vulnerabilities? Can we just display them as a log message or need to output them in the JSON result?

[ajinkya599]

@knqyf263 We are building some tooling around Trivy. So we want the vulnerabilities in the JSON result.

[jeff-cook]

Knowing what was ignored in the JSON would be ideal.

The best option would be to show all entries in the ignore file, and which of them were also found in the image.

Having that would allow us to know if something was ignored and found, and if there is something that may not need to be ignored anymore. (ie it was fixed in the base image and no longer needs to be ignored.)

[knqyf263]

@simar7 @lizrice Any thought?

[lizrice]

I'm not convinced with the idea of simply including "ignored" results in the main list of vulnerabilities, even if they were marked somehow as "ignore". I'd guess there is a workaround of running trivy twice, once without the ignore file, and comparing the results?

The best option would be to show all entries in the ignore file, and which of them were also found in the image.

I can see the value in this - so in addition to a list of vulnerabilities, there would be an option to output a separate list of ignore file entries and indicate whether they were found or not.

[anraghun]

@lizrice Is this feature being added to your backlog? If so, is there an ETA you could share with us? If not, could you propose any alternatives? Thanks.

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[keithmarlow]

@lizrice Is this feature being added to your backlog? If so, is there an ETA you could share with us? If not, could you propose any alternatives? Thanks.

Ignoring a known vuln should produce a 'paper trial' in the reports to allow auditing, as per ISO27001. it demonstrates that a vulnerability was accepted and marked as ignored. Later on that vulnerability may disappear due to an update, then the vulnerability can be updated in the audit materials as resolved. Without any paper trial this becomes hard to enact as it will silently disappear.

Something else to consider is allowing 'marking down' of a specific vulnerability, so rather than ignore the severity is rerated.

[rethab]

Since #1378 was merged, can this issue be closed?

[pludov]

Since #1378 was merged, can this issue be closed?

1378 logs the content of the trivyignore file, the requests here is more about knowing which of these vulnerabilities that are still relevant

[knqyf263]

We're discussing it in https://github.com/aquasecurity/trivy/issues/3464