Closed snooyen closed 1 month ago
Hello, we are confirming receipt of your ticket. We will begin triaging the issue, and will report back when we have pertinent updates.
@snooyen currently the GitHub Action summary report only supports vulnerability severity values provided by National Vulnerability Database (NVD). As you stated, vulnerability severity for other providers is not displayed. We are planning on supporting severity values from other providers in the near future.
This issue will likely be idle/on hold through this week, but I will report back when we start the work, and I will offer an ETA when we have confidence in the solution.
Thank you for your continued patience.
@snooyen Quick update, work has started for on-boarding vulnerability severity values from providers in addition to NVD. We do not have a firm ETA now; however, we will provide one when we are confident in the solution. Thank you for your continued patience.
@snooyen Minor update: we've finished testing and reviewing our initial solution. During our review, we identified some edge cases that require additional code changes before we can make this fix available to customers. We are currently working on those changes, after which point, we should have an ETA as to when this issue will be resolved. We thank you for your continued patience and understanding as we work on resolving your issue.
@snooyen We have deployed a new version of this action to resolve your issue. We have verified that severity values for discontinued OS's are properly reported, among other enhancements. You can see an example of these changes here: https://github.com/aws-actions/vulnerability-scan-github-action-for-amazon-inspector/actions/runs/10161985201
Please update your workflows to use this release to resolve this issue:

```yaml
- name: Vulnerability Scan GitHub Action for Amazon Inspector
  uses: aws-actions/vulnerability-scan-github-action-for-amazon-inspector@v1.1.3
```
Thank you once again for raising this issue. This helps improve the action for all users, for which we are grateful.
I am marking this issue as resolved. Please feel free to reach out to us again if you have follow-on questions or concerns.
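To illustrate the gap this thread describes (severity read only from NVD, so a finding rated only by another provider gets an empty Severity cell and can slip past a "block on critical" gate), here is an added Python example; it is not code from the action or from AWS. The scan JSON shape, the provider names and the IDs other than IN-DISCONTINUED-001 are constructed assumptions.

```python
import json

# Constructed sample in an ASSUMED shape; this is not Amazon Inspector's real scan format.
SAMPLE_SCAN = json.dumps({
    "vulnerabilities": [
        {"id": "CVE-2099-0001", "package": "libfoo",
         "severities": {"nvd": "HIGH"}},
        {"id": "IN-DISCONTINUED-001", "package": "ubuntu-base",
         "severities": {"provider-x": "CRITICAL"}},   # no NVD rating at all
    ]
})

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

def severity_nvd_only(vuln):
    """Mimics the reported bug: only the NVD value is consulted, else empty."""
    return vuln["severities"].get("nvd", "").upper()

def severity_any_provider(vuln):
    """Fixed behaviour: prefer NVD, otherwise the most severe value any provider reported."""
    sevs = vuln["severities"]
    if "nvd" in sevs:
        return sevs["nvd"].upper()
    if not sevs:
        return "UNKNOWN"
    return max((s.upper() for s in sevs.values()),
               key=lambda s: SEVERITY_RANK.get(s, 0))

def render_summary(scan_json, pick):
    """Builds the markdown summary table using the given severity picker."""
    rows = ["| ID | Package | Severity |", "|---|---|---|"]
    for v in json.loads(scan_json)["vulnerabilities"]:
        rows.append(f"| {v['id']} | {v['package']} | {pick(v)} |")
    return "\n".join(rows)

def should_block(scan_json, pick, threshold="CRITICAL", fail_closed=True):
    """Pipeline gate. With fail_closed=True an empty/unknown severity also blocks,
    so a missing provider mapping cannot silently let a critical finding through."""
    limit = SEVERITY_RANK[threshold]
    for v in json.loads(scan_json)["vulnerabilities"]:
        sev = pick(v)
        if sev in SEVERITY_RANK:
            if SEVERITY_RANK[sev] >= limit:
                return True
        elif fail_closed:
            return True
    return False
```

With the buggy picker and an open gate, the IN-DISCONTINUED-001 row shows an empty Severity cell and the build passes; either the fixed picker or a fail-closed gate blocks it.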
Description
Our CI/CD pipeline is configured to block if any `critical` vulnerabilities are detected in the container. The GHA Job Summary for one of our containers reported a critical vulnerability, but this vulnerability was not clearly represented in the table.
Expected Behavior
Expect the Summary markdown to not be missing data in `Severity` column.
Actual Behavior
In the below Summary generated by the action, the vulnerability with `id: IN-DISCONTINUED-001` is a `critical` vulnerability but its severity is not reflected properly in the summary even though it is traceable in the vulnerability scan JSON.
Steps to Reproduce
See JSON snippet pasted in Other Information.
Other Information
Scan JSON Snippet: