
Reports CVE not existing in code

Open · oyri opened this issue 2 years ago · 2 comments

After upgrading from 16.1 to 18.0, the action started wrongly reporting CVEs in our Java/Spring Boot application on a much lower version than our code has. I have also run version 0.49.1 of Trivy locally on the same image with 0 reported CVEs (trivy image ). I have also unzipped and manually scanned for the reported old dependency in my code; it does not exist, only a newer version without high/critical vulnerabilities.

Is there a problem with Trivy version 0.49.0, which your action uses in version 18.0, or is it another issue here?

Example of reported CVE in an older dependency: (image attached)

I am using Spring boot version 3.2.3 which includes newer versions of the above.

Hope you can look at this issue. Please let me know if you need more information. Thanks.

oyri, Mar 14 '24 10:03
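A cross-check of the kind described in the report above, added here as an example and not part of the issue or the trivy-action project: it parses a Trivy JSON report and checks whether each reported InstalledVersion is actually bundled under BOOT-INF/lib of the Spring Boot jar. The report, jar contents and CVE id are constructed placeholders; matching goes by jar file name, whereas Trivy also reads pom.properties, so a mismatch marks a finding for manual review rather than proving it false.

```python
import io
import json
import re
import zipfile

# Constructed sample Trivy JSON report (same top-level shape as `trivy image -f json`).
# The CVE id is a placeholder, not a real identifier from the issue.
SAMPLE_REPORT = json.dumps({
    "Results": [{
        "Target": "app.jar",
        "Class": "lang-pkgs",
        "Type": "jar",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-00000",
             "PkgName": "org.springframework:spring-core",
             "InstalledVersion": "5.3.20", "Severity": "HIGH"},
        ],
    }]
})

# Jar names follow the <artifactId>-<version>.jar convention used under BOOT-INF/lib.
JAR_RE = re.compile(r"^BOOT-INF/lib/(?P<artifact>.+)-(?P<version>\d[^/]*)\.jar$")


def build_sample_boot_jar() -> bytes:
    """Constructed Spring Boot style fat jar that bundles only newer libraries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BOOT-INF/lib/spring-core-6.1.4.jar", b"")
        zf.writestr("BOOT-INF/lib/spring-web-6.1.4.jar", b"")
    return buf.getvalue()


def bundled_versions(jar_bytes: bytes) -> dict:
    """Map artifactId -> set of versions actually present under BOOT-INF/lib."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                found.setdefault(m["artifact"], set()).add(m["version"])
    return found


def cross_check(report_json: str, jar_bytes: bytes) -> list:
    """Return (id, artifact, reported_version, bundled_versions) for every finding
    whose InstalledVersion is not bundled in the jar: candidates for manual review."""
    found = bundled_versions(jar_bytes)
    mismatches = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # Trivy emits null when empty
            artifact = v["PkgName"].split(":")[-1]      # groupId:artifactId -> artifactId
            actual = found.get(artifact, set())
            if v["InstalledVersion"] not in actual:
                mismatches.append((v["VulnerabilityID"], artifact,
                                   v["InstalledVersion"], sorted(actual)))
    return mismatches
```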

This issue was also present in v0.17.0. Ref.: https://github.com/felleslosninger/github-workflows/pull/53

sindrej, Mar 14 '24 14:03

@oyri thanks for the report.

Now trivy-action uses Trivy 0.50.1. Is this issue still relevant?

afdesk, Mar 29 '24 18:03

Thank you, results look correct with the latest version 0.19.0.

oyri, Apr 02 '24 08:04