trivy and --ignore-unfixed

[sldblog]

Is this option a good practice to have?

hmpps-circleci-orb/src/jobs/trivy_latest_scan.yml

Line 55 in 1892151

--ignore-unfixed \

My primary worry is that it completely hides the CVEs:

$ trivy image --vuln-type=os --ignore-unfixed --severity=HIGH,CRITICAL quay.io/hmpps/hmpps-delius-interventions-event-listener:2021-11-02.382.391ebb7
2021-11-02T10:02:01.288Z	INFO	Detected OS: debian
2021-11-02T10:02:01.288Z	INFO	Detecting Debian vulnerabilities...

quay.io/hmpps/hmpps-delius-interventions-event-listener:2021-11-02.382.391ebb7 (debian 11.1)
============================================================================================
Total: 0 (HIGH: 0, CRITICAL: 0)

The same command without the --ignore-unfixed:

$ trivy image --vuln-type=os --severity=HIGH,CRITICAL quay.io/hmpps/hmpps-delius-interventions-event-listener:2021-11-02.382.391ebb7
2021-11-02T10:01:13.629Z	INFO	Detected OS: debian
2021-11-02T10:01:13.629Z	INFO	Detecting Debian vulnerabilities...

quay.io/hmpps/hmpps-delius-interventions-event-listener:2021-11-02.382.391ebb7 (debian 11.1)
============================================================================================
Total: 6 (HIGH: 2, CRITICAL: 4)
{snip}

So we have a false sense of no vulnerabilities, while there are actually 4 critical OS ones.

[sldblog]

(We switched to adoptopenjdk/openjdk16:alpine-jre as the final base image and there are no critical ones there, with the added benefit of having half-size images)

[dazoakley]

I guess it's a trade off of noise vs benefit? When this was introduced the first thing (many many) people asked "Is this just going to bombard me with noise about things I just can't fix?".

Hence why --ignore-unfixed was used - if there is a simple fix in the underlying base os or programming language package management system it would be flagged as insecure, otherwise don't produce noise. Not saying it was the best choice, but that's the background behind it.