Add some (optional) warning about unused ignored vulnerabilities

[victornoel]

When working on a software that can have many vulnerabilities ignored (e.g., because of unused os libraries), it can be useful for cleanup to have a way to know which vulnerabilities in the ignore list are actually not applicable :)

It could for example be warnings on the standard output

[itaysk]

if you add the --debug flag, you will see the ignore decision log, along the lines of:

2023-03-25T20:42:31.050+0300    DEBUG   Found an ignore file .trivyignore
2023-03-25T20:42:31.050+0300    DEBUG   These IDs will be ignored: ["CVE-2023-12345"]

does this address your use case?

[victornoel]

Hi @itaysk,

Unfortunately I don't think the debug logs will tell me which of the ignored CVE is actually not needed anymore.

Sometimes I ignore CVEs, then at a later time upgrade some dependency that fixes the CVE, and at the time I would like trivy to tell me "you ignored this cve, but your software is not impacted by it anymore, you can unignore it".

I hope I correctly understood what you were suggesting though, thanks!

[itaysk]

thanks for clarifying. yes Trivy doesn't do this, and there are currently no plans to add something like that

[odysseu]

This would be a nice feature though, anyway we could rethink this ?

[DmitriyLewen]

We added special table to show ignored vulnerabilities - #6084.
These changes will be included into next release.

[knqyf263]

If I understand correctly, this request is the other way around. They want to see unused vulnerabilities listed in .trivyignore. But once we export ignored vulnerabilities in JSON, it helps as they can write a script to compare a list of IDs in .trivyignore and actually ignored vulnerabilities.

[DmitriyLewen]

oh... sorry for misleading.

[3XC1T3D]

yep that way would be nice to have it included in trivy :) but yeah a script to diff the json is also possible