bug: cyclonedx vex doesn't filter vulnerabilities with escaped characters in bomRef #6023
Closed
Labels
kind/bug
Discussed in #6020
Originally posted by ademsayin-essentx January 30, 2024
Description
I want to ignore some vulnerabilities via the --vex option when scanning an SBOM with trivy.
Even though the vulnerabilities are defined in the standalone VEX file, they are still found by trivy.
I was able to reproduce it with the current Ubuntu image.
It looks like when there are special characters (in this case a +) in the purl or bom-ref, the character gets URL-encoded to %2B.
However, the filter for the VEX information seems not to like this URL-encoded value.
Both vulnerabilities that are not ignored have this %2B in the purl and bom-ref.
Desired Behavior
All vulnerabilities that are defined in vex file are ignored.
Actual Behavior
Not all vulnerabilities are ignored by trivy and are still shown in the table.
Reproduction Steps
Target
SBOM
Scanner
Vulnerability
Output Format
Table
Mode
Standalone
Debug Output
Operating System
Linux Ubuntu
Version
Checklist
trivy image --reset
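The mismatch the reporter describes comes down to comparing bom-refs as raw strings: an SBOM generator may percent-encode a "+" in the package version ("%2B"), while the VEX author writes the literal "+", and a byte-for-byte comparison then never matches, so the suppression silently does not apply and the finding stays in the table. The following Go program is an added illustration, not Trivy's code and not something the reporter posted. It uses constructed sample findings and VEX statements (placeholder CVE IDs and package names) and contrasts a naive exact-match filter with one that canonicalizes both sides with net/url's PathUnescape before comparing, so "%2B" and "+" refer to the same component. PathUnescape is used rather than QueryUnescape because the latter would also turn a literal "+" into a space.

```go
package main

import (
	"fmt"
	"net/url"
)

// Vulnerability is a finding attached to an SBOM component, keyed by the
// component's bom-ref exactly as the SBOM generator wrote it.
type Vulnerability struct {
	ID     string
	BomRef string
}

// VEXStatement is a CycloneDX VEX-style "not affected" statement: the
// vulnerability ID and the bom-refs it applies to, as the VEX author wrote them.
type VEXStatement struct {
	ID      string
	Affects []string
}

// canonicalRef normalizes a bom-ref/purl so that percent-encoded and literal
// forms of the same reference compare equal ("%2B" and "+", for example).
// A malformed escape sequence leaves the reference untouched instead of
// dropping it, so a bad VEX entry cannot accidentally widen a match.
func canonicalRef(ref string) string {
	decoded, err := url.PathUnescape(ref)
	if err != nil {
		return ref
	}
	return decoded
}

// filter removes every finding whose (ID, bom-ref) pair is covered by a VEX
// statement. key decides how bom-refs are compared.
func filter(findings []Vulnerability, vex []VEXStatement, key func(string) string) []Vulnerability {
	suppressed := make(map[string]bool)
	for _, s := range vex {
		for _, ref := range s.Affects {
			suppressed[s.ID+"|"+key(ref)] = true
		}
	}
	var out []Vulnerability
	for _, f := range findings {
		if !suppressed[f.ID+"|"+key(f.BomRef)] {
			out = append(out, f)
		}
	}
	return out
}

// filterNaive matches bom-refs byte for byte: the behaviour the issue
// describes, where "%2B" in the SBOM never matches "+" in the VEX file.
func filterNaive(findings []Vulnerability, vex []VEXStatement) []Vulnerability {
	return filter(findings, vex, func(s string) string { return s })
}

// filterCanonical compares canonicalized refs, so the suppression applies
// regardless of which side percent-encoded the "+".
func filterCanonical(findings []Vulnerability, vex []VEXStatement) []Vulnerability {
	return filter(findings, vex, canonicalRef)
}

// sampleFindings are constructed, not from a real scan. The second bom-ref
// carries the percent-encoded "+" that the SBOM generator emitted.
func sampleFindings() []Vulnerability {
	return []Vulnerability{
		{ID: "CVE-0000-0001", BomRef: "pkg:deb/ubuntu/plain-pkg@1.0-1?distro=ubuntu-22.04"},
		{ID: "CVE-0000-0002", BomRef: "pkg:deb/ubuntu/example-pkg@1.2.3%2Bdfsg-1?distro=ubuntu-22.04"},
		{ID: "CVE-0000-0003", BomRef: "pkg:deb/ubuntu/other-pkg@2.0%2Bb1?distro=ubuntu-22.04"},
	}
}

// sampleVEX is constructed as a VEX author would write it by hand: the
// reference for CVE-0000-0002 uses a literal "+". CVE-0000-0003 is deliberately
// not covered and must remain in the output of both filters.
func sampleVEX() []VEXStatement {
	return []VEXStatement{
		{ID: "CVE-0000-0001", Affects: []string{"pkg:deb/ubuntu/plain-pkg@1.0-1?distro=ubuntu-22.04"}},
		{ID: "CVE-0000-0002", Affects: []string{"pkg:deb/ubuntu/example-pkg@1.2.3+dfsg-1?distro=ubuntu-22.04"}},
	}
}

func main() {
	fmt.Println("naive filter leaves:")
	for _, f := range filterNaive(sampleFindings(), sampleVEX()) {
		fmt.Printf("  %s  %s\n", f.ID, f.BomRef)
	}
	fmt.Println("canonical filter leaves:")
	for _, f := range filterCanonical(sampleFindings(), sampleVEX()) {
		fmt.Printf("  %s  %s\n", f.ID, f.BomRef)
	}
}
```

Running it shows the naive filter still listing CVE-0000-0002 (the "%2B" case) alongside the uncovered CVE-0000-0003, while the canonical filter lists only CVE-0000-0003. The defensive point is that the failure mode is silent: a VEX statement that does not match produces no error, just a finding that keeps appearing, so a scanner (or a CI check around it) should canonicalize references on both sides and ideally report VEX statements that matched nothing in the SBOM.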