Support passing CVEs to ignore directly in command

[abelsromero]

I see there's an option to ignore CVEs by id creating .trivyignore file or passing path to one. But I wonder why not allow passing CVE in terminal directly.
Having to create a file is not flexible (requiring exta unnecessary steps), especially when automating or in CI.

[abelsromero]

There's been no answer from enyone and is consled by "stale". Can anyone point ot alternatives, or design options, or how to proceed with long standing issues? It seems the only option is to open a new issue which I don't consider a well manered method.

[abelsromero]

Thanks for re-opening, does that mean there's some interest?

[varas]

This is required when running several scans in parallel having different exclusion policies.

[afdesk]

This is required when running several scans in parallel having different exclusion policies.

@knqyf263 it's an interesting use case, right?

[knqyf263]

This is required when running several scans in parallel having different exclusion policies.

But Trivy depends on BoltDB that doesn't allow multiple processes to open the same database at the same time.
https://github.com/boltdb/bolt

Do you still run several scans in parallel?

[afdesk]

@knqyf263 i thought that @varas scans different images with the same .trivyignore.

if so I have an idea.
@varas you can use different trivyignore files:

$ trivy image --ignorefile ignore-alpine alpine:latest
...
$ trivy image --ignorefile ignore-nginx nginx:latest

[varas]

Didn't know about the ignorefile flag, thanks!!

Although it's kind of clumsy to manage files in CI when exclusion policies come via services.

[ShubhamPalriwala]

Hey, are we still planning to implement this with something like a --ignore-cve argument?

[christianmaierger]

@afdesk

quick question, if I may ask I guess you will be able to help, I want to use a trivyignore file but it seems not that easy as I thought.
So, when you have a file executing:

$ trivy image --ignorefile ignore-alpine alpine:latest

It is not just enough to upload a file named ignore-alpine to the same folder the file/script is run from, or also one could make a file in the script called ignore-alpine.

But neither seems to work. How have you done it?

[afdesk]

@christianmaierger sorry, i missed your quick question. and i don't understand it.
--ignorefile specifies .trivyignore file, that allows to skip vulnerabilities by IDs.
read more here: By Vulnerability IDs

[christianmaierger]

@christianmaierger sorry, i missed your quick question. and i don't understand it. --ignorefile specifies .trivyignore file, that allows to skip vulnerabilities by IDs. read more here: By Vulnerability IDs

The issue is solved, no worries. I just thought the Problem would be trivy not using my ignore file, but the problem was with the ADV IDs, maybe you remember from the other threat

[afdesk]

The issue is solved, no worries. I just thought the Problem would be trivy not using my ignore file, but the problem was with the ADV IDs, maybe you remember from the other threat

oh, yes. sure.

[knqyf263]

For visibility #2711