
Trivy fails on revoked CVE #1012

Closed
limolitz opened this issue May 21, 2021 · 3 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@limolitz

Description

Trivy finds CVE-2021-23334 in the static-eval JavaScript package and fails because of it. This CVE has been revoked, so it should not influence the exit code of trivy.

What did you expect to happen?

The revoked CVE is not shown and trivy exits with exit code 0.

What happened instead?

The CVE is displayed and the exit code is 1.

Output of run with --debug:

# trivy --exit-code 1 --debug --severity HIGH,CRITICAL <IMAGENAME>:latest
2021-05-21T14:34:43.739Z        DEBUG   Severities: HIGH,CRITICAL
2021-05-21T14:34:43.739Z        WARN    You should avoid using the :latest tag as it is cached. You need to specify '--clear-cache' option when :latest image is changed
2021-05-21T14:34:43.751Z        DEBUG   cache dir:  /root/.cache/trivy
2021-05-21T14:34:43.751Z        DEBUG   There is no valid metadata file: unable to open a file: open /root/.cache/trivy/db/metadata.json: no such file or directory
2021-05-21T14:34:43.751Z        INFO    Need to update DB
2021-05-21T14:34:43.751Z        INFO    Downloading DB...
2021-05-21T14:34:43.751Z        DEBUG   no metadata file
2021-05-21T14:34:43.923Z        DEBUG   release name: v1-2021052112
2021-05-21T14:34:43.923Z        DEBUG   asset name: trivy-light-offline.db.tgz
2021-05-21T14:34:43.923Z        DEBUG   file name doesn't match
2021-05-21T14:34:43.923Z        DEBUG   asset name: trivy-light.db.gz
2021-05-21T14:34:43.923Z        DEBUG   file name doesn't match
2021-05-21T14:34:43.923Z        DEBUG   asset name: trivy-offline.db.tgz
2021-05-21T14:34:43.923Z        DEBUG   file name doesn't match
2021-05-21T14:34:43.923Z        DEBUG   asset name: trivy.db.gz
2021-05-21T14:34:43.953Z        DEBUG   asset URL: https://github-releases.githubusercontent.com/216830441/55c1f000-ba2d-11eb-9f53-134a4f47a800?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20210521%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20210521T143248Z&X-Amz-Expires=300&X-Amz-Signature=88c2c384c4c3e8e4ec1db8bbb02c57dbcc29288adc3b08e94df22ac9cfa0cdfc&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=216830441&response-content-disposition=attachment%3B%20filename%3Dtrivy.db.gz&response-content-type=application%2Foctet-stream
21.42 MiB / 21.42 MiB [---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 27.77 MiB p/s 1s
2021-05-21T14:34:44.949Z        DEBUG   Updating database metadata...
2021-05-21T14:34:44.949Z        DEBUG   DB Schema: 1, Type: 1, UpdatedAt: 2021-05-21 12:05:58.944391619 +0000 UTC, NextUpdate: 2021-05-22 00:05:58.944391319 +0000 UTC, DownloadedAt: 2021-05-21 14:34:44.949250651 +0000 UTC
2021-05-21T14:34:44.966Z        DEBUG   Vulnerability type:  [os library]
2021-05-21T14:35:13.602Z        DEBUG   Artifact ID: sha256:a66ae40d7a5a0ad0ab1dfcfc6dd483708b62e0634bf00254859a22c36fe03a67
2021-05-21T14:35:13.606Z        INFO    Detecting Ubuntu vulnerabilities...
2021-05-21T14:35:13.607Z        DEBUG   ubuntu: os version: 18.04
2021-05-21T14:35:13.607Z        DEBUG   ubuntu: the number of packages: 232
2021-05-21T14:35:13.622Z        DEBUG   Detecting library vulnerabilities, path: var/django/package-lock.json
2021-05-21T14:35:13.622Z        INFO    Detecting  vulnerabilities...

IMAGENAME:latest (ubuntu 18.04)
========================================
Total: 0 (HIGH: 0, CRITICAL: 0)


var/django/package-lock.json
============================
Total: 1 (HIGH: 0, CRITICAL: 1)

+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
|   LIBRARY   | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+
| static-eval | CVE-2021-23334   | CRITICAL | 2.1.0             |               | Withdrawn: Arbitrary Code             |
|             |                  |          |                   |               | Execution in static-eval              |
|             |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2021-23334 |
+-------------+------------------+----------+-------------------+---------------+---------------------------------------+

Output of trivy -v:

$ trivy --version
Version: 0.16.0

Additional details (base image name, container registry info...):

@limolitz limolitz added the kind/bug Categorizes issue or PR as related to a bug. label May 21, 2021
@knqyf263 knqyf263 added the triage/needs-information Indicates an issue needs more information in order to work on it. label May 24, 2021
@knqyf263 (Collaborator)

How did you know it's been revoked? I didn't find it.
https://nvd.nist.gov/vuln/detail/CVE-2021-23334

@limolitz (Author)

There is some discussion here. I assumed that because the title says withdrawn, it was already withdrawn, but it seems like the MITRE database isn't updated yet.

@github-actions

This issue is stale because it has been labeled with inactivity.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and will be auto-closed. label Jul 24, 2021
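The gate behaviour this report describes (a finding whose title says "Withdrawn" still flips `--exit-code 1`) can be controlled on the consumer side without waiting for the database to catch up. The following is an added example, not Trivy's own code: it post-processes Trivy's JSON report, applies a reviewed ignore list in the style of Trivy's `.trivyignore` file, optionally honours the "Withdrawn:" title hint, and derives the exit code from what is left. The report shape (`Results[].Vulnerabilities[]`), the second finding and the file contents are constructed assumptions.

```python
import json
from typing import Iterable

# Constructed sample in the shape Trivy's JSON report uses (assumed here: Results[].Vulnerabilities[]
# with VulnerabilityID/Severity/Title). First finding mirrors the issue's table; second is a placeholder.
SAMPLE_REPORT = json.dumps({"Results": [
    {"Target": "IMAGENAME:latest (ubuntu 18.04)", "Vulnerabilities": None},
    {"Target": "var/django/package-lock.json", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2021-23334", "PkgName": "static-eval", "Severity": "CRITICAL",
         "Title": "Withdrawn: Arbitrary Code Execution in static-eval"},
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "example-pkg", "Severity": "HIGH",
         "Title": "Constructed placeholder finding"},
    ]},
]})

# Constructed .trivyignore-style content: one ID per line, '#' starts a comment.
SAMPLE_IGNORE = "# reviewed 2021-05-21: advisory marked withdrawn\nCVE-2021-23334\n"


def parse_ignore(text: str) -> set:
    """Read an ignore list: drop comments and blank lines, normalise case."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line.upper())
    return ids


def remaining_findings(report_json: str, ignore_text: str,
                       severities: Iterable[str], drop_withdrawn: bool = False) -> list:
    """Findings that should still fail the gate: selected severities, minus ignored IDs,
    minus (opt-in) titles starting with 'Withdrawn:'. The title check is opt-in because,
    as the thread notes, the title said withdrawn while MITRE/NVD still listed the CVE."""
    ignored = parse_ignore(ignore_text)
    wanted = {s.upper() for s in severities}
    kept = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:  # null when a target is clean
            if v.get("Severity", "").upper() not in wanted:
                continue
            if v["VulnerabilityID"].upper() in ignored:
                continue
            if drop_withdrawn and v.get("Title", "").lower().startswith("withdrawn:"):
                continue
            kept.append((result["Target"], v["VulnerabilityID"], v["Severity"]))
    return kept


def gate_exit_code(report_json, ignore_text, severities, drop_withdrawn=False) -> int:
    # 1 = fail the build on what is left, 0 = clean (same contract as --exit-code 1)
    return 1 if remaining_findings(report_json, ignore_text, severities, drop_withdrawn) else 0
```

Run `trivy --format json` and feed its output plus the ignore file to `gate_exit_code`; the reviewed ignore list, not the title string, is what should decide whether a build passes.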