
Improve output when CVEs are set to "Ignore" or "Mitigated" #1752

Closed
terriko opened this issue Jul 6, 2022 · 3 comments
Labels
enhancement New feature or request
Comments

@terriko
Contributor

terriko commented Jul 6, 2022

Right now, we report the number of CVEs found even if our triage then says we want to ignore them. This probably isn't what we want. We should instead report

  1. the number of CVEs found minus any that are ignored or mitigated
  2. a count of CVEs that are ignored or mitigated (so these are known and can be re-evaluated if needed)
@terriko terriko added the enhancement New feature or request label Jul 6, 2022
@terriko terriko added this to the future milestone Jul 6, 2022
@terriko
Contributor Author

terriko commented Jul 6, 2022

@terriko terriko changed the title Change output when CVEs are set to "Ignore" Improve output when CVEs are set to "Ignore" or "Mitigated" Jul 6, 2022
@terriko
Contributor Author

terriko commented Jul 6, 2022

Realized we probably don't want to report "mitigated" issues either, changed title and comment to reflect that.

@terriko terriko modified the milestones: future, 3.2 Sep 28, 2022
@anthonyharrison
Contributor

There are also instances where the reported numbers don't seem to be adding up. I tried this when disabling a data source, which seems to introduce a few issues.

There are 29 CVEs identified by cve_scanner but the summary only shows 27 CVEs. This is because there are CVEs with UNKNOWN severity which are not included in the summary.

It states that there are 7 files but there are 8 files shown. This is because a product was being added if there ARE CVEs, but if all the CVEs are from a disabled data source, the product was still being included.

[image: screenshot of the scan summary attached to this comment]

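As an added example (not code from cve-bin-tool or from either commenter), here is a small Python summary routine that applies both points raised in this thread: it reports the found count minus ignored/mitigated CVEs alongside a separate count of those triaged-out CVEs, keeps UNKNOWN severity as a bucket in the per-severity table so the totals add up, and drops a product whose only CVEs came from a disabled data source. The record fields, the remark strings, the disabled-source handling and the function names are assumptions made for illustration; the real tool's triage remark names and data model may differ.

```python
"""Summary counts for a CVE scan that respect triage and disabled data sources.

Added illustration, not cve-bin-tool code. Field names, remark strings and
the disabled-source mechanism are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Triage remarks that remove a CVE from the headline count (assumed names).
TRIAGED_OUT = {"ignored", "mitigated"}
# Every bucket the summary table prints; UNKNOWN is included so totals add up.
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")


@dataclass(frozen=True)
class CveRecord:
    product: str
    version: str
    cve_number: str
    severity: str
    source: str          # data source that reported it, e.g. "NVD" (assumed field)
    remark: str = "new"  # triage state: "new", "ignored", "mitigated", ... (assumed)


def normalize_severity(severity: str) -> str:
    """Map anything outside the known buckets to UNKNOWN instead of dropping it."""
    sev = severity.strip().upper()
    return sev if sev in SEVERITIES else "UNKNOWN"


def summarize(records: Iterable[CveRecord], disabled_sources: Iterable[str] = ()) -> dict:
    disabled = set(disabled_sources)
    # A CVE known only through a disabled source is not reported at all, and
    # neither is a product whose every CVE came from such a source.
    visible = [r for r in records if r.source not in disabled]
    active = [r for r in visible if r.remark not in TRIAGED_OUT]
    triaged = [r for r in visible if r.remark in TRIAGED_OUT]

    by_severity = Counter(normalize_severity(r.severity) for r in active)
    products = {(r.product, r.version) for r in visible}

    summary = {
        "total_found": len(visible),
        "active": len(active),        # found minus ignored/mitigated
        "triaged_out": len(triaged),  # still reported so it can be re-evaluated
        "by_severity": {s: by_severity.get(s, 0) for s in SEVERITIES},
        "products": len(products),
    }
    # Sanity check: the per-severity table must account for every active CVE.
    summary["consistent"] = sum(summary["by_severity"].values()) == summary["active"]
    return summary


def format_summary(summary: dict) -> str:
    lines = [
        f"{summary['active']} CVEs to act on "
        f"({summary['triaged_out']} ignored or mitigated, "
        f"{summary['total_found']} found in total)",
        f"{summary['products']} product(s) affected",
    ]
    for sev in SEVERITIES:
        lines.append(f"  {sev:<9}{summary['by_severity'][sev]}")
    return "\n".join(lines)


# Constructed sample scan with placeholder CVE ids, not real advisories.
SAMPLE = [
    CveRecord("openssl", "1.1.1", "CVE-0000-0001", "HIGH", "NVD"),
    CveRecord("openssl", "1.1.1", "CVE-0000-0002", "unknown", "NVD"),
    CveRecord("openssl", "1.1.1", "CVE-0000-0003", "MEDIUM", "NVD", "mitigated"),
    CveRecord("zlib", "1.2.11", "CVE-0000-0004", "LOW", "NVD", "ignored"),
    CveRecord("curl", "7.0", "CVE-0000-0005", "CRITICAL", "OSV"),
    CveRecord("libpng", "1.6", "CVE-0000-0006", "HIGH", "NVD"),
]

if __name__ == "__main__":
    # With OSV disabled, curl's only CVE disappears and so does the curl product.
    print(format_summary(summarize(SAMPLE, disabled_sources=["OSV"])))
```

With the OSV source disabled the sample yields 5 visible CVEs, 3 active, 2 ignored/mitigated, 3 products, and a severity table of HIGH 2 / UNKNOWN 1 that sums to the active count; the `consistent` flag is the check that would have caught the 29-versus-27 discrepancy described above.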
johnandersen777 pushed a commit to johnandersen777/cve-bin-tool that referenced this issue Nov 23, 2022