Using --show-suppressed flag does not work for json format

[dus7eh]

Description

Experimental --show-suppressed flag works well in table format but not in json.

Desired Behavior

--show-supressed flag is respected when using json output format

Actual Behavior

Suppressed CVE is not visible in json report.
Still I know they it is detected since:

• it is stated explicitly in logs that the issue is ignored
• when ignorefile is removed from the CLI args it shows in the report

Reproduction Steps

1. Run image vuln scan with show-suppressed flag and json format
2. Verify output json report to find out that the suppressed CVEs are missing from report

Target

Container Image

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Debug Output

Important part:


2024-04-10T10:44:43.631Z        DEBUG   Detecting library vulnerabilities, type: jar, path: 
2024-04-10T10:44:43.636Z        DEBUG   Found an ignore yaml: trivyignore-merged.yml
2024-04-10T10:44:43.636Z        DEBUG   Ignored {"id": "CVE-2016-1000027", "path": "Java"} 

### Operating System

Linux

### Version

```bash
Version: 0.50.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-10 06:10:52.361857072 +0000 UTC
  NextUpdate: 2024-04-10 12:10:52.361856681 +0000 UTC
  DownloadedAt: 2024-04-10 08:06:30.184226953 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-04-10 00:48:15.050950896 +0000 UTC
  NextUpdate: 2024-04-13 00:48:15.050950736 +0000 UTC
  DownloadedAt: 2024-04-10 08:46:06.923034012 +0000 UTC

Checklist

• Run trivy image --reset
• Read the troubleshooting

[knqyf263]

It seems like we forgot to add it to the document. I'll update it.

trivy/pkg/types/report.go

Lines 116 to 119 in 183eaaf

	// ModifiedFindings holds a list of findings that have been modified from their original state.
	// This can include vulnerabilities that have been marked as ignored, not affected, or have had
	// their severity adjusted. It is currently available only in the table format.
	ModifiedFindings []ModifiedFinding `json:"-"`

[knqyf263]

#6494

[bpfoster]

Would you consider adding the suppressed vulnerabilities to the JSON? I could use this information. It would also be helpful to include the impact_statement from a VEX file (required when status = not_affected).

[knqyf263]

Since it's still an experimental feature, we don't want to encourage users to use the field in JSON, as it makes it difficult to change the field schema in the future. Do you think ExperimentalModifiedFindings or something like that is okay?

[bpfoster]

Ok, that is fair. ExperimentalModifiedFindings would work for me if you are willing to do that.

I have been able to get what I need by using the output of --list-all-pkgs and correlating to the VEX data, but if included it would simplify things.

If/when this feature graduates from experimental status, I do think it would be beneficial to differentiate between vulnerabilities that are absolutely not applicable, and vulnerabilities that, by standard measures appear to be applicable, but have been determined by a secondary tool to not apply.

[knqyf263]

Created #7382