
pre-commit hook returns failed after adding the findings to .trivyignore #17

Open
MichaelMorozovCodit opened this issue Mar 25, 2024 · 5 comments

Comments

@MichaelMorozovCodit

Finding returns the following:

trivyfs-docker...........................................................Failed
- hook id: trivyfs-docker
- exit code: 1
- files were modified by this hook

2024-03-25T12:27:20.991Z        INFO    Vulnerability scanning is enabled
2024-03-25T12:27:20.991Z        INFO    Secret scanning is enabled
2024-03-25T12:27:20.991Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-25T12:27:20.991Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-25T12:27:21.617Z        INFO    Number of language-specific files: 1
2024-03-25T12:27:21.617Z        INFO    Detecting nuget vulnerabilities...

src/Codito.Esb.B2b.Order.Import/integrationtests/packages.config (nuget)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ Microsoft.Rest.ClientRuntime │ CVE-2022-26907 │ MEDIUM   │ fixed  │ 2.3.19            │ 2.3.24        │ Azure SDK for .NET Information Disclosure Vulnerability. │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-26907               │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ Newtonsoft.Json              │ CVE-2024-21907 │ HIGH     │        │ 10.0.3            │ 13.0.1        │ Improper Handling of Exceptional Conditions in           │
│                              │                │          │        │                   │               │ Newtonsoft.Json                                          │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21907               │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

To ignore these findings I add these to the .trivyignore:

CVE-2024-21907
CVE-2022-26907

Executing git add -A and then git commit -m "message" returns a failed test but no findings:

trivyfs-docker...........................................................Failed
- hook id: trivyfs-docker
- files were modified by this hook

2024-03-25T12:29:51.737Z        INFO    Vulnerability scanning is enabled
2024-03-25T12:29:51.737Z        INFO    Secret scanning is enabled
2024-03-25T12:29:51.737Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-25T12:29:51.737Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-25T12:29:52.417Z        INFO    Number of language-specific files: 1
2024-03-25T12:29:52.417Z        INFO    Detecting nuget vulnerabilities...

Adding the detected vulnerabilities should return a Passed test.

The pre-commit config looks like this for pre-commit-trivy:

-   repo: https://github.com/mxab/pre-commit-trivy
    rev: v0.11.0
    hooks:
    -   id: trivyfs-docker
        args:
        -   --skip-dirs
        -   ./tests
        -   ./

Running on Windows 11.

@mxab
Owner

mxab commented Mar 29, 2024

In the second run does it just fail or does it also print out the vulnerabilities and you just omitted them?

Does it work if you directly run trivy fs --skip-dirs ./tests . ?

@MichaelMorozovCodit
Author

It just fails, no report. The output above is the exact output I receive in the terminal of my IDE, so no, no report. Before I tried this hook, I was running trivy as a custom script I inserted in the pre-commit file of the .git folder, and it worked as expected.

@mxab
Owner

mxab commented Apr 2, 2024

OK, there is also the other message: "- files were modified by this hook". Is the pre-commit hook maybe "failing" because of a modified file? Not sure which one this could be, but the error message would hint at something like that.

@MichaelMorozovCodit
Author

Well, that's the thing: I don't know if your hook automatically edits files. If yes, the issue must lie there. If not, I wouldn't know where this message would come from. As I said, running a custom trivy script in the pre-commit file gives no problems. This script looks like this:

# Only scan when the trivy binary is on PATH; otherwise tell the committer how to install it.
if ! command -v trivy >/dev/null 2>&1; then
    echo "trivy not installed, run trivy_install.ps1 or install trivy manually and add to path."
else
    echo "Running trivy scan..."
    # Scan the current repository; a non-zero exit here fails the commit.
    trivy repo ./
fi

@mxab
Owner

mxab commented Apr 8, 2024

The only file that would "change" is the `.pre-commit-trivy-cache`. Do you see this modified after the failed run? I would assume that this is in the gitignore part and should therefore be ignored?
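pre-commit marks a hook as Failed when the working tree differs before and after the hook runs, even if the hook itself exits 0, which is what the "files were modified by this hook" line in the second run reports. The following helper is an added example (not part of pre-commit-trivy or of this thread) for answering the question above, i.e. which paths a hook actually writes: it checksums every regular file under a directory before and after running a command and prints the paths that are new, changed or deleted. Unlike pre-commit, which compares `git diff` output, it also flags untracked and gitignored files such as a cache directory; `fake_trivy_hook` is a constructed stand-in for the real hook that only writes its cache.

```shell
# One "crc size path" line per regular file below $1, sorted so comm(1) can diff it.
# Assumption: paths contain no whitespace (cksum output is split on spaces).
snapshot() {
    find "$1" -type f -exec cksum {} + | LC_ALL=C sort
}

# Usage: modified_by_hook DIR CMD [ARGS...]
# Runs CMD, then prints every path under DIR that is new, changed or deleted.
# The hook's own exit code goes to stderr so the two failure causes stay separate.
modified_by_hook() {
    dir=$1; shift
    before=$(mktemp); after=$(mktemp)
    snapshot "$dir" > "$before"
    hook_status=0
    "$@" || hook_status=$?
    snapshot "$dir" > "$after"
    echo "hook exit code: $hook_status" >&2
    # comm -3 keeps lines present in only one snapshot; the last field is the path.
    LC_ALL=C comm -3 "$before" "$after" | awk '{print $NF}' | sort -u
    rm -f "$before" "$after"
}

# Constructed stand-in for trivyfs-docker: scans nothing, only writes its cache dir.
fake_trivy_hook() {
    mkdir -p .pre-commit-trivy-cache
    printf 'db-updated\n' > .pre-commit-trivy-cache/marker
}

# Demo in a throwaway directory with constructed repo files; prints the paths the
# hook changed (here only the cache file, which is what pre-commit would trip on).
demo() {
    work=$(mktemp -d)
    ( cd "$work" &&
      printf 'CVE-2024-21907\nCVE-2022-26907\n' > .trivyignore &&
      printf '<packages />\n' > packages.config &&
      modified_by_hook . fake_trivy_hook 2>/dev/null )
    rm -rf "$work"
}
```

Wrap the real hook the same way (`modified_by_hook . trivy fs --skip-dirs ./tests .`) from the repository root to see whether `.pre-commit-trivy-cache` or anything else is written during the run.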
