Type: New Feature
Resolution: Unresolved
Priority: Major
The NeuVector standalone scanner reports all known vulnerabilities in a target image; these may be of high and/or medium severity. The plugin provides options to fail the build if the number of vulnerabilities exceeds a certain threshold. This works well.
However, each finding has a "fixed_version" property. If this value is non-empty, NeuVector is aware of an existing fix. When there is no known fix, it usually means that the corresponding CVE is too recent and little can be done to avoid it in the image.
In practice, even when the most recent images are scanned, there can be high-severity issues without known fixes. It would be great to have an option to exclude vulnerabilities whose "fixed_version" property is empty from the count. In such a mode, builds can still pass the pipeline when nothing can be done about the findings.
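The counting rule requested above, as an added illustration (this is not code from the NeuVector plugin and does not use its real report schema): the sample report, its field names (`vulnerabilities`, `name`, `severity`, `fixed_version`) and the CVE-style identifiers are constructed placeholders. The helper separates findings with a known fix from those without one, so that the threshold check can ignore unfixable findings while the build log still lists them instead of silently hiding them.

```python
import json

# Constructed sample scan output. Field names are assumed for this example;
# the identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-0001", "severity": "High",   "fixed_version": "1.2.4"},
        {"name": "CVE-PLACEHOLDER-0002", "severity": "High",   "fixed_version": ""},
        {"name": "CVE-PLACEHOLDER-0003", "severity": "Medium", "fixed_version": "2.0.1"},
        {"name": "CVE-PLACEHOLDER-0004", "severity": "Medium", "fixed_version": "   "},
        {"name": "CVE-PLACEHOLDER-0005", "severity": "Low",    "fixed_version": ""},
    ]
})

COUNTED_SEVERITIES = ("high", "medium")


def partition_findings(report_json):
    """Split high/medium findings into (fixable, unfixed) lists.

    A finding is 'unfixed' when its fixed_version is missing or blank,
    i.e. the scanner knows of no version that resolves it.
    """
    data = json.loads(report_json)
    fixable, unfixed = [], []
    for vuln in data.get("vulnerabilities", []):
        severity = str(vuln.get("severity", "")).lower()
        if severity not in COUNTED_SEVERITIES:
            continue  # low/unknown severities are not part of the gate
        if str(vuln.get("fixed_version") or "").strip():
            fixable.append(vuln)
        else:
            unfixed.append(vuln)
    return fixable, unfixed


def count_by_severity(findings):
    """Return {'high': n, 'medium': m} for a list of findings."""
    counts = {sev: 0 for sev in COUNTED_SEVERITIES}
    for vuln in findings:
        counts[str(vuln["severity"]).lower()] += 1
    return counts


def evaluate_gate(report_json, high_threshold, medium_threshold, ignore_unfixed=False):
    """Decide whether the build passes.

    With ignore_unfixed=False every high/medium finding counts (current
    behaviour). With ignore_unfixed=True only findings that have a known
    fixed_version count against the thresholds; the unfixed ones are still
    returned so the pipeline can print them for visibility.
    """
    fixable, unfixed = partition_findings(report_json)
    counted = fixable if ignore_unfixed else fixable + unfixed
    counts = count_by_severity(counted)
    passed = counts["high"] <= high_threshold and counts["medium"] <= medium_threshold
    return {"passed": passed, "counts": counts, "ignored_unfixed": unfixed if ignore_unfixed else []}


if __name__ == "__main__":
    for mode in (False, True):
        result = evaluate_gate(SAMPLE_REPORT, high_threshold=1, medium_threshold=1, ignore_unfixed=mode)
        print(f"ignore_unfixed={mode}: passed={result['passed']} counts={result['counts']}")
        for vuln in result["ignored_unfixed"]:
            print(f"  not counted (no known fix): {vuln['name']} [{vuln['severity']}]")
```

With thresholds of one high and one medium finding, the sample report fails the gate in the default mode (two of each) and passes when unfixed findings are excluded (one of each), while the two excluded findings are still printed so they are not lost from the build record.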