
Malka123456

Fixes issue #20 from the Pluggable Scanner Spec.

Sets severity to "unknown" for images with no vulnerabilities.

Fixes a logging error in cmd/scanner-trivy.

Updates ensure consistent scanner report output and API compliance.

Signed-off-by: Malka123456 <malka988276@gmail.com>
@Malka123456 force-pushed the bugfix/no-severity-unknown branch from b9865ec to 282a63d on August 20, 2025 12:26
Malka123456 commented Aug 21, 2025

Hi @Vad1mo ,
I’ve worked on fixing issue goharbor/pluggable-scanner-spec#20 into the pluggable scanner-spec. After analyzing the issue, I found that the root cause is in harbor-scanner-trivy, where an empty string "" is returned when no severity is detected. This behavior is not allowed, so I updated the code to return "unknown" instead of an empty string when no severity is scanned.

I would really appreciate any suggestions for improvement, and I’m happy to make further changes based on your feedback.

Thank you for your time and review!

@reasonerjt

Sets severity to "unknown" for images with no vulnerabilities.

I don't think it's right. unknown normally means it has vuln but the severity is unknown. Let me double check the spec and talk to other maintainers.

@Malka123456

You’re right — I was thinking the same. Currently, harbor-scanner-trivy does not support the Negligible severity, even though it exists in the pluggable-scanner-spec. The issue also suggested returning Negligible instead of "" when no severity is found.

In my opinion, it would make sense to add support for Negligible in harbor-scanner-trivy for consistency with the spec. What do you think about aligning it this way?

@reasonerjt

@Malka123456 I think "Negligible" is also a severity level, and putting it at the artifact/image level means there ARE CVEs, but the highest severity is "Negligible".

May I know what the problem would be if the image has severity as "" if there's no CVE at all?

@Malka123456

Malka123456 commented Aug 26, 2025

@reasonerjt, thanks for clarifying. The concern with using an empty string ("") is that it’s not a valid enum value in the goharbor/pluggable-scanner-spec#20.

That’s why returning "" could cause inconsistencies or issues when clients strictly validate against the spec. In this case, using Negligible (which is already defined in the spec) would be more consistent and spec-compliant.
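To make the disagreement in this thread concrete, here is a small added example (not harbor-scanner-trivy's own code) of how an image-level severity is typically derived from the highest per-vulnerability severity, and why a client that validates strictly against the spec enum rejects the empty string an image with no findings currently gets. The enum values and their ordering are assumed from the pluggable scanner spec; the fallback argument is a hypothetical knob so the "Unknown" and "Negligible" candidates from the discussion can be compared.

```go
package main

import "fmt"

// Severity levels assumed from the pluggable scanner spec, ranked low to high.
var severityRank = map[string]int{
	"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5,
}

// HighestSeverity is the aggregation the thread describes: it returns the
// highest severity among the findings, and "" when there are no findings.
func HighestSeverity(findings []string) string {
	best := ""
	for _, s := range findings {
		if best == "" || severityRank[s] > severityRank[best] {
			best = s
		}
	}
	return best
}

// ImageSeverity wraps HighestSeverity with a hypothetical fallback for the
// no-findings case, so "Unknown" and "Negligible" can be compared side by side.
func ImageSeverity(findings []string, fallback string) string {
	if len(findings) == 0 {
		return fallback
	}
	return HighestSeverity(findings)
}

// ValidateSeverity models a strict client: anything outside the enum is rejected.
func ValidateSeverity(s string) error {
	if _, ok := severityRank[s]; !ok {
		return fmt.Errorf("severity %q is not a valid spec enum value", s)
	}
	return nil
}

func main() {
	// Constructed sample inputs: one image with findings, one without.
	withFindings := []string{"Low", "Critical", "Medium"}
	var noFindings []string
	fmt.Println("with findings:", HighestSeverity(withFindings), ValidateSeverity(HighestSeverity(withFindings)))
	fmt.Println("no findings, current behaviour:", ValidateSeverity(HighestSeverity(noFindings)))
	fmt.Println("no findings, Unknown fallback:", ValidateSeverity(ImageSeverity(noFindings, "Unknown")))
	fmt.Println("no findings, Negligible fallback:", ValidateSeverity(ImageSeverity(noFindings, "Negligible")))
}
```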
