Failing to catch license failures #215
Open
Description
Describe the bug
The Trivy task v2 does not catch license failures
The license setting is missing from this file: `trivy-task/trivyV2/utils.ts`

```typescript
// Loop from trivy-task/trivyV2/utils.ts as quoted in the report: only
// Vulnerabilities, Misconfigurations and Secrets feed the highest severity;
// there is no branch for result.Licenses.
if (data && data.Results) {
  for (const result of data.Results) {
    if (result.Vulnerabilities) {
      for (const vulnerability of result.Vulnerabilities) {
        const severity = vulnerability.Severity;
        const index = severityLevels.indexOf(severity);
        if (index > highestIndex) {
          highestIndex = index;
        }
      }
    }
    if (result.Misconfigurations) {
      for (const misconfiguration of result.Misconfigurations) {
        const severity = misconfiguration.Severity;
        const index = severityLevels.indexOf(severity);
        if (index > highestIndex) {
          highestIndex = index;
        }
      }
    }
    if (result.Secrets) {
      for (const secret of result.Secrets) {
        const severity = secret.Severity;
        const index = severityLevels.indexOf(severity);
        if (index > highestIndex) {
          highestIndex = index;
        }
      }
    }
  }
}
```

Agent details
- Type: Hosted Agent
- OS: Ubuntu 24.04.3 LTS
- Version: 4.266.2
Task Version
2.7.96
Task Inputs

```yaml
steps:
  - task: trivy@2
    displayName: Security Scan with Trivy
    inputs:
      version: "latest"
      options: "--license-full"
      type: "filesystem"
      target: $(Build.SourcesDirectory)
      scanners: "license, misconfig, secret, vuln"
      severities: "UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL"
      failOnSeverityThreshold: "MEDIUM"
      publish: true
```

Error message
There is no error message. The issue is that the task does not catch the error.

```text
##[debug]Fail on severity threshold: HIGH
##[debug]Highest severity found: (index: -1)
##[debug]Severity threshold: HIGH (index: 3)
##[debug]Highest severity breached: false
```
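The behaviour the report describes, as an added example that is not the task's own code: a severity aggregator that walks every finding section Trivy emits per result, including `Licenses`, and compares the highest index against the `failOnSeverityThreshold` value. The `severityLevels` order (HIGH at index 3) is taken from the debug output above; the `Licenses` array with a `Severity` field matches Trivy's JSON report format; the `sampleReport` is constructed for the demonstration. Passing a section list that omits `Licenses` reproduces the `index: -1` result from the issue, which is what makes the threshold check pass silently.

```typescript
// Added example (not from the trivy-azure-pipelines-task project).
// Order assumed from the issue's debug output: HIGH is index 3.
const severityLevels = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"];

interface Finding {
  Severity?: string;
}

// Finding arrays a Trivy result can carry; Licenses is the one the
// quoted loop in utils.ts never visits.
type FindingSection = "Vulnerabilities" | "Misconfigurations" | "Secrets" | "Licenses";

interface TrivyResult {
  Target?: string;
  Vulnerabilities?: Finding[];
  Misconfigurations?: Finding[];
  Secrets?: Finding[];
  Licenses?: Finding[];
}

interface TrivyReport {
  Results?: TrivyResult[];
}

const allSections: FindingSection[] = [
  "Vulnerabilities",
  "Misconfigurations",
  "Secrets",
  "Licenses",
];

// Highest severity index across the given sections of every result.
// Returns -1 when no finding is present (or every severity is unknown),
// mirroring the "(index: -1)" debug line from the issue.
function highestSeverityIndex(
  data: TrivyReport,
  sections: FindingSection[] = allSections,
): number {
  let highestIndex = -1;
  for (const result of data.Results ?? []) {
    for (const section of sections) {
      const findings = result[section];
      if (!Array.isArray(findings)) continue;
      for (const finding of findings) {
        const index = severityLevels.indexOf(finding.Severity ?? "");
        if (index > highestIndex) highestIndex = index;
      }
    }
  }
  return highestIndex;
}

// True when the highest finding reaches the configured threshold, so the
// pipeline step should fail.
function thresholdBreached(data: TrivyReport, threshold: string): boolean {
  const thresholdIndex = severityLevels.indexOf(threshold);
  if (thresholdIndex < 0) {
    throw new Error(`unknown severity threshold: ${threshold}`);
  }
  return highestSeverityIndex(data) >= thresholdIndex;
}

// Constructed sample report: no vulnerabilities, misconfigurations or
// secrets, only one HIGH license finding, the situation the issue describes.
const sampleReport: TrivyReport = {
  Results: [
    { Target: "package.json", Licenses: [{ Severity: "HIGH" }] },
    { Target: "Dockerfile", Misconfigurations: [] },
  ],
};

// Sections the quoted utils.ts loop actually checks.
const sectionsWithoutLicenses: FindingSection[] = [
  "Vulnerabilities",
  "Misconfigurations",
  "Secrets",
];

console.log(
  "with Licenses:   highest index",
  highestSeverityIndex(sampleReport),
  "breached(MEDIUM) =",
  thresholdBreached(sampleReport, "MEDIUM"),
);
console.log(
  "without Licenses: highest index",
  highestSeverityIndex(sampleReport, sectionsWithoutLicenses),
);
```

Running the block prints index 3 and `breached(MEDIUM) = true` when `Licenses` is included, and index -1 when it is not, so a pipeline relying on the omitted branch will never fail on a license finding regardless of the threshold.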