Suppressed CVEs shown even without --show-suppressed

[mgzenitech]

What happened:

.grype.yaml

---
ignore:
  vulnerability: CVE-2018-20225
...

When running grype ${docker_image} -f negligible I get suppressed items in the list.

NAME  INSTALLED  FIXED-IN  TYPE    VULNERABILITY   SEVERITY          
pip   23.1.2               python  CVE-2018-20225  High (suppressed) 

What you expected to happen:

Message is output that shows no CVEs detected.

How to reproduce it (as minimally and precisely as possible):

Run any Python image with pip preinstalled image from Docker hub.

Anything else we need to know?:

Environment:

• Output of grype version:

Application:          grype
Version:              0.61.1
Syft Version:         v0.79.0
BuildDate:            2023-04-21T17:11:07Z
GitCommit:            3caabc87114a3e0cbfbac7770989bc81e2f5a957
GitDescription:       v0.61.1
Platform:             linux/amd64
GoVersion:            go1.19.8
Compiler:             gc
Supported DB Schema:  5

• OS (e.g: cat /etc/os-release or similar):

[tgerla]

Hi @mgzenitech, I've been able to reproduce this using:

grype -o table python

...with the appropriate CVE set to be ignored in my configuration file. I think there is probably a bug in the --show-suppressed logic. We will add this to our backlog for further investigation and hopefully a fix. Thanks for the report!

[tgerla]

Related to: #1053