feat(vuln): show suppressed vulnerabilities in table

[knqyf263]

Description

This PR extends the request described in #3464 by not only displaying vulnerabilities ignored via .trivyignore but also those suppressed through Rego policies and declared as not affected by Vulnerability Exploitability eXchange (VEX). Furthermore, it shows the rationale behind suppression defined in .trivyignore.yaml and VEX.

When the --show-suppressed flag is specified, it now displays suppressed vulnerabilities alongside the regular detected vulnerabilities as follows:

$ trivy image --vex debian11.csaf.vex --ignorefile .trivyignore.yaml --show-suppressed debian:11
...

Suppressed Vulnerabilities (Total: 9)
======================================
┌───────────────┬───────────────┬──────────┬──────────────┬─────────────────────────────────────────────┬───────────────────┐
│    Library    │ Vulnerability │ Severity │    Status    │                  Statement                  │      Source       │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ libdb5.3      │ CVE-2019-8457 │ CRITICAL │ not_affected │ vulnerable_code_not_in_execute_path         │ CSAF VEX          │
├───────────────┼───────────────┼──────────┼──────────────┼─────────────────────────────────────────────┼───────────────────┤
│ bsdutils      │ CVE-2022-0563 │ LOW      │ ignored      │ Accept the risk                             │ .trivyignore.yaml │
├───────────────┤               │          │              │                                             │                   │
│ libblkid1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libmount1     │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libsmartcols1 │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ libuuid1      │               │          │              │                                             │                   │
├───────────────┤               │          │              │                                             │                   │
│ mount         │               │          │              │                                             │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ tar           │ CVE-2005-2541 │          │              │ The vulnerable configuration is not enabled │                   │
├───────────────┼───────────────┤          │              ├─────────────────────────────────────────────┤                   │
│ util-linux    │ CVE-2022-0563 │          │              │ Accept the risk                             │                   │
└───────────────┴───────────────┴──────────┴──────────────┴─────────────────────────────────────────────┴───────────────────┘

It's important to note that vulnerabilities filtered out by --severity --ignore-unfixed or --ignore-status will not be displayed with --show-suppressed. To clarify this, we've defined two phases in the filtering process:

• Prioritization
• Suppression

The --show-suppressed flag is specifically designed to reveal vulnerabilities filtered during the Suppression phase.

Caveat

While this extension is applicable beyond vulnerabilities to include misconfigurations, secrets, and licenses, this PR focuses on vulnerabilities due to its size. Future PRs will address other aspects.

Additionally, due to potential changes in internal implementation, the suppressed vulnerabilities are currently only displayed in table format. Support for JSON and other formats is planned once the implementation stabilizes.

Related issues

• Close Include ignored CVEs in report, explicitly marked as ignored #3464

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[knqyf263]

@DmitriyLewen I carefully split changes into commits. You can see the commits one by one.

This PR is still a draft, but it's 95% done. You can start reviewing. I'm looking to add a log message about --show-suppressed when any vulnerabilities are suppressed.

[DmitriyLewen]

@knqyf263
Looks good. I left some small comments. Take a look, please.

[DmitriyLewen]

@knqyf263 I forgot to write you:
can you add test in https://github.com/aquasecurity/trivy/blob/main/pkg/report/table/table_test.go with suppressed table?

[knqyf263]

@DmitriyLewen I missed it. I'll update the test. Thanks!

[knqyf263]

@DmitriyLewen It's ready for review!

[DmitriyLewen]

LGTM 👍