
Using skip_cve_package parameter with CVE-2023-46298 returns a failure #161

Open
anastasialanz opened this issue Feb 1, 2024 · 2 comments

Comments


anastasialanz commented Feb 1, 2024

When testing out the functionality of the skip_cve_package parameter, I set it to CVE-2023-46298 to ignore this issue in the next.js package. After running the Checkov GitHub action, the PR still fails. Is there something else I would need to do to not have it fail if this package can't be updated immediately?

Example checkov.yml GitHub Action:

```yaml
- name: Run Prisma Cloud
  id: prisma-cloud
  uses: bridgecrewio/checkov-action@v12
  with:
    api-key: ***
    output_format: cli
    framework: github_actions,sca_package
    skip_cve_package: CVE-2023-46298
```

CLI output:

```
       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.2
Update available 3.2.2 -> 3.2.3
Run pip3 install -U checkov to update


sca_package scan results:

Failed checks: 1, Skipped checks: 371

	/package.json - CVEs Summary:
	┌──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┐
	│ Total CVEs: 1        │ critical: 0          │ high: 0              │ medium: 0            │ low: 1               │ skipped: 0           │ Total Packages Used: │
	│                      │                      │                      │                      │                      │                      │ 0                    │
	├──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┤
	│ To fix 0/1 CVEs, go to https://www.bridgecrew.cloud/                                                                                                           │
	├──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┤
	│ Package [Lines]      │ CVE ID               │ Severity             │ Current version      │ Root fixed version   │ Compliant version    │ Reachability         │
	├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┤
	│ next [71-71]         │ CVE-2023-46298       │ LOW                  │ 12.3.4               │ N/A                  │ N/A                  │                      │
	└──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘
```
Saarett (Contributor) commented Feb 5, 2024

Hi @anastasialanz , as a paying customer of Prisma Cloud, you may reach out to your Customer Success representative so they can assist you 🙂

tsmithv11 (Contributor) commented

@anastasialanz thanks for reaching out! The flag you're using is for "package" level skipping, e.g., skip_cve_package: next. To skip the CVE, you need to use: skip_check: CKV_CVE_2023_46298 as documented here: https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html

I hope that helps!
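The two suppression forms side by side, as an added example that is not part of the original issue or the checkov project's own documentation. It assumes the same checkov-action inputs the reporter used (`api-key`, `output_format`, `framework`) plus the two inputs named in the replies (`skip_cve_package` and `skip_check`); the API key value is a placeholder.

```yaml
# Option A: suppress every CVE reported against one package.
# skip_cve_package takes a package name, not a CVE ID, which is why
# the reporter's value of CVE-2023-46298 had no effect.
- name: Run Prisma Cloud (skip all CVEs for the next package)
  id: prisma-cloud-package-skip
  uses: bridgecrewio/checkov-action@v12
  with:
    api-key: ${{ secrets.PRISMA_API_KEY }}   # placeholder secret name
    output_format: cli
    framework: github_actions,sca_package
    skip_cve_package: next

# Option B: suppress exactly one CVE and keep reporting the rest.
# The check ID is the CVE ID with a CKV_ prefix and hyphens replaced
# by underscores: CVE-2023-46298 -> CKV_CVE_2023_46298.
- name: Run Prisma Cloud (skip a single CVE check)
  id: prisma-cloud-check-skip
  uses: bridgecrewio/checkov-action@v12
  with:
    api-key: ${{ secrets.PRISMA_API_KEY }}   # placeholder secret name
    output_format: cli
    framework: github_actions,sca_package
    skip_check: CKV_CVE_2023_46298
```

Option B is the narrower suppression: a second, unrelated CVE in `next` would still fail the job, whereas Option A silences the whole package. After changing the input, confirm in the CVEs Summary table that the `skipped` column is no longer 0 for the suppressed finding.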
