Originally posted by kanton10062006 March 19, 2024
Description
Hello,
With the most recent release, I've noticed that trivy report/output is not empty even if there are no findings when some particular findings are in place in .trivyignore.yaml.
The previous version did not have such behavior as expected.
Our CI/CD relies on this report; if something exists within the report, CI proceeds with different logic.
It reproduces for vuln and license scanners.
Desired Behavior
Completely empty report:
./trivy --version
2024-03-19T15:10:56.700+0100 INFO Loaded trivy.yaml
Version: 0.49.0
Vulnerability DB:
Version: 2
UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC
./trivy fs -q --scanners vuln .
2024-03-19T15:11:01.736+0100 INFO Loaded trivy.yaml
Actual Behavior
Here is an example of the actual output:
trivy --version
2024-03-19T15:09:27.820+0100 INFO Loaded trivy.yaml
Version: 0.50.0
Vulnerability DB:
Version: 2
UpdatedAt: 2024-03-19 12:11:32.850008953 +0000 UTC
NextUpdate: 2024-03-19 18:11:32.850008412 +0000 UTC
DownloadedAt: 2024-03-19 13:37:47.401184 +0000 UTC
Policy Bundle:
Digest: sha256:cdff1bc8c97e4f5cd04782b057c00f5ea8cd81147a506ac4be76bef13710f2d3
DownloadedAt: 2024-03-14 12:20:41.064572 +0000 UTC
trivy fs -q --scanners vuln .
2024-03-19T15:09:30.501+0100 INFO Loaded trivy.yaml
package-lock.json (npm)
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Reproduction Steps
1. Install latest (v0.50.0) trivy version
2. Scan some package.json with findings
3. Add those findings to the .trivyignore.yaml
4. Scan it one more time
5. Observe non-empty report
6. Repeat previous steps with the earlier trivy version (v0.49.0 for example)
7. Observe empty report
Hey @DmitriyLewen,
Do you have any plans to merge the PR related to this issue?
As I can see the major 0.51.0 version has been released recently but without this fix, unfortunately...
Thanks and looking forward to your reply.
Discussed in #6349
Target
Filesystem
Scanner
Vulnerability
Output Format
Table
Mode
Standalone
Debug Output
trivy fs -q --scanners vuln . --debug
2024-03-19T15:17:07.236+0100 INFO Loaded trivy.yaml
package-lock.json (npm)
Total: 0 (MEDIUM: 0, HIGH: 0, CRITICAL: 0)
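The CI gate described in the post keys on whether the report is empty. As an added example (not part of the original post and not Trivy's own code), this gate counts findings in a JSON report (`--format json`) instead, so a target listed with zero findings does not trip it. The `Results[].Vulnerabilities` / `Results[].Licenses` layout is assumed, and the sample reports and function names are constructed for illustration.

```python
import json

# Assumed Trivy JSON layout: each Results[] entry lists its findings under these keys.
FINDING_KEYS = ("Vulnerabilities", "Licenses")


def count_findings(report_text):
    """Map each target with findings to its finding count."""
    text = report_text.strip()
    if not text:
        return {}  # completely empty output counts as no findings
    report = json.loads(text)
    counts = {}
    for result in report.get("Results") or []:
        # Keys may be absent or null when a scanner found nothing.
        n = sum(len(result.get(key) or []) for key in FINDING_KEYS)
        if n:
            target = result.get("Target", "<unknown>")
            counts[target] = counts.get(target, 0) + n
    return counts


def has_findings(report_text):
    """CI gate: True only when at least one finding is reported."""
    return bool(count_findings(report_text))


# Constructed sample reports (not real scan output).
TARGET = {"Target": "package-lock.json", "Class": "lang-pkgs", "Type": "npm"}
EMPTY_REPORT = ""
ZERO_FINDINGS_REPORT = json.dumps({"SchemaVersion": 2, "Results": [TARGET]})
ONE_FINDING_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [{**TARGET, "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0000",  # placeholder ID
         "PkgName": "example-pkg", "Severity": "HIGH"}]}],
})

if __name__ == "__main__":
    for name, text in [("empty", EMPTY_REPORT),
                       ("zero findings", ZERO_FINDINGS_REPORT),
                       ("one finding", ONE_FINDING_REPORT)]:
        print(f"{name}: has_findings={has_findings(text)} {count_findings(text)}")
```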