Unable to ignore OS packages by name

[rungitringit]

Question

Hello,
I'm trying to use trivy to create vulnerability reports on user-owned Ubuntu 22.04 Desktops run in AWS. I need to reduce detections to those the users can act on, so this means old kernel packages should be ignored. The kernel packages are AWS-specific.

I have attempted a variety of formats, including a .trivyignore file containing 3 different package name formats and a CVE:

pkg:deb/ubuntu/[email protected]~22.04.1?arch=all&distro=ubuntu-22.04
linux-aws-6.2-headers-6.2.0-1013
linux-headers-6.2.0-1013-aws
CVE-2023-42752

...however only the CVE listed is correctly skipped. It is not viable for me to know the CVEs to skip in advance, but I can determine package names, even creating the PURL format (in the first line) if needed.

Debug output from trivy only mentions:
DEBUG Found an ignore file file_path="/root/.trivyignore"
and that it is ignoring the CVE. There is no mention of the 3 different package naming formats.

I am running trivy as root against the local OS:

trivy \
  rootfs \
  --format json \
  --output rootfs.json \
  --scanners vuln \
  --severity HIGH,CRITICAL \
  --ignorefile ~/.trivyignore \
  --ignore-unfixed \
  --debug \
  --skip-dirs "$SKIP_DIRS" \
  /

where $SKIP_DIRS is only /volumes/user.

Target

Filesystem

Scanner

Vulnerability

Output Format

JSON

Mode

Standalone

Operating System

Ubuntu 22.04 on AWS

Version

$ trivy --version
Version: 0.67.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2025-09-16 18:30:59.391902472 +0000 UTC
  NextUpdate: 2025-09-17 18:30:59.391902232 +0000 UTC
  DownloadedAt: 2025-10-28 02:24:15.347489884 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2025-10-27 00:57:29.402495495 +0000 UTC
  NextUpdate: 2025-10-30 00:57:29.402495325 +0000 UTC
  DownloadedAt: 2025-10-27 06:14:57.959812322 +0000 UTC


# Note that the databases are downloaded using a pull-through cache, but this shouldn't affect the ignore configuration

[DmitriyLewen]

Hello @rungitringit
Thanks for your interest to Trivy.

ignore file and VEX files require CVE number to filter vulnerability.
But if i remember correctly you can write rego policy to filter vulns by package name - https://trivy.dev/latest/docs/configuration/filtering/#by-rego

Regards, Dmitriy

[rungitringit]

Thank you @DmitriyLewen

I think this will work!

I've spent hours trying to solve this problem, yet it would be common to anyone scanning an OS or VM. Trivy really should include logic or an option to ignore old kernels which are not in use, such as is discussed here: #3764 (comment)

Anyway for reference, here's a copy of my trivy-ignore.rego created from script as of today:

package trivy

ignore_pkgs := {
    "linux-aws-6.2-headers-6.2.0-1013",
    "linux-aws-6.2-headers-6.2.0-1014",
    "linux-aws-6.2-image-6.2.0-1013",
    "linux-aws-6.2-image-6.2.0-1014",
    "linux-aws-6.2-modules-6.2.0-1013",
    "linux-aws-6.2-modules-6.2.0-1014",
    "linux-aws-6.2-modules-extra-6.2.0-1013",
    "linux-aws-6.2-modules-extra-6.2.0-1014",
    "linux-aws-6.8-headers-6.8.0-1039",
    "linux-aws-6.8-image-6.8.0-1021",
    "linux-aws-6.8-image-6.8.0-1024",
    "linux-aws-6.8-image-6.8.0-1027",
    "linux-aws-6.8-image-6.8.0-1028",
    "linux-aws-6.8-image-6.8.0-1029",
    "linux-aws-6.8-image-6.8.0-1030",
    "linux-aws-6.8-image-6.8.0-1031",
    "linux-aws-6.8-image-6.8.0-1032",
    "linux-aws-6.8-image-6.8.0-1033",
    "linux-aws-6.8-image-6.8.0-1035",
    "linux-aws-6.8-image-6.8.0-1036",
    "linux-aws-6.8-image-6.8.0-1039",
    "linux-aws-6.8-modules-6.8.0-1021",
    "linux-aws-6.8-modules-6.8.0-1024",
    "linux-aws-6.8-modules-6.8.0-1027",
    "linux-aws-6.8-modules-6.8.0-1028",
    "linux-aws-6.8-modules-6.8.0-1029",
    "linux-aws-6.8-modules-6.8.0-1030",
    "linux-aws-6.8-modules-6.8.0-1031",
    "linux-aws-6.8-modules-6.8.0-1032",
    "linux-aws-6.8-modules-6.8.0-1033",
    "linux-aws-6.8-modules-6.8.0-1035",
    "linux-aws-6.8-modules-6.8.0-1036",
    "linux-aws-6.8-modules-6.8.0-1039",
    "linux-aws-6.8-modules-extra-6.8.0-1021",
    "linux-aws-6.8-modules-extra-6.8.0-1024",
    "linux-aws-6.8-modules-extra-6.8.0-1027",
    "linux-aws-6.8-modules-extra-6.8.0-1028",
    "linux-aws-6.8-modules-extra-6.8.0-1029",
    "linux-aws-6.8-modules-extra-6.8.0-1030",
    "linux-aws-6.8-modules-extra-6.8.0-1031",
    "linux-aws-6.8-modules-extra-6.8.0-1032",
    "linux-aws-6.8-modules-extra-6.8.0-1033",
    "linux-aws-6.8-modules-extra-6.8.0-1035",
    "linux-aws-6.8-modules-extra-6.8.0-1036",
    "linux-aws-6.8-modules-extra-6.8.0-1039"
}

ignore {
        input.PkgName == ignore_pkgs[_]
}

[rungitringit]

Unfortunately this doesn't seem to work(*). I still have vulnerabilities associated with packages matching those package names (using trivy packaging naming standard).

Could you please give me a hint about where this might be going wrong?

I'm producing JSON output from Trivy then using another project to convert it to HTML (to produce a richer HTML than is available with the Trivy HTML template).

* It might be partly working?! I'm still getting vulns for the linux-headers-6.2.0-1013-aws package and now I'm wondering if I've mucked up renaming the packages in to the format trivy uses...

[rungitringit]

No matter what format I use, I can't get this logic to work. Trivy is picking up vulnerabilities which should be ignored.

[rungitringit]

If I use both package name formats then it seems to work, but that's really ugly.
I'm missing something about the way PkgName is formatted.

[rungitringit]

Thank you for your help @DmitriyLewen

I offered to share the vulnerability section, which is the vast majority of the file. I could share the whole thing if it is required, but should I just attach at zip of the 24 MiB json here?

I am seeing inconsistent results with the filter despite using content copied from a trivy example.
The filter seems to work when there are a small number of packages in it, but as soon as I add all 44 I need it doesn't work.

[rungitringit]

Please find the entire JSON output from a vulnerability scan here

I am new to this rego filter language but I suspect that I am missing something basic.

[rungitringit]

This rego policy works.

Part of the problem is that some packages I need to exclude use the original OS package name, while others are have their package names mangled by Trivy. By using linux-aws here (the last helper rule) I cater for both:

package trivy

import rego.v1

default ignore := false

# Define the active kernel version.
active_kernel_version := "6.8.0-1040"

# Helper rules: Check if the package is a kernel package
is_kernel_pkg if {
	startswith(input.PkgName, "linux-image-")
}

is_kernel_pkg if {
	startswith(input.PkgName, "linux-modules-")
}

is_kernel_pkg if {
	startswith(input.PkgName, "linux-headers-")
}

is_kernel_pkg if {
	startswith(input.PkgName, "linux-tools-")
}

is_kernel_pkg if {
	startswith(input.PkgName, "linux-aws-")
}

# Ignore rule

ignore if {
	# 1. Is it a kernel package?
	is_kernel_pkg

	# 2. Is it NOT the active kernel?
	not contains(input.PkgName, active_kernel_version)
}

[DmitriyLewen]

use the original OS package name, while others are have their package names mangled by Trivy

Could you please explain this in more detail?

Trivy has two fields:
• Package name — this is the name you use when installing a package (for example, via apt).
• Package source — for example, for linux-modules-6.2.0-1018-aws, the source is linux-aws-6.2:
https://launchpad.net/ubuntu/jammy/+package/linux-modules-6.2.0-1018-aws

In the Packages section, we show both fields.
But in the Vulnerabilities section, we show only the package name —
to make it easier for users to find and update the package.

[rungitringit]

The ignore policy I supplied uses the PkgName field only. I did this deliberately as I don't want to have to translate package names in to any other format Trivy uses.

It seems that I'm wrong and some kernel-related AWS packages in Ubuntu start with the string: linux-aws- while most end with a -aws suffix instead. So that probably explains why I needed both formats in the last ignore policy above.