Severity in a trivy config file is ignored for license scan

[erzz]

Description

Starting with version v0.56.0, and given a config file such as below:

format: table
exit-code: 1
severity:
  - HIGH
  - CRITICAL
ignorefile: .trivyignore
scan:
  scanners:
    - license

license:
  full: false
  forbidden:
    - AGPL-1.0
    - AGPL-3.0
    - AGPL-3.0-or-later
# lots more entries
  ignored: []
  notice:
    - AFL-1.1
    - AFL-1.2
# lots more entries
  permissive:
    - BlueOak-1.0.0
    - (MIT AND Zlib)
    - (MIT OR Apache-2.0)
# lots more entries
  reciprocal:
    - APSL-1.0
    - APSL-1.1
    - APSL-1.2
    - APSL-2.0
#lots more entries
  restricted:
    - BCL
    - CC-BY-SA-1.0
    - CC-BY-SA-2.0
    - CC-BY-SA-2.5
# lots more entries
  unencumbered:
    - CC0-1.0
    - ODC-By-1.0
    - Unlicense
# lots more entries

Trivy exits with status code 1 for all severities including medium and low. This was not the case previously.

The workaround is to pass severity as a flag to the input also, but of course most workflows depended on the config file only which we provide centrally.

Desired Behavior

Should only exit 1 for license findings with HIGH or CRITICAL when using the config file

Actual Behavior

exit 1 for all findings regardless of severity unless we additionally provide the CLI flag

Reproduction Steps

Execution of a license scan, with custom configuration including specification of severity criteria for failing

Target

Filesystem

Scanner

License

Output Format

Table

Mode

Standalone

Debug Output

N/A

Operating System

Ubuntu latest runners in github

Version

v0.56.1 (trivy-action v0.26.0)

Checklist

• Run trivy clean --all
• Read the troubleshooting

[knqyf263]

It's not a problem in Trivy, but in trivy-action. We're working to fix this issue.
aquasecurity/trivy-action#405

[erzz]

Awesome! Much appreciated!