Add an --ignore-unfixable flag

[AshkanRafiee]

While we are using Images (ex. Elasticsearch) with Latest Stable Version provided by official repositories, vulnerabilities related to dependencies that are being used by Main package are not-fixable by simply updating them and updating could result in version/dependency desync and incompatibility issues.
It could be very useful to detect or ignore these vulnerabilities or simply check if you are using updated image tag, ignore the vulnerabilities related to main package dependencies.

I really appreciate your work, the best CScanning by far.

[erikgb]

The --ignore-unfixed option is available: https://aquasecurity.github.io/trivy/dev/docs/vulnerability/examples/filter/#hide-unfixed-vulnerabilities. Does this solve your use case?

[AshkanRafiee]

The --ignore-unfixed flag hides vulnerabilities that doesn't have any patch/update to fix corresponding security issue.
This issue refers to something else. For better understanding, consider the following Story:
There is a Main Parent Package (ex. Maven, Elasticsearch, etc.) that is using some dependencies (ex. log4j 1.xx).
You cannot simply fix the problem by upgrading log4j to fixed version because the parent package should release new version and fix that, then you can upgrade Maven that will bump log4j to newer version. otherwise you will face dependency desync, backward compatibility issues, etc.
I was wondering is that possible to add some flag like --ignore-unfixable to avoid reporting child packages that we cannot upgrade due to parent package requirements?!