Unpatched vulnerabilities are still printed with "suppressed"

[jacopolanzonidev]

I've noticed that unpatched vulnerabilities are still printed out with "suppressed".

I am running the action with the following config:

          only-fixed: true
          output-format: table
          severity-cutoff: high

Yet, the output is as follows:

NAME                INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY              
apollo-server-core  3.10.2     3.11.0    npm   GHSA-8r69-3cvp-wxc3  Medium                 
archiver            5.3.0                npm   CVE-2006-1611        Medium (suppressed)    
archiver            5.3.0                npm   CVE-2018-25046       Critical (suppressed)  
archiver            5.3.0                npm   CVE-2019-10743       Medium (suppressed)    
...

I expected

NAME                INSTALLED  FIXED-IN  TYPE  VULNERABILITY        SEVERITY              
apollo-server-core  3.10.2     3.11.0    npm   GHSA-8r69-3cvp-wxc3  Medium                 
...

[AGandhiCraniUS]

Refer to this: Anchore Grype

[kzantow]

This definitely looks like a problem. I think we have a bit of work to do in order to better handle a bunch of different flag combinations, but we'll add this to the backlog.

[kzantow]

Developer Note: there is a --show-suppressed flag that potentially is not wired up properly, for whoever looks at this in the future.