Hi, I'm running ACS 4.9.2 and roxctl 4.9.2
I've noticed differences in behaviour related to .fixableCves when scanning various images with roxctl:
For images with no fixable CVEs, the generated JSON may or may not include "fixableCves": 0
export SCAN_IMAGE="registry.access.redhat.com/ubi10/ubi-minimal:10.1"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify | jq '. | .fixableCves'
null
export SCAN_IMAGE="alpine:3.23"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify | jq '. | .fixableCves'
0
If I look at what fields are present:
export SCAN_IMAGE="registry.access.redhat.com/ubi10/ubi-minimal:10.1"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify | tail -10
}
],
"fetched": "2026-04-23T09:49:58.795410347Z"
},
"components": 97,
"cves": 70,
"lastUpdated": "2026-04-23T09:49:58.846701686Z",
"riskScore": 6.8999996,
"topCvss": 8.1
}
export SCAN_IMAGE="alpine:3.23"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify | tail -10
"components": 16,
"cves": 0,
"fixableCves": 0,
"lastUpdated": "2026-04-23T09:50:17.312875104Z",
"riskScore": 1.3,
"notes": [
"MISSING_SIGNATURE",
"MISSING_SIGNATURE_VERIFICATION_DATA"
]
}
If I try including the --output json flag, it appears the fixableCves key has been dropped?
Using alpine:3.23 there are no CVEs, and so no componentFixedVersion nor fixableCves summary:
export SCAN_IMAGE="alpine:3.23"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify --output json | grep -i fix
Using registry.access.redhat.com/ubi10/ubi-minimal:10.1 there are CVEs, but none are fixable, so componentFixedVersion entries are present, but there is no fixableCves summary:
export SCAN_IMAGE="registry.access.redhat.com/ubi10/ubi-minimal:10.1"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify --output json | grep -i fix
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
"componentFixedVersion": ""
Confirmation of output if fixable CVEs are present in the image (using alpine:3.19):
export SCAN_IMAGE="alpine:3.19"
roxctl image scan -f --retries=3 --retry-delay=3 --endpoint https://localhost:8443 --image $SCAN_IMAGE --insecure-skip-tls-verify --output json | grep -i fix
"componentFixedVersion": "1.36.1-r21"
"componentFixedVersion": "1.36.1-r21"
"componentFixedVersion": "1.36.1-r21"
"componentFixedVersion": "1.36.1-r21"
"componentFixedVersion": "1.2.4_git20230717-r6"
"componentFixedVersion": "1.2.4_git20230717-r6"
"componentFixedVersion": "1.2.4_git20230717-r6"
"componentFixedVersion": "1.2.4_git20230717-r6"
"componentFixedVersion": "1.36.1-r21"
"componentFixedVersion": "1.36.1-r21"
I guess I therefore have three questions:
- Without the --output flag, what is the default output style?
- Without the --output flag, why is fixableCves sometimes not present if there are no fixable CVEs, vs other times it's set as 0?
- Why when using --output json do I no longer get a total number of fixable CVEs included in the JSON (as this is useful for scripts to use in pipeline logging)?
Thanks in advance.
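As an added example (not part of the original post or of roxctl itself): one way to recover a fixable-CVE total for pipeline logging from either output style, honouring a fixableCves summary when one is present and otherwise counting distinct CVEs that carry a non-empty componentFixedVersion. The nesting path result.vulnerabilities and the cveId/componentName keys in the constructed sample are assumptions; the only key taken from the post is componentFixedVersion, so the walker searches the whole document rather than a fixed path.

```python
"""Derive a fixable-CVE total from roxctl image scan JSON.
Usage in a pipeline (roxctl flags as in the post):
  roxctl image scan ... --output json | python3 count_fixable.py
"""
import json
import sys
from typing import Any

def fixable_cve_count(doc: Any) -> int:
    """Return the number of fixable CVEs in a roxctl scan document.
    - If a top-level integer "fixableCves" exists (0 or more), trust it.
    - Otherwise (key absent or null, e.g. the --output json layout), walk
      every object, keep entries whose "componentFixedVersion" is non-empty,
      and count distinct CVE ids. Several components fixed for the same CVE
      count once; an entry without a cve id is keyed by (component, fix)."""
    if isinstance(doc, dict) and isinstance(doc.get("fixableCves"), int):
        return doc["fixableCves"]
    fixable: set = set()
    stack = [doc]
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            fixed = node.get("componentFixedVersion")
            if isinstance(fixed, str) and fixed:
                # "cveId" is an assumed key name; fall back to a component key.
                fixable.add(node.get("cveId") or (node.get("componentName"), fixed))
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return len(fixable)

# Constructed samples mirroring the cases in the post (not real scan output).
LEGACY_NO_SUMMARY = {"components": 97, "cves": 70, "topCvss": 8.1}   # summary key absent
LEGACY_ZERO = {"components": 16, "cves": 0, "fixableCves": 0}        # summary key present as 0
JSON_OUTPUT = {"result": {"vulnerabilities": [                        # --output json style
    {"cveId": "CVE-0000-0001", "componentName": "pkg-a", "componentFixedVersion": "1.36.1-r21"},
    {"cveId": "CVE-0000-0001", "componentName": "pkg-a-bin", "componentFixedVersion": "1.36.1-r21"},
    {"cveId": "CVE-0000-0002", "componentName": "pkg-a", "componentFixedVersion": "1.36.1-r21"},
    {"cveId": "CVE-0000-0003", "componentName": "pkg-b", "componentFixedVersion": "1.2.4_git20230717-r6"},
    {"cveId": "CVE-0000-0004", "componentName": "pkg-c", "componentFixedVersion": ""},  # not fixable
]}}

if __name__ == "__main__":
    # Read a scan document from stdin and print the total for pipeline logs.
    print(fixable_cve_count(json.load(sys.stdin)))
```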