Skip to content

Commit

Permalink
feat(vuln): ignore vulnerabilities by PURL (aquasecurity#6178)
Browse files Browse the repository at this point in the history
Signed-off-by: knqyf263 <knqyf263@gmail.com>
  • Loading branch information
knqyf263 authored Feb 22, 2024
1 parent ce81c05 commit cd3e4bc
Show file tree
Hide file tree
Showing 5 changed files with 145 additions and 68 deletions.
15 changes: 9 additions & 6 deletions docs/docs/configuration/filtering.md
Original file line number Diff line number Diff line change
Expand Up @@ -335,12 +335,13 @@ For the `.trivyignore.yaml` file, you can set ignored IDs separately for `vulner
Available fields:
| Field | Required | Type | Description |
|------------|:--------:|---------------------|------------------------------------------------------------------------------------------------------------|
| id || string | The identifier of the vulnerability, misconfiguration, secret, or license[^1]. |
| paths[^2] | | string array | The list of file paths to be ignored. If `paths` is not set, the ignore finding is applied to all files. |
| expired_at | | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
| statement | | string | The reason for ignoring the finding. (This field is not used for filtering.) |
| Field | Required | Type | Description |
|------------|:--------:|---------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| id || string | The identifier of the vulnerability, misconfiguration, secret, or license[^1]. |
| paths[^2] | | string array | The list of file paths to ignore. If `paths` is not set, the ignore finding is applied to all files. |
| purls | | string array | The list of PURLs to ignore packages. If `purls` is not set, the ignore finding is applied to all packages. This field is currently available only for vulnerabilities. |
| expired_at | | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
| statement | | string | The reason for ignoring the finding. (This field is not used for filtering.) |
```bash
$ cat .trivyignore.yaml
Expand All @@ -352,6 +353,8 @@ vulnerabilities:
- id: CVE-2023-2650
- id: CVE-2023-3446
- id: CVE-2023-3817
purls:
- "pkg:deb/debian/libssl1.1"
- id: CVE-2023-29491
expired_at: 2023-09-01
Expand Down
8 changes: 4 additions & 4 deletions pkg/result/filter.go
Original file line number Diff line number Diff line change
Expand Up @@ -113,7 +113,7 @@ func filterVulnerabilities(result *types.Result, severities []string, ignoreStat
}

// Filter by ignore file
if f := ignoreConfig.MatchVulnerability(vuln.VulnerabilityID, result.Target, vuln.PkgPath); f != nil {
if f := ignoreConfig.MatchVulnerability(vuln.VulnerabilityID, result.Target, vuln.PkgPath, vuln.PkgIdentifier.PURL); f != nil {
result.ModifiedFindings = append(result.ModifiedFindings,
types.NewModifiedFinding(vuln, types.FindingStatusIgnored, f.Statement, ignoreConfig.FilePath))
continue
Expand Down Expand Up @@ -188,9 +188,9 @@ func filterSecrets(result *types.Result, severities []string, ignoreConfig Ignor

func filterLicenses(result *types.Result, severities, ignoreLicenseNames []string, ignoreConfig IgnoreConfig) {
// Merge ignore license names into ignored findings
var ignoreLicenses IgnoreFindings
var ignoreLicenses IgnoreConfig
for _, licenseName := range ignoreLicenseNames {
ignoreLicenses = append(ignoreLicenses, IgnoreFinding{
ignoreLicenses.Licenses = append(ignoreLicenses.Licenses, IgnoreFinding{
ID: licenseName,
})
}
Expand All @@ -203,7 +203,7 @@ func filterLicenses(result *types.Result, severities, ignoreLicenseNames []strin
}

// Filter by `--ignored-licenses`
if f := ignoreLicenses.Match(l.Name, l.FilePath); f != nil {
if f := ignoreLicenses.MatchLicense(l.Name, l.FilePath); f != nil {
result.ModifiedFindings = append(result.ModifiedFindings,
types.NewModifiedFinding(l, types.FindingStatusIgnored, "", "--ignored-licenses"))
continue
Expand Down
92 changes: 59 additions & 33 deletions pkg/result/filter_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -84,6 +84,31 @@ func TestFilter(t *testing.T) {
PkgName: "foo",
InstalledVersion: "1.2.3",
FixedVersion: "1.2.4",
PkgIdentifier: ftypes.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/aquasecurity",
Name: "foo",
Version: "1.2.3",
},
},
Vulnerability: dbTypes.Vulnerability{
Severity: dbTypes.SeverityLow.String(),
},
}
vuln7 = types.DetectedVulnerability{
VulnerabilityID: "CVE-2019-0007",
PkgName: "bar",
InstalledVersion: "2.3.4",
FixedVersion: "2.3.5",
PkgIdentifier: ftypes.PkgIdentifier{
PURL: &packageurl.PackageURL{
Type: packageurl.TypeGolang,
Namespace: "github.com/aquasecurity",
Name: "bar",
Version: "2.3.4",
},
},
Vulnerability: dbTypes.Vulnerability{
Severity: dbTypes.SeverityLow.String(),
},
Expand Down Expand Up @@ -117,7 +142,7 @@ func TestFilter(t *testing.T) {
}
secret1 = types.DetectedSecret{
RuleID: "generic-wanted-rule",
Severity: dbTypes.SeverityLow.String(),
Severity: dbTypes.SeverityHigh.String(),
Title: "Secret that should pass filter on rule id",
StartLine: 1,
EndLine: 2,
Expand Down Expand Up @@ -174,30 +199,16 @@ func TestFilter(t *testing.T) {
Results: []types.Result{
{
Vulnerabilities: []types.DetectedVulnerability{
vuln1,
vuln1, // filtered
vuln2,
},
Misconfigurations: []types.DetectedMisconfiguration{
misconf1,
misconf2,
misconf2, // filtered
},
Secrets: []types.DetectedSecret{
{
RuleID: "generic-critical-rule",
Severity: dbTypes.SeverityCritical.String(),
Title: "Critical Secret should pass filter",
StartLine: 1,
EndLine: 2,
Match: "*****",
},
{
RuleID: "generic-low-rule",
Severity: dbTypes.SeverityLow.String(),
Title: "Low Secret should be ignored",
StartLine: 3,
EndLine: 4,
Match: "*****",
},
secret1,
secret2, // filtered
},
},
},
Expand All @@ -222,14 +233,7 @@ func TestFilter(t *testing.T) {
misconf1,
},
Secrets: []types.DetectedSecret{
{
RuleID: "generic-critical-rule",
Severity: dbTypes.SeverityCritical.String(),
Title: "Critical Secret should pass filter",
StartLine: 1,
EndLine: 2,
Match: "*****",
},
secret1,
},
},
},
Expand Down Expand Up @@ -325,7 +329,7 @@ func TestFilter(t *testing.T) {
Target: "deployment.yaml",
Class: types.ClassConfig,
Misconfigurations: []types.DetectedMisconfiguration{
misconf1, // filtered by severity
misconf1,
misconf2,
misconf3,
},
Expand All @@ -339,7 +343,10 @@ func TestFilter(t *testing.T) {
},
},
},
severities: []dbTypes.Severity{dbTypes.SeverityLow},
severities: []dbTypes.Severity{
dbTypes.SeverityLow,
dbTypes.SeverityHigh,
},
ignoreFile: "testdata/.trivyignore",
},
want: types.Report{
Expand Down Expand Up @@ -377,9 +384,12 @@ func TestFilter(t *testing.T) {
Class: types.ClassConfig,
MisconfSummary: &types.MisconfSummary{
Successes: 1,
Failures: 0,
Failures: 1,
Exceptions: 1,
},
Misconfigurations: []types.DetectedMisconfiguration{
misconf1,
},
ModifiedFindings: []types.ModifiedFinding{
{
Type: types.FindingTypeMisconfiguration,
Expand Down Expand Up @@ -420,12 +430,13 @@ func TestFilter(t *testing.T) {
vuln4,
vuln5, // ignored
vuln6,
vuln7, // filtered by PURL
},
},
{
Target: "app/Dockerfile",
Misconfigurations: []types.DetectedMisconfiguration{
misconf1, // filtered by severity
misconf1, // ignored
misconf2, // ignored
misconf3,
},
Expand All @@ -448,7 +459,10 @@ func TestFilter(t *testing.T) {
},
},
ignoreFile: "testdata/.trivyignore.yaml",
severities: []dbTypes.Severity{dbTypes.SeverityLow},
severities: []dbTypes.Severity{
dbTypes.SeverityLow,
dbTypes.SeverityHigh,
},
},
want: types.Report{
Results: types.Results{
Expand Down Expand Up @@ -477,19 +491,31 @@ func TestFilter(t *testing.T) {
Source: "testdata/.trivyignore.yaml",
Finding: vuln5,
},
{
Type: types.FindingTypeVulnerability,
Status: types.FindingStatusIgnored,
Source: "testdata/.trivyignore.yaml",
Finding: vuln7,
},
},
},
{
Target: "app/Dockerfile",
MisconfSummary: &types.MisconfSummary{
Successes: 0,
Failures: 1,
Exceptions: 1,
Exceptions: 2,
},
Misconfigurations: []types.DetectedMisconfiguration{
misconf3,
},
ModifiedFindings: []types.ModifiedFinding{
{
Type: types.FindingTypeMisconfiguration,
Status: types.FindingStatusIgnored,
Source: "testdata/.trivyignore.yaml",
Finding: misconf1,
},
{
Type: types.FindingTypeMisconfiguration,
Status: types.FindingStatusIgnored,
Expand Down
Loading

0 comments on commit cd3e4bc

Please sign in to comment.