feat(trivy): Bump to support v0.56.1 #387

Merged
merged 6 commits into from
Oct 7, 2024

Conversation

simar7
Member

@simar7 simar7 commented Sep 17, 2024

No description provided.

@simar7 simar7 requested a review from nikpivkin September 17, 2024 22:45
@simar7 simar7 changed the title feat(trivy): Bump to support v0.55.1 feat(trivy): Bump to support v0.55.2 Sep 17, 2024
@simar7 simar7 force-pushed the upgrade-v0.55.1 branch 2 times, most recently from 66e9e1a to 8327bc0 Compare September 17, 2024 22:54
@simar7
Member Author

simar7 commented Sep 17, 2024

@nikpivkin any idea why the tests are red in the CI? Locally I don't see any failures.

 BATS_LIB_PATH=/opt/homebrew/lib TRIVY_DISABLE_VEX_NOTICE=true bats -r -T .
./test/test.bats
 ✓ trivy repo with securityCheck secret only [1000]
 ✓ trivy image [1000]
 ✓ trivy config sarif report [1000]
 ✓ trivy config [1000]
 ✓ trivy rootfs [1000]
 ✓ trivy fs [1000]
 ✓ trivy image with trivyIgnores option [1000]
 ✓ trivy image with sbom output [1000]
 ✓ trivy image with trivy.yaml config [1000]
 ✓ trivy image with custom docker-host [1000]
 ✓ trivy config with terraform variables [1000]

11 tests, 0 failures in 12 seconds

@nikpivkin
Contributor

@simar7 The tests use the trivy-checks bundle snapshot stored in this repository, but running the tests locally uses checks from the Trivy cache, so the test result is different. I will open a separate PR with an update to the Makefile to make the local test run consistent with CI.

This is the difference in local run on the main branch:

✗ trivy config sarif report [607]
   (from function `assert_files_equal' in file /opt/homebrew/lib/bats-file/src/file.bash, line 266,
    from function `compare_files' in file ./test/test.bats, line 54,
    in test file ./test/test.bats, line 72)
     `compare_files config-sarif.sarif ./test/data/config-sarif-report/report.sarif' failed
   Building SARIF report with options:  ./test/data/config-sarif-report/main.tf
   3c3
   <   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
   ---
   >   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   3c3
   <   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
   ---
   >   "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
   
   -- files are not the same --
   path : config-sarif.sarif
   path : ./test/data/config-sarif-report/report.sarif
   --

@simar7 simar7 force-pushed the upgrade-v0.55.1 branch 2 times, most recently from cd2dfcc to 65f8c7e Compare October 2, 2024 23:49
@simar7 simar7 changed the title feat(trivy): Bump to support v0.55.2 feat(trivy): Bump to support v0.56.0 Oct 2, 2024
@simar7 simar7 marked this pull request as draft October 2, 2024 23:51
@simar7 simar7 closed this Oct 2, 2024
@simar7 simar7 reopened this Oct 2, 2024
@simar7
Member Author

simar7 commented Oct 2, 2024

@nikpivkin I've updated the PR to Trivy v0.56.0, when it is released we can merge this one in.

@simar7 simar7 marked this pull request as ready for review October 3, 2024 18:14
@simar7
Member Author

simar7 commented Oct 3, 2024

@nikpivkin could you take another look?

Comment on lines -12 to -17
{
"id": "AVD-AWS-0086",
"name": "Misconfiguration",
"shortDescription": {
"text": "S3 Access block should block public ACL"
},
Member Author


does this make sense to you @nikpivkin? I understand that the Go rule was deprecated but should the Rego rule in its place still pick this up?
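Both comparison failures in this thread (the SARIF $schema URL drift and the AVD-AWS-0086 rule dropping out of the expected report) show up as byte-level diff mismatches. As an added example, not code from trivy-action or its test suite, here is a semantic SARIF comparison over constructed sample reports that separates a schema-URL change from rules or results that actually differ; AVD-EXAMPLE-0001 is a constructed placeholder id.

```python
import json

# Constructed sample SARIF documents (not the real reports from the trivy-action
# test data). They differ in the "$schema" URL and in the AVD-AWS-0086 rule,
# which only the "expected" report contains. AVD-EXAMPLE-0001 is a placeholder id.
EXPECTED = json.dumps({
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "AVD-AWS-0086", "name": "Misconfiguration"},
            {"id": "AVD-EXAMPLE-0001", "name": "Misconfiguration"}]}},
        "results": [{"ruleId": "AVD-AWS-0086", "level": "error"},
                    {"ruleId": "AVD-EXAMPLE-0001", "level": "error"}]}]})
ACTUAL = json.dumps({
    "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "Trivy", "rules": [
            {"id": "AVD-EXAMPLE-0001", "name": "Misconfiguration"}]}},
        "results": [{"ruleId": "AVD-EXAMPLE-0001", "level": "error"}]}]})


def rule_ids(report: dict) -> set:
    """Rule ids declared by the tool driver across all runs."""
    return {rule["id"] for run in report.get("runs", [])
            for rule in run.get("tool", {}).get("driver", {}).get("rules", [])}


def result_keys(report: dict) -> set:
    """(ruleId, level) pairs for every result across all runs."""
    return {(res.get("ruleId"), res.get("level"))
            for run in report.get("runs", []) for res in run.get("results", [])}


def compare_sarif(expected_text: str, actual_text: str) -> dict:
    """Semantic comparison of two SARIF documents.

    Separates a drift in the $schema URL from rules or results that exist in
    one report but not the other, instead of reporting a raw line diff.
    """
    exp, act = json.loads(expected_text), json.loads(actual_text)
    return {
        "schema_changed": exp.get("$schema") != act.get("$schema"),
        "rules_missing": sorted(rule_ids(exp) - rule_ids(act)),
        "rules_added": sorted(rule_ids(act) - rule_ids(exp)),
        "results_missing": sorted(result_keys(exp) - result_keys(act)),
        "results_added": sorted(result_keys(act) - result_keys(exp)),
    }


if __name__ == "__main__":
    print(json.dumps(compare_sarif(EXPECTED, ACTUAL), indent=2))
```

On the constructed input the output flags the schema change and lists AVD-AWS-0086 as the only missing rule and result, which is the distinction a reviewer needs when deciding whether a snapshot should be regenerated.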

@simar7 simar7 changed the title feat(trivy): Bump to support v0.56.0 feat(trivy): Bump to support v0.56.1 Oct 3, 2024
@nikpivkin
Contributor

nikpivkin commented Oct 4, 2024

@simar7 We need to update the checks bundle since Trivy now uses version 1. Can you run this workflow? I don't have permission to do that. But before that, we need to update this workflow to pull the first version. I'll open the PR.

@nikpivkin
Contributor

@simar7 #398

@simar7
Member Author

simar7 commented Oct 4, 2024

@simar7 #398

I already did 066a168 and ran that locally to generate the bats test outputs. Does it look the same for you?

@nikpivkin
Contributor

The tests use the checks bundle from here and it is not updated

@eliflores

Refs #400

@simar7 simar7 merged commit f781cce into master Oct 7, 2024
3 checks passed
@simar7 simar7 deleted the upgrade-v0.55.1 branch October 7, 2024 20:14
knqyf263 pushed a commit to knqyf263/trivy-action that referenced this pull request Oct 8, 2024
* feat(trivy): Bump to support v0.55.2

* fix tests

* update github workflow

* upgrade to v0.56.0

* bump to trivy v0.56.1

* update tests