Skip to content

Commit

Permalink
feat: add support for .trivyignore.yaml (#5070)
Browse files Browse the repository at this point in the history
* feat: add support for .trivyignore.yaml

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* add test for trivyignore.yaml

* Add doublestar support

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* go mod tidy

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* update docs

* test: fix

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix: load .trivyignore once

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* feat: add a debug log

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* docs: add a table for fields

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* fix: skip empty results

Signed-off-by: knqyf263 <knqyf263@gmail.com>

* revert the change

Signed-off-by: knqyf263 <knqyf263@gmail.com>

---------

Signed-off-by: knqyf263 <knqyf263@gmail.com>
Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
  • Loading branch information
knqyf263 and DmitriyLewen authored Aug 31, 2023
1 parent 4547e27 commit 9628b1c
Show file tree
Hide file tree
Showing 12 changed files with 1,124 additions and 728 deletions.
93 changes: 92 additions & 1 deletion docs/docs/configuration/filtering.md
Original file line number Diff line number Diff line change
Expand Up @@ -204,14 +204,17 @@ See https://avd.aquasec.com/misconfig/avd-aws-0081
## By Finding IDs
Trivy supports the [.trivyignore](#trivyignore) and [.trivyignore.yaml](#trivyignoreyaml) ignore files.
### .trivyignore
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability ||
| Misconfiguration ||
| Secret ||
| License | |
Use `.trivyignore`.
```bash
$ cat .trivyignore
Expand Down Expand Up @@ -251,6 +254,92 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
</details>
### .trivyignore.yaml
| Scanner | Supported |
|:----------------:|:---------:|
| Vulnerability ||
| Misconfiguration ||
| Secret ||
| License ||
!!! warning "EXPERIMENTAL"
This feature might change without preserving backwards compatibility.
When the extension of the specified ignore file is either `.yml` or `.yaml`, Trivy will load the file as YAML.
For the `.trivyignore.yaml` file, you can set ignored IDs separately for `vulnerabilities`, `misconfigurations`, `secrets`, or `licenses`[^1].
Available fields:
| Field | Required | Type | Description |
|------------|:--------:|---------------------|------------------------------------------------------------------------------------------------------------|
| id || string | The identifier of the vulnerability, misconfiguration, secret, or license[^1]. |
| paths | | string array | The list of file paths to be ignored. If `paths` is not set, the ignore finding is applied to all files. |
| expired_at | | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
| statement | | string | The reason for ignoring the finding. (This field is not used for filtering.) |
```bash
$ cat .trivyignore.yaml
vulnerabilities:
- id: CVE-2022-40897
paths:
- "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
statement: Accept the risk
- id: CVE-2023-2650
- id: CVE-2023-3446
- id: CVE-2023-3817
- id: CVE-2023-29491
expired_at: 2023-09-01
misconfigurations:
- id: AVD-DS-0001
- id: AVD-DS-0002
paths:
- "docs/Dockerfile"
statement: The image needs root privileges
secrets:
- id: aws-access-key-id
- id: aws-secret-access-key
paths:
- "foo/bar/aws.secret"
licenses:
- id: GPL-3.0 # License name is used as ID
paths:
- "usr/share/gcc/python/libstdcxx/v6/__init__.py"
```
Since this feature is experimental, you must explicitly specify the YAML file path using the `--ignorefile` flag.
Once this functionality is stable, the YAML file will be loaded automatically.
```bash
$ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
```
<details>
<summary>Result</summary>
```bash
2023-08-31T11:10:27.155+0600 INFO Vulnerability scanning is enabled
2023-08-31T11:10:27.155+0600 INFO Secret scanning is enabled
2023-08-31T11:10:27.155+0600 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-31T11:10:27.155+0600 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
2023-08-31T11:10:29.164+0600 INFO Detected OS: alpine
2023-08-31T11:10:29.164+0600 INFO Detecting Alpine vulnerabilities...
2023-08-31T11:10:29.169+0600 INFO Number of language-specific files: 1
2023-08-31T11:10:29.170+0600 INFO Detecting python-pkg vulnerabilities...
python:3.9.16-alpine3.16 (alpine 3.16.5)
========================================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
```
</details>
## By Vulnerability Target
| Scanner | Supported |
|:----------------:|:---------:|
Expand Down Expand Up @@ -425,3 +514,5 @@ resource "google_container_cluster" "one_off_test" {
location = var.region
}
```
[^1]: license name is used as id for `.trivyignore.yaml` files
3 changes: 1 addition & 2 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -31,7 +31,7 @@ require (
github.com/aws/aws-sdk-go-v2/config v1.18.25
github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
github.com/aws/aws-sdk-go-v2/service/sts v1.21.0
github.com/bmatcuk/doublestar v1.3.4
github.com/bmatcuk/doublestar/v4 v4.6.0
github.com/cenkalti/backoff v2.2.1+incompatible
github.com/cheggaaa/pb/v3 v3.1.2
github.com/containerd/containerd v1.7.3
Expand Down Expand Up @@ -196,7 +196,6 @@ require (
github.com/aws/smithy-go v1.14.0 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
github.com/briandowns/spinner v1.23.0 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
Expand Down
2 changes: 0 additions & 2 deletions go.sum
Original file line number Diff line number Diff line change
Expand Up @@ -521,8 +521,6 @@ github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngE
github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
github.com/bmatcuk/doublestar/v4 v4.6.0 h1:HTuxyug8GyFbRkrffIpzNCSK4luc0TY3wzXvzIZhEXc=
github.com/bmatcuk/doublestar/v4 v4.6.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=
Expand Down
2 changes: 1 addition & 1 deletion pkg/cloud/report/report.go
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ func Write(rep *Report, opt flag.Options, fromCache bool) error {
for _, resultsAtTime := range rep.Results {
for _, res := range resultsAtTime.Results {
resCopy := res
if err := result.FilterResult(ctx, &resCopy, result.FilterOption{
if err := result.FilterResult(ctx, &resCopy, result.IgnoreConfig{}, result.FilterOption{
Severities: opt.Severities,
IncludeNonFailures: opt.IncludeNonFailures,
}); err != nil {
Expand Down
4 changes: 1 addition & 3 deletions pkg/commands/artifact/run.go
Original file line number Diff line number Diff line change
Expand Up @@ -273,11 +273,9 @@ func (r *runner) scanArtifact(ctx context.Context, opts flag.Options, initialize

func (r *runner) Filter(ctx context.Context, opts flag.Options, report types.Report) (types.Report, error) {
// Filter results
err := result.Filter(ctx, report, opts.FilterOpts())
if err != nil {
if err := result.Filter(ctx, report, opts.FilterOpts()); err != nil {
return types.Report{}, xerrors.Errorf("filtering error: %w", err)
}

return report, nil
}

Expand Down
8 changes: 6 additions & 2 deletions pkg/fanal/walker/walk.go
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ import (
"path/filepath"
"strings"

"github.com/bmatcuk/doublestar"
"github.com/bmatcuk/doublestar/v4"

"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
"github.com/aquasecurity/trivy/pkg/fanal/utils"
Expand All @@ -15,7 +15,11 @@ import (
var (
// These variables are exported so that a tool importing Trivy as a library can override these values.
AppDirs = []string{".git"}
SystemDirs = []string{"proc", "sys", "dev"}
SystemDirs = []string{
"proc",
"sys",
"dev",
}
)

const (
Expand Down
7 changes: 7 additions & 0 deletions pkg/log/logger.go
Original file line number Diff line number Diff line change
Expand Up @@ -114,3 +114,10 @@ func Fatal(err error) {
}
Logger.Fatal(err)
}

func String(key, val string) zap.Field {
if key == "" || val == "" {
return zap.Skip()
}
return zap.String(key, val)
}
Loading

0 comments on commit 9628b1c

Please sign in to comment.