
Feat: Support Trivy status filtering (eraser-dev#844)
Signed-off-by: Fabian Gonzalez <fabiangonz98@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>
2 people authored and ashnamehrotra committed Jan 25, 2024
1 parent 92504f4 commit 7c6c22c
Showing 10 changed files with 47 additions and 18 deletions.
1 change: 1 addition & 0 deletions api/unversioned/config/config.go
Expand Up @@ -27,6 +27,7 @@ severities:
- HIGH
- MEDIUM
- LOW
ignoredStatuses:
`

type Manager struct {
1 change: 1 addition & 0 deletions config/manager/controller_manager_config.yaml
Expand Up @@ -69,6 +69,7 @@ components:
- HIGH
- MEDIUM
- LOW
ignoredStatuses:
timeout:
total: 23h
perImage: 1h
3 changes: 2 additions & 1 deletion docs/docs/customization.md
Expand Up @@ -178,10 +178,11 @@ vulnerabilities:
types: # a list of vulnerability types. for more info, see trivy's documentation.
- os
- library
securityChecks: # see trivy's documentation for more invormation
securityChecks: # see trivy's documentation for more information
- vuln
severities: # in this case, only flag images with CRITICAL vulnerability for removal
- CRITICAL
ignoredStatuses: # a list of trivy statuses to ignore. See https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/#by-status.
timeout:
total: 23h # if scanning isn't completed before this much time elapses, abort the whole scan
perImage: 1h # if scanning a single image exceeds this time, scanning will be aborted
2 changes: 1 addition & 1 deletion docs/docs/trivy.md
Expand Up @@ -3,4 +3,4 @@ title: Trivy
---

## Trivy Provider Options
The trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
The Trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
1 change: 1 addition & 0 deletions manifest_staging/charts/eraser/values.yaml
Expand Up @@ -72,6 +72,7 @@ runtimeConfig:
# - HIGH
# - MEDIUM
# - LOW
# ignoredStatuses:
# timeout:
# total: 23h
# perImage: 1h
1 change: 1 addition & 0 deletions manifest_staging/deploy/eraser.yaml
Expand Up @@ -453,6 +453,7 @@ data:
- HIGH
- MEDIUM
- LOW
ignoredStatuses:
timeout:
total: 23h
perImage: 1h
8 changes: 8 additions & 0 deletions pkg/scanners/trivy/trivy.go
Expand Up @@ -36,6 +36,14 @@ const (
securityCheckVuln = "vuln"
securityCheckConfig = "config"
securityCheckSecret = "secret"

statusUnknown = "unknown"
statusAffected = "affected"
statusFixed = "fixed"
statusUnderInvestigation = "under_investigation"
statusWillNotFix = "will_not_fix"
statusFixDeferred = "fix_deferred"
statusEndOfLife = "end_of_life"
)

var (
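Review bot: The seven status constants added in this hunk are not referenced by any non-test code visible in the commit — only types_test.go uses them — so nothing in the scanner stops an operator from configuring an `ignoredStatuses` value Trivy does not recognise. Since the names mirror Trivy's vulnerability status values, a doc comment above the group should say where they come from and that they must track the pinned Trivy version, e.g. `// Vulnerability statuses accepted by Trivy's --ignore-status flag (see Trivy's filtering docs); keep in sync when the Trivy version is bumped.` The same group is the natural home for a known-status set that config loading validates against, so a typo fails at startup instead of at scan time. The enclosing const block starts before this hunk.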
20 changes: 14 additions & 6 deletions pkg/scanners/trivy/types.go
Expand Up @@ -30,6 +30,7 @@ const (
trivySecurityChecksFlag = "--scanners"
trivySeveritiesFlag = "--severity"
trivyRuntimeFlag = "--image-src"
trivyIgnoreStatusFlag = "--ignore-status"
)

type (
Expand All @@ -44,10 +45,11 @@ type (
}

VulnConfig struct {
IgnoreUnfixed bool `json:"ignoreUnfixed,omitempty"`
Types []string `json:"types,omitempty"`
SecurityChecks []string `json:"securityChecks,omitempty"`
Severities []string `json:"severities,omitempty"`
IgnoreUnfixed bool `json:"ignoreUnfixed,omitempty"`
Types []string `json:"types,omitempty"`
SecurityChecks []string `json:"securityChecks,omitempty"`
Severities []string `json:"severities,omitempty"`
IgnoredStatuses []string `json:"ignoredStatuses,omitempty"`
}

TimeoutConfig struct {
Expand Down Expand Up @@ -75,8 +77,9 @@ func DefaultConfig() *Config {
vulnTypeOs,
vulnTypeLibrary,
},
SecurityChecks: []string{securityCheckVuln},
Severities: []string{severityCritical, severityHigh, severityMedium, severityLow},
SecurityChecks: []string{securityCheckVuln},
Severities: []string{severityCritical, severityHigh, severityMedium, severityLow},
IgnoredStatuses: []string{},
},
Timeout: TimeoutConfig{
Total: unversioned.Duration(time.Hour * 23),
Expand Down Expand Up @@ -130,6 +133,11 @@ func (c *Config) cliArgs(ref string) []string {
args = append(args, trivySeveritiesFlag, allSeverities)
}

if len(c.Vulnerabilities.IgnoredStatuses) > 0 {
allIgnoredStatuses := strings.Join(c.Vulnerabilities.IgnoredStatuses, ",")
args = append(args, trivyIgnoreStatusFlag, allIgnoredStatuses)
}

args = append(args, ref)

return args
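Review bot: In cliArgs the `IgnoredStatuses` entries are joined with "," and handed to Trivy's `--ignore-status` with no validation, so a typo such as `will-not-fix` is not caught here and — if Trivy rejects unknown statuses, which I believe it does but have not confirmed — surfaces as a scan failure rather than a configuration error, while a valid but broad list such as `affected` or `unknown` silently suppresses exactly the findings that decide whether Eraser removes an image. Because cliArgs returns only `[]string`, the check belongs where Config is decoded (not in this hunk); the helper below uses the status constants declared in trivy.go, which is in the same package, and rejecting anything outside that set also rules out entries containing "," that would alter the joined flag. The `IgnoredStatuses` field also deserves a comment on how it interacts with `IgnoreUnfixed`, since Trivy's filtering docs describe `--ignore-unfixed` as itself a shorthand for ignoring a fixed set of statuses, so the two may overlap — worth confirming against the pinned Trivy version. Separately, DefaultConfig's `IgnoredStatuses: []string{}` can be dropped: with `omitempty` a nil slice serialises identically and cliArgs already gates on `len`.
```go
// validateIgnoredStatuses rejects entries that Trivy's --ignore-status does not accept.
// cliArgs joins the entries with ",", so only exact known names are allowed; anything
// else (typos, separators, blanks) is reported up front instead of failing the scan.
func validateIgnoredStatuses(statuses []string) error {
	known := map[string]struct{}{
		statusUnknown: {}, statusAffected: {}, statusFixed: {}, statusUnderInvestigation: {},
		statusWillNotFix: {}, statusFixDeferred: {}, statusEndOfLife: {},
	}
	for _, s := range statuses {
		if _, ok := known[s]; !ok {
			return fmt.Errorf("unknown trivy status %q in vulnerabilities.ignoredStatuses", s)
		}
	}
	return nil
}
// … call site: wherever Config is decoded from the YAML, before cliArgs is used …
```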
27 changes: 17 additions & 10 deletions pkg/scanners/trivy/types_test.go
Expand Up @@ -73,6 +73,11 @@ func TestCLIArgs(t *testing.T) {
config: Config{Vulnerabilities: VulnConfig{Severities: []string{"LOW", "MEDIUM"}}},
expected: []string{"--format=json", "image", "--image-src", "containerd", "--severity", "LOW,MEDIUM", ref},
},
{
desc: "specify statuses to ignore",
config: Config{Vulnerabilities: VulnConfig{IgnoredStatuses: []string{statusUnknown, statusFixed, statusWillNotFix}}},
expected: []string{"--format=json", "image", "--image-src", "containerd", "--ignore-status", "unknown,fixed,will_not_fix", ref},
},
{
desc: "total timeout has no effect",
config: Config{Timeout: TimeoutConfig{Total: testDuration}},
Expand All @@ -95,15 +100,16 @@ func TestCLIArgs(t *testing.T) {
Runtime: "crio",
DBRepo: "example.test/db/repo",
Vulnerabilities: VulnConfig{
IgnoreUnfixed: true,
Types: []string{"library", "os"},
SecurityChecks: []string{"license", "vuln"},
Severities: []string{"LOW", "MEDIUM"},
IgnoreUnfixed: true,
Types: []string{"library", "os"},
SecurityChecks: []string{"license", "vuln"},
Severities: []string{"LOW", "MEDIUM"},
IgnoredStatuses: []string{statusUnknown, statusFixed},
},
},
expected: []string{
"--format=json", "image", "--image-src", "crio", "--db-repository", "example.test/db/repo", "--ignore-unfixed",
"--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", ref,
"--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", "--ignore-status", "unknown,fixed", ref,
},
},
{
Expand All @@ -114,16 +120,17 @@ func TestCLIArgs(t *testing.T) {
Runtime: "crio",
DBRepo: "example.test/db/repo",
Vulnerabilities: VulnConfig{
IgnoreUnfixed: true,
Types: []string{"os"},
SecurityChecks: []string{"license", "vuln"},
Severities: []string{"CRITICAL"},
IgnoreUnfixed: true,
Types: []string{"os"},
SecurityChecks: []string{"license", "vuln"},
Severities: []string{"CRITICAL"},
IgnoredStatuses: []string{statusUnknown, statusFixed},
},
},
expected: []string{
"--format=json", "--cache-dir", "/var/lib/trivy", "--timeout", "1m40s", "image", "--image-src", "crio",
"--db-repository", "example.test/db/repo", "--ignore-unfixed", "--vuln-type", "os", "--scanners",
"license,vuln", "--severity", "CRITICAL", ref,
"license,vuln", "--severity", "CRITICAL", "--ignore-status", "unknown,fixed", ref,
},
},
}
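Review bot: The new "specify statuses to ignore" case covers only a populated list; DefaultConfig now initialises `IgnoredStatuses: []string{}` (empty but non-nil), and no case pins that cliArgs omits `--ignore-status` for it rather than emitting the flag with an empty value. A table entry such as `config: Config{Vulnerabilities: VulnConfig{IgnoredStatuses: []string{}}}` with `expected: []string{"--format=json", "image", "--image-src", "containerd", ref}`, following the shape of the neighbouring single-field cases, would close that gap. The rest of the table and the loop that drives it lie outside this hunk.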
Expand Up @@ -72,6 +72,7 @@ runtimeConfig:
# - HIGH
# - MEDIUM
# - LOW
# ignoredStatuses:
# timeout:
# total: 23h
# perImage: 1h

