Feat: Support Trivy status filtering (#844)

Signed-off-by: Fabian Gonzalez <fabiangonz98@gmail.com> Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>
eraser-dev · Nov 29, 2023 · 8fbd155 · 8fbd155
1 parent 55fa69a
commit 8fbd155
Show file tree

Hide file tree

Showing 10 changed files with 47 additions and 18 deletions.
diff --git a/api/unversioned/config/config.go b/api/unversioned/config/config.go
@@ -27,6 +27,7 @@ severities:
   - HIGH
   - MEDIUM
   - LOW
+ignoredStatuses:
 `
 
 type Manager struct {

diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml
@@ -69,6 +69,7 @@ components:
           - HIGH
           - MEDIUM
           - LOW
+        ignoredStatuses:
       timeout:
         total: 23h
         perImage: 1h

diff --git a/docs/docs/customization.md b/docs/docs/customization.md
@@ -178,10 +178,11 @@ vulnerabilities:
   types: # a list of vulnerability types. for more info, see trivy's documentation.
     - os
     - library
-  securityChecks: # see trivy's documentation for more invormation
+  securityChecks: # see trivy's documentation for more information
     - vuln
   severities: # in this case, only flag images with CRITICAL vulnerability for removal
     - CRITICAL
+  ignoredStatuses: # a list of trivy statuses to ignore. See https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/#by-status.
 timeout:
   total: 23h # if scanning isn't completed before this much time elapses, abort the whole scan
   perImage: 1h # if scanning a single image exceeds this time, scanning will be aborted

diff --git a/docs/docs/trivy.md b/docs/docs/trivy.md
@@ -3,4 +3,4 @@ title: Trivy
 ---
 
 ## Trivy Provider Options
-The trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
+The Trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
diff --git a/manifest_staging/charts/eraser/values.yaml b/manifest_staging/charts/eraser/values.yaml
@@ -72,6 +72,7 @@ runtimeConfig:
         #     - HIGH
         #     - MEDIUM
         #     - LOW
+        #   ignoredStatuses:
         # timeout:
         #   total: 23h
         #   perImage: 1h

diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml
@@ -453,6 +453,7 @@ data:
               - HIGH
               - MEDIUM
               - LOW
+            ignoredStatuses:
           timeout:
             total: 23h
             perImage: 1h

diff --git a/pkg/scanners/trivy/trivy.go b/pkg/scanners/trivy/trivy.go
@@ -36,6 +36,14 @@ const (
 	securityCheckVuln   = "vuln"
 	securityCheckConfig = "config"
 	securityCheckSecret = "secret"
+
+	statusUnknown            = "unknown"
+	statusAffected           = "affected"
+	statusFixed              = "fixed"
+	statusUnderInvestigation = "under_investigation"
+	statusWillNotFix         = "will_not_fix"
+	statusFixDeferred        = "fix_deferred"
+	statusEndOfLife          = "end_of_life"
 )
 
 var (

diff --git a/pkg/scanners/trivy/types.go b/pkg/scanners/trivy/types.go
@@ -30,6 +30,7 @@ const (
 	trivySecurityChecksFlag = "--scanners"
 	trivySeveritiesFlag     = "--severity"
 	trivyRuntimeFlag        = "--image-src"
+	trivyIgnoreStatusFlag   = "--ignore-status"
 )
 
 type (
@@ -44,10 +45,11 @@ type (
 	}
 
 	VulnConfig struct {
-		IgnoreUnfixed  bool     `json:"ignoreUnfixed,omitempty"`
-		Types          []string `json:"types,omitempty"`
-		SecurityChecks []string `json:"securityChecks,omitempty"`
-		Severities     []string `json:"severities,omitempty"`
+		IgnoreUnfixed   bool     `json:"ignoreUnfixed,omitempty"`
+		Types           []string `json:"types,omitempty"`
+		SecurityChecks  []string `json:"securityChecks,omitempty"`
+		Severities      []string `json:"severities,omitempty"`
+		IgnoredStatuses []string `json:"ignoredStatuses,omitempty"`
 	}
 
 	TimeoutConfig struct {
@@ -75,8 +77,9 @@ func DefaultConfig() *Config {
 				vulnTypeOs,
 				vulnTypeLibrary,
 			},
-			SecurityChecks: []string{securityCheckVuln},
-			Severities:     []string{severityCritical, severityHigh, severityMedium, severityLow},
+			SecurityChecks:  []string{securityCheckVuln},
+			Severities:      []string{severityCritical, severityHigh, severityMedium, severityLow},
+			IgnoredStatuses: []string{},
 		},
 		Timeout: TimeoutConfig{
 			Total:    unversioned.Duration(time.Hour * 23),
@@ -130,6 +133,11 @@ func (c *Config) cliArgs(ref string) []string {
 		args = append(args, trivySeveritiesFlag, allSeverities)
 	}
 
+	if len(c.Vulnerabilities.IgnoredStatuses) > 0 {
+		allIgnoredStatuses := strings.Join(c.Vulnerabilities.IgnoredStatuses, ",")
+		args = append(args, trivyIgnoreStatusFlag, allIgnoredStatuses)
+	}
+
 	args = append(args, ref)
 
 	return args

diff --git a/pkg/scanners/trivy/types_test.go b/pkg/scanners/trivy/types_test.go
@@ -73,6 +73,11 @@ func TestCLIArgs(t *testing.T) {
 			config:   Config{Vulnerabilities: VulnConfig{Severities: []string{"LOW", "MEDIUM"}}},
 			expected: []string{"--format=json", "image", "--image-src", "containerd", "--severity", "LOW,MEDIUM", ref},
 		},
+		{
+			desc:     "specify statuses to ignore",
+			config:   Config{Vulnerabilities: VulnConfig{IgnoredStatuses: []string{statusUnknown, statusFixed, statusWillNotFix}}},
+			expected: []string{"--format=json", "image", "--image-src", "containerd", "--ignore-status", "unknown,fixed,will_not_fix", ref},
+		},
 		{
 			desc:     "total timeout has no effect",
 			config:   Config{Timeout: TimeoutConfig{Total: testDuration}},
@@ -95,15 +100,16 @@ func TestCLIArgs(t *testing.T) {
 				Runtime: "crio",
 				DBRepo:  "example.test/db/repo",
 				Vulnerabilities: VulnConfig{
-					IgnoreUnfixed:  true,
-					Types:          []string{"library", "os"},
-					SecurityChecks: []string{"license", "vuln"},
-					Severities:     []string{"LOW", "MEDIUM"},
+					IgnoreUnfixed:   true,
+					Types:           []string{"library", "os"},
+					SecurityChecks:  []string{"license", "vuln"},
+					Severities:      []string{"LOW", "MEDIUM"},
+					IgnoredStatuses: []string{statusUnknown, statusFixed},
 				},
 			},
 			expected: []string{
 				"--format=json", "image", "--image-src", "crio", "--db-repository", "example.test/db/repo", "--ignore-unfixed",
-				"--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", ref,
+				"--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", "--ignore-status", "unknown,fixed", ref,
 			},
 		},
 		{
@@ -114,16 +120,17 @@ func TestCLIArgs(t *testing.T) {
 				Runtime:  "crio",
 				DBRepo:   "example.test/db/repo",
 				Vulnerabilities: VulnConfig{
-					IgnoreUnfixed:  true,
-					Types:          []string{"os"},
-					SecurityChecks: []string{"license", "vuln"},
-					Severities:     []string{"CRITICAL"},
+					IgnoreUnfixed:   true,
+					Types:           []string{"os"},
+					SecurityChecks:  []string{"license", "vuln"},
+					Severities:      []string{"CRITICAL"},
+					IgnoredStatuses: []string{statusUnknown, statusFixed},
 				},
 			},
 			expected: []string{
 				"--format=json", "--cache-dir", "/var/lib/trivy", "--timeout", "1m40s", "image", "--image-src", "crio",
 				"--db-repository", "example.test/db/repo", "--ignore-unfixed", "--vuln-type", "os", "--scanners",
-				"license,vuln", "--severity", "CRITICAL", ref,
+				"license,vuln", "--severity", "CRITICAL", "--ignore-status", "unknown,fixed", ref,
 			},
 		},
 	}

diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -72,6 +72,7 @@ runtimeConfig:
         #     - HIGH
         #     - MEDIUM
         #     - LOW
+        #   ignoredStatuses:
         # timeout:
         #   total: 23h
         #   perImage: 1h
-Original file line number
+Diff line change
@@ Expand Up / @@ -27,6 +27,7 @@ severities: @@
       - HIGH
       - MEDIUM
       - LOW
+    ignoredStatuses:
     `
     type Manager struct {
@@ Expand Down @@