diff --git a/api/unversioned/config/config.go b/api/unversioned/config/config.go
index 02bb1856a5..c469755bfe 100644
--- a/api/unversioned/config/config.go
+++ b/api/unversioned/config/config.go
@@ -27,6 +27,7 @@ severities:
 - HIGH
 - MEDIUM
 - LOW
+ignoredStatuses:
 `
 type Manager struct {
diff --git a/config/manager/controller_manager_config.yaml b/config/manager/controller_manager_config.yaml
index e891d050c4..e871c65a38 100644
--- a/config/manager/controller_manager_config.yaml
+++ b/config/manager/controller_manager_config.yaml
@@ -69,6 +69,7 @@ components:
 - HIGH
 - MEDIUM
 - LOW
+ ignoredStatuses:
 timeout:
 total: 23h
 perImage: 1h
diff --git a/docs/docs/customization.md b/docs/docs/customization.md
index 51a9e5bf91..b321cd5c46 100644
--- a/docs/docs/customization.md
+++ b/docs/docs/customization.md
@@ -178,10 +178,11 @@ vulnerabilities:
 types: # a list of vulnerability types. for more info, see trivy's documentation.
 - os
 - library
- securityChecks: # see trivy's documentation for more invormation
+ securityChecks: # see trivy's documentation for more information
 - vuln
 severities: # in this case, only flag images with CRITICAL vulnerability for removal
 - CRITICAL
+ ignoredStatuses: # a list of trivy statuses to ignore. See https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/#by-status.
 timeout:
 total: 23h # if scanning isn't completed before this much time elapses, abort the whole scan
 perImage: 1h # if scanning a single image exceeds this time, scanning will be aborted
diff --git a/docs/docs/trivy.md b/docs/docs/trivy.md
index 7b531b240c..d19e9777db 100644
--- a/docs/docs/trivy.md
+++ b/docs/docs/trivy.md
@@ -3,4 +3,4 @@ title: Trivy
 ---
 ## Trivy Provider Options
-The trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
+The Trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
diff --git a/manifest_staging/charts/eraser/values.yaml b/manifest_staging/charts/eraser/values.yaml
index 9a58c912ab..aed59757ee 100644
--- a/manifest_staging/charts/eraser/values.yaml
+++ b/manifest_staging/charts/eraser/values.yaml
@@ -72,6 +72,7 @@ runtimeConfig:
 # - HIGH
 # - MEDIUM
 # - LOW
+ # ignoredStatuses:
 # timeout:
 # total: 23h
 # perImage: 1h
diff --git a/manifest_staging/deploy/eraser.yaml b/manifest_staging/deploy/eraser.yaml
index 7a5eee8d24..06f7fc5856 100644
--- a/manifest_staging/deploy/eraser.yaml
+++ b/manifest_staging/deploy/eraser.yaml
@@ -453,6 +453,7 @@ data:
 - HIGH
 - MEDIUM
 - LOW
+ ignoredStatuses:
 timeout:
 total: 23h
 perImage: 1h
diff --git a/pkg/scanners/trivy/trivy.go b/pkg/scanners/trivy/trivy.go
index 71bf330a73..8a1ceed5ef 100644
--- a/pkg/scanners/trivy/trivy.go
+++ b/pkg/scanners/trivy/trivy.go
@@ -36,6 +36,14 @@ const (
 securityCheckVuln = "vuln"
 securityCheckConfig = "config"
 securityCheckSecret = "secret"
+
+ statusUnknown = "unknown"
+ statusAffected = "affected"
+ statusFixed = "fixed"
+ statusUnderInvestigation = "under_investigation"
+ statusWillNotFix = "will_not_fix"
+ statusFixDeferred = "fix_deferred"
+ statusEndOfLife = "end_of_life"
 )
 var (
diff --git a/pkg/scanners/trivy/types.go b/pkg/scanners/trivy/types.go
index 3d91a22514..e6972a3ad3 100644
--- a/pkg/scanners/trivy/types.go
+++ b/pkg/scanners/trivy/types.go
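Review bot: The seven `status*` constants added to the const block in trivy.go are not referenced by any non-test code in this change; only types_test.go uses them, so the package now carries an allow-list of trivy status names that it never enforces. Either use them to reject unrecognised entries in `VulnConfig.IgnoredStatuses` before the values reach `cliArgs` (a misspelling such as a hyphenated form of `will_not_fix` is otherwise only discovered when trivy parses `--ignore-status` at scan time), or add a comment on the group so a reader knows why it exists: `// Vulnerability status names understood by trivy's --ignore-status flag; keep in sync with the trivy version Eraser ships.` The enclosing `const (` block opens outside the hunk.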
@@ -30,6 +30,7 @@ const (
 trivySecurityChecksFlag = "--scanners"
 trivySeveritiesFlag = "--severity"
 trivyRuntimeFlag = "--image-src"
+ trivyIgnoreStatusFlag = "--ignore-status"
 )
 type (
@@ -44,10 +45,11 @@ type (
 }
 VulnConfig struct {
- IgnoreUnfixed bool `json:"ignoreUnfixed,omitempty"`
- Types []string `json:"types,omitempty"`
- SecurityChecks []string `json:"securityChecks,omitempty"`
- Severities []string `json:"severities,omitempty"`
+ IgnoreUnfixed bool `json:"ignoreUnfixed,omitempty"`
+ Types []string `json:"types,omitempty"`
+ SecurityChecks []string `json:"securityChecks,omitempty"`
+ Severities []string `json:"severities,omitempty"`
+ IgnoredStatuses []string `json:"ignoredStatuses,omitempty"`
 }
 TimeoutConfig struct {
@@ -75,8 +77,9 @@ func DefaultConfig() *Config {
 vulnTypeOs,
 vulnTypeLibrary,
 },
- SecurityChecks: []string{securityCheckVuln},
- Severities: []string{severityCritical, severityHigh, severityMedium, severityLow},
+ SecurityChecks: []string{securityCheckVuln},
+ Severities: []string{severityCritical, severityHigh, severityMedium, severityLow},
+ IgnoredStatuses: []string{},
 },
 Timeout: TimeoutConfig{
 Total: unversioned.Duration(time.Hour * 23),
@@ -130,6 +133,11 @@ func (c *Config) cliArgs(ref string) []string {
 args = append(args, trivySeveritiesFlag, allSeverities)
 }
+ if len(c.Vulnerabilities.IgnoredStatuses) > 0 {
+ allIgnoredStatuses := strings.Join(c.Vulnerabilities.IgnoredStatuses, ",")
+ args = append(args, trivyIgnoreStatusFlag, allIgnoredStatuses)
+ }
+
 args = append(args, ref)
 return args
diff --git a/pkg/scanners/trivy/types_test.go b/pkg/scanners/trivy/types_test.go
index d3e6f19260..bc41ff75f7 100644
--- a/pkg/scanners/trivy/types_test.go
+++ b/pkg/scanners/trivy/types_test.go
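Review bot: `IgnoredStatuses` in the `VulnConfig` hunk is a new exported config knob with no doc comment, and its effect is security-relevant: the values end up in trivy's `--ignore-status`, so findings carrying those statuses are dropped from the results Eraser evaluates, and — if the filtering page linked from customization.md describes the flag accurately — listing `affected` or `unknown` removes exactly the findings an operator most likely wants acted on. Suggest a comment that makes the trade-off visible, e.g. `// IgnoredStatuses lists trivy vulnerability statuses (fixed, will_not_fix, ...) whose findings are excluded from the scan results; statuses listed here never contribute to an image being flagged.` The `type (` group opens outside the hunk.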
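Review bot: In the `cliArgs` hunk the `--ignore-status` flag is emitted whenever the list is non-empty, but nothing checks that each entry is a status trivy accepts or that the trivy binary in use supports the flag; the documentation link added in customization.md points at trivy v0.44, which suggests an older scanner image would presumably reject the unknown flag and fail every scan as soon as the list is set. Consider validating entries against the `status*` constants from trivy.go at config-load time and stating the minimum trivy version in the field's documentation. Entries are also joined verbatim, so an empty string or a value with surrounding whitespace is forwarded unchanged (`"--ignore-status", ",fixed"`). `cliArgs` starts outside the hunk.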
@@ -73,6 +73,11 @@ func TestCLIArgs(t *testing.T) {
 config: Config{Vulnerabilities: VulnConfig{Severities: []string{"LOW", "MEDIUM"}}},
 expected: []string{"--format=json", "image", "--image-src", "containerd", "--severity", "LOW,MEDIUM", ref},
 },
+ {
+ desc: "specify statuses to ignore",
+ config: Config{Vulnerabilities: VulnConfig{IgnoredStatuses: []string{statusUnknown, statusFixed, statusWillNotFix}}},
+ expected: []string{"--format=json", "image", "--image-src", "containerd", "--ignore-status", "unknown,fixed,will_not_fix", ref},
+ },
 {
 desc: "total timeout has no effect",
 config: Config{Timeout: TimeoutConfig{Total: testDuration}},
@@ -95,15 +100,16 @@ func TestCLIArgs(t *testing.T) {
 Runtime: "crio",
 DBRepo: "example.test/db/repo",
 Vulnerabilities: VulnConfig{
- IgnoreUnfixed: true,
- Types: []string{"library", "os"},
- SecurityChecks: []string{"license", "vuln"},
- Severities: []string{"LOW", "MEDIUM"},
+ IgnoreUnfixed: true,
+ Types: []string{"library", "os"},
+ SecurityChecks: []string{"license", "vuln"},
+ Severities: []string{"LOW", "MEDIUM"},
+ IgnoredStatuses: []string{statusUnknown, statusFixed},
 },
 },
 expected: []string{
 "--format=json", "image", "--image-src", "crio", "--db-repository", "example.test/db/repo", "--ignore-unfixed",
- "--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", ref,
+ "--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", "--ignore-status", "unknown,fixed", ref,
 },
 },
 {
@@ -114,16 +120,17 @@ func TestCLIArgs(t *testing.T) {
 Runtime: "crio",
 DBRepo: "example.test/db/repo",
 Vulnerabilities: VulnConfig{
- IgnoreUnfixed: true,
- Types: []string{"os"},
- SecurityChecks: []string{"license", "vuln"},
- Severities: []string{"CRITICAL"},
+ IgnoreUnfixed: true,
+ Types: []string{"os"},
+ SecurityChecks: []string{"license", "vuln"},
+ Severities: []string{"CRITICAL"},
+ IgnoredStatuses: []string{statusUnknown, statusFixed},
 },
 },
 expected: []string{
 "--format=json", "--cache-dir", "/var/lib/trivy", "--timeout", "1m40s", "image", "--image-src", "crio", "--db-repository", "example.test/db/repo", "--ignore-unfixed", "--vuln-type", "os", "--scanners",
- "license,vuln", "--severity", "CRITICAL", ref,
+ "license,vuln", "--severity", "CRITICAL", "--ignore-status", "unknown,fixed", ref,
 },
 },
 }
diff --git a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
index 9a58c912ab..aed59757ee 100644
--- a/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
+++ b/third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml
@@ -72,6 +72,7 @@ runtimeConfig:
 # - HIGH
 # - MEDIUM
 # - LOW
+ # ignoredStatuses:
 # timeout:
 # total: 23h
 # perImage: 1h