
support for trivy status #821

Closed
sozercan opened this issue Aug 5, 2023 · 4 comments · Fixed by #844
sozercan (Member) commented Aug 5, 2023

Describe the solution you'd like

allow filtering by vuln status

https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/#by-status

Anything else you would like to add:

Environment:

  • Eraser version:
  • Kubernetes version: (use kubectl version):
@sozercan sozercan added the enhancement New feature or request label Aug 5, 2023
@salaxander salaxander added this to the v1.4.0 milestone Aug 28, 2023
inFocus7 (Contributor) commented Aug 29, 2023

Hi! 👋🏼 Was this planned to be picked up by someone else (sozercan) or could I?
I see it's on the 1.4 milestone, with the latest LTS release being 1.2, so not sure if this is planned to just be left until the time comes for December 2023 on the public roadmap.

If I can pick it up, it looks not too bad. I'm thinking of updating the helm template to allow for an extra field

```yaml
ignoredStatuses:
# - will_not_fix
# - <... + other ones from the trivy filter page>
```

then updating our Trivy CLI go code to use the above values as its arguments to --ignore-status <ignoredStatuses,>


Ah, actually it looks like scanner.config has a multiline string with vulnerabilities under it, so I may not update the helm template but whatever parses it to get the new ignoredStatuses field idea.

@salaxander salaxander modified the milestones: v1.4.0, v1.3.0 Aug 29, 2023
sozercan (Member, Author) commented Aug 29, 2023

@inFocus7 hello! 👋 we would love the contribution!

This would be a similar type of field as these (types, security checks, severities) in the configmap:

```go
Types: []string{
	vulnTypeOs,
	vulnTypeLibrary,
},
SecurityChecks: []string{securityCheckVuln},
Severities:     []string{severityCritical, severityHigh, severityMedium, severityLow},
```
and depending on the user-specified values it'll ignore those statuses (such as not_affected).
```go
if len(c.Vulnerabilities.Types) > 0 {
	allVulnTypes := strings.Join(c.Vulnerabilities.Types, ",")
	args = append(args, trivyVulnTypesFlag, allVulnTypes)
}
if len(c.Vulnerabilities.SecurityChecks) > 0 {
	allSecurityChecks := strings.Join(c.Vulnerabilities.SecurityChecks, ",")
	args = append(args, trivySecurityChecksFlag, allSecurityChecks)
}
if len(c.Vulnerabilities.Severities) > 0 {
	allSeverities := strings.Join(c.Vulnerabilities.Severities, ",")
	args = append(args, trivySeveritiesFlag, allSeverities)
}
```

Please let me know if this answers your question and gives you info to get started.
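As an added example, not Eraser's own code, the following Go sketch shows the pattern the two comments above describe: an `IgnoredStatuses` list beside the existing `Severities` list, joined with commas and appended behind `--ignore-status`, with the status names validated against the list from the Trivy filtering docs linked in the issue. The `VulnConfig` type, the flag constant names and the `buildTrivyArgs` function are assumptions for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Status names accepted by Trivy's --ignore-status, per the filtering docs
// linked in the issue (assumed current for Trivy v0.44).
var knownStatuses = map[string]struct{}{
	"unknown": {}, "not_affected": {}, "affected": {}, "fixed": {},
	"under_investigation": {}, "will_not_fix": {}, "fix_deferred": {}, "end_of_life": {},
}

const (
	trivySeveritiesFlag   = "--severity"      // Trivy's severity flag
	trivyIgnoreStatusFlag = "--ignore-status" // flag named in the issue
)

// VulnConfig is a hypothetical stand-in for the vulnerabilities section of
// Eraser's scanner config, with the proposed IgnoredStatuses field added.
type VulnConfig struct {
	Severities      []string
	IgnoredStatuses []string
}

// buildTrivyArgs follows the existing pattern: join each non-empty list with
// commas and append it behind its flag. Unknown status names are rejected up
// front so a typo in the configmap fails loudly instead of filtering nothing.
func buildTrivyArgs(c VulnConfig) ([]string, error) {
	for _, s := range c.IgnoredStatuses {
		if _, ok := knownStatuses[s]; !ok {
			return nil, fmt.Errorf("ignoredStatuses: %q is not a Trivy status", s)
		}
	}
	var args []string
	if len(c.Severities) > 0 {
		args = append(args, trivySeveritiesFlag, strings.Join(c.Severities, ","))
	}
	if len(c.IgnoredStatuses) > 0 {
		args = append(args, trivyIgnoreStatusFlag, strings.Join(c.IgnoredStatuses, ","))
	}
	return args, nil
}

func main() {
	// Constructed sample: keep CRITICAL/HIGH, skip findings the distro will not fix.
	cfg := VulnConfig{Severities: []string{"CRITICAL", "HIGH"}, IgnoredStatuses: []string{"will_not_fix", "fix_deferred"}}
	args, err := buildTrivyArgs(cfg)
	fmt.Println(strings.Join(args, " "), err)
}
```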

inFocus7 (Contributor) commented

Awesome, thank you!

I just put up a draft PR that I worked on yesterday. I'll still need to manually test that it acts as expected before being confident enough to un-draft it 👍🏼

inFocus7 (Contributor) commented Aug 30, 2023

I'd say I'm very close to the finish line. I manually verified it and added my verification steps on the PR.

A final question/unknown is: Did I update every relevant area to expose ignoredStatuses both dev & user-facing?
