Feat: Support Trivy status filtering

api/unversioned/config/config.go

@@ -27,6 +27,7 @@ severities:
   - HIGH
   - MEDIUM
   - LOW
+ignoredStatuses:
 `
 
 type Manager struct {

config/manager/controller_manager_config.yaml

@@ -69,6 +69,7 @@ components:
           - HIGH
           - MEDIUM
           - LOW
+        ignoredStatuses:
       timeout:
         total: 23h
         perImage: 1h

docs/docs/customization.md

@@ -178,10 +178,11 @@ vulnerabilities:
   types: # a list of vulnerability types. for more info, see trivy's documentation.
     - os
     - library
-  securityChecks: # see trivy's documentation for more invormation
+  securityChecks: # see trivy's documentation for more information
     - vuln
   severities: # in this case, only flag images with CRITICAL vulnerability for removal
     - CRITICAL
+  ignoredStatuses: # a list of trivy statuses to ignore. See https://aquasecurity.github.io/trivy/v0.44/docs/configuration/filtering/#by-status.
 timeout:
   total: 23h # if scanning isn't completed before this much time elapses, abort the whole scan
   perImage: 1h # if scanning a single image exceeds this time, scanning will be aborted

docs/docs/trivy.md

@@ -3,4 +3,4 @@ title: Trivy
 ---
 
 ## Trivy Provider Options
-The trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.
+The Trivy provider is used in Eraser for image scanning and detecting vulnerabilities. See [Customization](https://eraser-dev.github.io/eraser/docs/customization#scanner-options) for more details on configuring the scanner.

manifest_staging/charts/eraser/values.yaml

@@ -72,6 +72,7 @@ runtimeConfig:
         #     - HIGH
         #     - MEDIUM
         #     - LOW
+        #   ignoredStatuses:
         # timeout:
         #   total: 23h
         #   perImage: 1h

manifest_staging/deploy/eraser.yaml

@@ -453,6 +453,7 @@ data:
               - HIGH
               - MEDIUM
               - LOW
+            ignoredStatuses:
           timeout:
             total: 23h
             perImage: 1h

pkg/scanners/trivy/trivy.go

@@ -36,6 +36,14 @@ const (
 	securityCheckVuln   = "vuln"
 	securityCheckConfig = "config"
 	securityCheckSecret = "secret"
+
+	statusUnknown            = "unknown"
+	statusAffected           = "affected"
+	statusFixed              = "fixed"
+	statusUnderInvestigation = "under_investigation"
+	statusWillNotFix         = "will_not_fix"
+	statusFixDeferred        = "fix_deferred"
+	statusEndOfLife          = "end_of_life"
 )
 
 var (

pkg/scanners/trivy/types.go

@@ -30,6 +30,7 @@ const (
 	trivySecurityChecksFlag = "--scanners"
 	trivySeveritiesFlag     = "--severity"
 	trivyRuntimeFlag        = "--image-src"
+	trivyIgnoreStatusFlag   = "--ignore-status"
 )
 
 type (
@@ -44,10 +45,11 @@ type (
 	}
 
 	VulnConfig struct {
-		IgnoreUnfixed  bool     `json:"ignoreUnfixed,omitempty"`
-		Types          []string `json:"types,omitempty"`
-		SecurityChecks []string `json:"securityChecks,omitempty"`
-		Severities     []string `json:"severities,omitempty"`
+		IgnoreUnfixed   bool     `json:"ignoreUnfixed,omitempty"`
+		Types           []string `json:"types,omitempty"`
+		SecurityChecks  []string `json:"securityChecks,omitempty"`
+		Severities      []string `json:"severities,omitempty"`
+		IgnoredStatuses []string `json:"ignoredStatuses,omitempty"`
 	}
 
 	TimeoutConfig struct {
@@ -75,8 +77,9 @@ func DefaultConfig() *Config {
 				vulnTypeOs,
 				vulnTypeLibrary,
 			},
-			SecurityChecks: []string{securityCheckVuln},
-			Severities:     []string{severityCritical, severityHigh, severityMedium, severityLow},
+			SecurityChecks:  []string{securityCheckVuln},
+			Severities:      []string{severityCritical, severityHigh, severityMedium, severityLow},
+			IgnoredStatuses: []string{},
 		},
 		Timeout: TimeoutConfig{
 			Total:    unversioned.Duration(time.Hour * 23),
@@ -130,6 +133,11 @@ func (c *Config) cliArgs(ref string) []string {
 		args = append(args, trivySeveritiesFlag, allSeverities)
 	}
 
+	if len(c.Vulnerabilities.IgnoredStatuses) > 0 {
+		allIgnoredStatuses := strings.Join(c.Vulnerabilities.IgnoredStatuses, ",")
+		args = append(args, trivyIgnoreStatusFlag, allIgnoredStatuses)
+	}
+
 	args = append(args, ref)
 
 	return args

pkg/scanners/trivy/types_test.go

@@ -73,6 +73,11 @@ func TestCLIArgs(t *testing.T) {
 			config:   Config{Vulnerabilities: VulnConfig{Severities: []string{"LOW", "MEDIUM"}}},
 			expected: []string{"--format=json", "image", "--image-src", "containerd", "--severity", "LOW,MEDIUM", ref},
 		},
+		{
+			desc:     "specify statuses to ignore",
+			config:   Config{Vulnerabilities: VulnConfig{IgnoredStatuses: []string{statusUnknown, statusFixed, statusWillNotFix}}},
+			expected: []string{"--format=json", "image", "--image-src", "containerd", "--ignore-status", "unknown,fixed,will_not_fix", ref},
+		},
 		{
 			desc:     "total timeout has no effect",
 			config:   Config{Timeout: TimeoutConfig{Total: testDuration}},
@@ -95,15 +100,16 @@ func TestCLIArgs(t *testing.T) {
 				Runtime: "crio",
 				DBRepo:  "example.test/db/repo",
 				Vulnerabilities: VulnConfig{
-					IgnoreUnfixed:  true,
-					Types:          []string{"library", "os"},
-					SecurityChecks: []string{"license", "vuln"},
-					Severities:     []string{"LOW", "MEDIUM"},
+					IgnoreUnfixed:   true,
+					Types:           []string{"library", "os"},
+					SecurityChecks:  []string{"license", "vuln"},
+					Severities:      []string{"LOW", "MEDIUM"},
+					IgnoredStatuses: []string{statusUnknown, statusFixed},
 				},
 			},
 			expected: []string{
 				"--format=json", "image", "--image-src", "crio", "--db-repository", "example.test/db/repo", "--ignore-unfixed",
-				"--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", ref,
+				"--vuln-type", "library,os", "--scanners", "license,vuln", "--severity", "LOW,MEDIUM", "--ignore-status", "unknown,fixed", ref,
 			},
 		},
 		{
@@ -114,16 +120,17 @@ func TestCLIArgs(t *testing.T) {
 				Runtime:  "crio",
 				DBRepo:   "example.test/db/repo",
 				Vulnerabilities: VulnConfig{
-					IgnoreUnfixed:  true,
-					Types:          []string{"os"},
-					SecurityChecks: []string{"license", "vuln"},
-					Severities:     []string{"CRITICAL"},
+					IgnoreUnfixed:   true,
+					Types:           []string{"os"},
+					SecurityChecks:  []string{"license", "vuln"},
+					Severities:      []string{"CRITICAL"},
+					IgnoredStatuses: []string{statusUnknown, statusFixed},
 				},
 			},
 			expected: []string{
 				"--format=json", "--cache-dir", "/var/lib/trivy", "--timeout", "1m40s", "image", "--image-src", "crio",
 				"--db-repository", "example.test/db/repo", "--ignore-unfixed", "--vuln-type", "os", "--scanners",
-				"license,vuln", "--severity", "CRITICAL", ref,
+				"license,vuln", "--severity", "CRITICAL", "--ignore-status", "unknown,fixed", ref,
 			},
 		},
 	}

third_party/open-policy-agent/gatekeeper/helmify/static/values.yaml

@@ -72,6 +72,7 @@ runtimeConfig:
         #     - HIGH
         #     - MEDIUM
         #     - LOW
+        #   ignoredStatuses:
         # timeout:
         #   total: 23h
         #   perImage: 1h