Add `failure: ignore` to security scans #2078
The reported CVEs should be fixed by updating the deps or added to the trivyignore list. Just effectively bypassing the entire security scan makes it IMO useless.
Of course, but especially the docs kind of always fail. It's not possible to fix the vulnerabilities currently there. Thus, the pipeline fails and is reported to GitHub as failed, which makes the GitHub status monitor useless.

True, there will always be cases where the results of security scans are not accurate or can be ignored because the code base is not affected, etc. But for all these cases, we should use the methods described at https://aquasecurity.github.io/trivy/v0.43/docs/configuration/filtering/ instead of "blindly" ignoring all findings. Otherwise, we will not notice future critical vulnerabilities, and we might as well remove the security scan altogether.
What is blocking dependency updates for docs? Just running

Yes, but there are still some, right? Of course, updating is the best thing you can do, but you can already see that some of the dependencies still have unfixed CVEs. They would fail as well.

I have already made a suggestion for the remaining ones at #2078 (comment). Just add them to
Related-to: #2078

Remaining CVEs:

```
❯ trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
2023-08-01T10:02:36.911+0200	INFO	Vulnerability scanning is enabled
2023-08-01T10:02:36.911+0200	INFO	Secret scanning is enabled
2023-08-01T10:02:36.911+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-01T10:02:36.911+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-08-01T10:02:36.963+0200	INFO	Number of language-specific files: 1
2023-08-01T10:02:36.963+0200	INFO	Detecting pnpm vulnerabilities...

pnpm-lock.yaml (pnpm)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ got     │ CVE-2022-33987 │ MEDIUM   │ 9.6.0             │ 11.8.5, 12.1.0 │ missing verification of requested URLs allows redirects to   │
│         │                │          │                   │                │ UNIX sockets                                                 │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-33987                   │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ trim    │ CVE-2020-7753  │ HIGH     │ 0.0.1             │ 0.0.3          │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │
│         │                │          │                   │                │ trim function                                                │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-7753                    │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
```

- `trim` is pulled in by `@docusaurus/theme-classic` and can be ignored due to facebook/docusaurus#7275 (comment)
- `got` can be ignored as well, see `trim`
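An added illustration (not code from the Woodpecker repository or from this PR) of the two approaches discussed above, shown as two files in one block: the pipeline step with the `failure: ignore` setting this PR adds, and the alternative the reviewers ask for, a `.trivyignore` that suppresses only the two reviewed CVEs from the scan output. The file paths, step name, `steps:` layout and image tag are assumptions; the trivy command is the one from the comment above.

```yaml
# File 1: .woodpecker/security.yml (path, step name and image tag are assumed)
steps:
  security-check:
    image: aquasec/trivy:0.43.0
    commands:
      # Same command as in the comment above. --exit-code 1 keeps the step red
      # on every finding that is not explicitly accepted in .trivyignore.
      - trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
    # failure: ignore
    # ^ the setting this PR adds. It turns the step green whatever trivy
    #   reports, so a future CRITICAL in pnpm-lock.yaml would pass unnoticed.
---
# File 2: .trivyignore in the repository root (trivy reads it from the working
# directory). One CVE ID per line; only the two reviewed findings are
# suppressed, each with its reason so the entry can be revisited once a fix
# for the dependency chain is available.

# trim 0.0.1, pulled in by @docusaurus/theme-classic (ReDoS in trim());
# accepted per facebook/docusaurus#7275
CVE-2020-7753

# got 9.6.0, accepted for the same reason as trim (see the comment above)
CVE-2022-33987
```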
@qwerty287 I think we can close this one?

Otherwise all PRs are marked as failed on GitHub.