From 65aa157d24b7990bb276aa617a1247af551380c2 Mon Sep 17 00:00:00 2001
From: Matthew McClaskey
Date: Wed, 22 Nov 2023 15:51:05 +0000
Subject: [PATCH] trivvy filtering

---
 ci-scripts/scan | 2 +-
 ci-scripts/vulnerability-filter.rego | 50 ++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 ci-scripts/vulnerability-filter.rego

diff --git a/ci-scripts/scan b/ci-scripts/scan
index b5f0977..4c93d17 100644
--- a/ci-scripts/scan
+++ b/ci-scripts/scan
@@ -29,7 +29,7 @@ set -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 trivy_dir="${SCRIPT_DIR}/trivy"
-trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options"
 source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
 build_report
diff --git a/ci-scripts/vulnerability-filter.rego b/ci-scripts/vulnerability-filter.rego
new file mode 100644
index 0000000..71be791
--- /dev/null
+++ b/ci-scripts/vulnerability-filter.rego
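Review bot: The new `--ignore-unfixed` on the `trivy_cmd` line suppresses every finding that has no vendor fix yet, for every scan type this script runs, which is far broader than the libssl1.1 false positives the accompanying rego policy is scoped to; an unfixed critical CVE in a base image would now be silently absent from the report. If that is intended it needs a comment above the line, e.g. `# --ignore-unfixed: drop findings with no upstream fix; --ignore-policy: KASM-5262 libssl1.1 false positives`, and is better gated behind an opt-in variable (e.g. `${TRIVY_IGNORE_UNFIXED:+--ignore-unfixed}`) than hard-coded. Separately, `${SCRIPT_DIR}` is interpolated unquoted into a string that is presumably word-split when `$trivy_cmd` is later executed, so a checkout path containing spaces would split the `--ignore-policy` argument; the existing `$trivy_dir` usage on the same line has the same pre-existing problem, so this may be acceptable here. The enclosing script continues outside the hunk.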
@@ -0,0 +1,50 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+# KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
+ignore {
+ input.PkgName == "libssl1.1"
+ input.InstalledVersion == "1.1.1f-1ubuntu2.20"
+
+ # Evaluate CWE-ID
+ deny_vulnerability_ids := {
+ "CVE-2021-3449",
+ "CVE-2021-3711",
+ "CVE-2022-0778",
+ "CVE-2022-3602",
+ "CVE-2022-3786",
+ "CVE-2023-0286",
+ "CVE-2021-3712",
+ "CVE-2021-4044",
+ "CVE-2022-1292",
+ "CVE-2022-1343",
+ "CVE-2022-2068",
+ "CVE-2022-2097",
+ "CVE-2022-4203",
+ "CVE-2022-4304",
+ "CVE-2022-4450",
+ "CVE-2023-0215",
+ "CVE-2023-0216",
+ "CVE-2023-0217",
+ "CVE-2023-0401",
+ "CVE-2023-2650",
+ "CVE-2023-5363",
+ "CVE-2021-23840",
+ "CVE-2022-1434",
+ "CVE-2022-1473",
+ "CVE-2022-3358",
+ "CVE-2022-3996",
+ "CVE-2023-0464",
+ "CVE-2023-0465",
+ "CVE-2023-0466",
+ "CVE-2023-1255",
+ "CVE-2023-2975",
+ "CVE-2023-3446",
+ "CVE-2023-3817"
+ }
+
+ input.VulnerabilityID == deny_vulnerability_ids[_]
+}
\ No newline at end of file
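Review bot: The comment `# Evaluate CWE-ID` above the set literal is wrong — the set holds CVE identifiers, not CWE IDs — and the name `deny_vulnerability_ids` reads as a deny-list when the rule actually suppresses these findings; rename it to `suppressed_cve_ids` and replace the comment with `# CVEs Trivy reports against the manually installed libssl1.1 1.1.1f-1ubuntu2.20 build; believed fixed by Ubuntu backports (KASM-5262)`. More importantly, 33 CVEs are suppressed in one block with no per-CVE justification or review date, so a later reader cannot tell which entries were verified against the Ubuntu changelog/USN and which were added only to make the scan green; at minimum add a `# reviewed YYYY-MM-DD against USN/changelog` note and a ticket reference per entry or per batch, and treat any new ID added later as requiring the same evidence. Pinning `input.InstalledVersion` to the exact string is good because a version bump will re-surface the findings rather than silently inheriting the suppression, so keep that rather than loosening it to a prefix match. `import data.lib.trivy` is unused by the rule body and can be dropped, and the file should end with a newline.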