trivvy filtering

This commit is contained in:
Matthew McClaskey 2023-11-22 15:51:05 +00:00
parent c5269e2e27
commit 65aa157d24
2 changed files with 51 additions and 1 deletions


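--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -29,7 +29,7 @@ set -x
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 trivy_dir="${SCRIPT_DIR}/trivy"
-trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options"
 source_dir="${CI_PROJECT_DIR:-$trivy_dir}"
 build_report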
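Review bot: The new `--ignore-unfixed` on the trivy_cmd line suppresses every finding for which the distro has not yet shipped a fix, regardless of severity and independently of the policy file, and neither the hunk nor the commit message records that this is intended; a comment such as `# --ignore-unfixed: report only findings with an available fix; unfixed ones are not shown in this report` above the assignment would make the scope of the filter explicit. The policy path `${SCRIPT_DIR}/vulnerability-filter.rego` is interpolated unquoted into a command string that is presumably expanded later (not visible in this hunk), so a SCRIPT_DIR containing whitespace would split the argument; the same concern already applies to `$trivy_dir`, so this is consistent with the existing style rather than a regression. The script continues outside the hunk, so where trivy_cmd is executed could not be checked here.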


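--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,50 @@
+package trivy
+import data.lib.trivy
+default ignore = false
+# KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
+ignore {
+input.PkgName == "libssl1.1"
+input.InstalledVersion == "1.1.1f-1ubuntu2.20"
+# Evaluate CWE-ID
+deny_vulnerability_ids := {
+"CVE-2021-3449",
+"CVE-2021-3711",
+"CVE-2022-0778",
+"CVE-2022-3602",
+"CVE-2022-3786",
+"CVE-2023-0286",
+"CVE-2021-3712",
+"CVE-2021-4044",
+"CVE-2022-1292",
+"CVE-2022-1343",
+"CVE-2022-2068",
+"CVE-2022-2097",
+"CVE-2022-4203",
+"CVE-2022-4304",
+"CVE-2022-4450",
+"CVE-2023-0215",
+"CVE-2023-0216",
+"CVE-2023-0217",
+"CVE-2023-0401",
+"CVE-2023-2650",
+"CVE-2023-5363",
+"CVE-2021-23840",
+"CVE-2022-1434",
+"CVE-2022-1473",
+"CVE-2022-3358",
+"CVE-2022-3996",
+"CVE-2023-0464",
+"CVE-2023-0465",
+"CVE-2023-0466",
+"CVE-2023-1255",
+"CVE-2023-2975",
+"CVE-2023-3446",
+"CVE-2023-3817"
+}
+input.VulnerabilityID == deny_vulnerability_ids[_]
+}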
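Review bot: The comment `# Evaluate CWE-ID` above deny_vulnerability_ids does not describe the check below it, which compares `input.VulnerabilityID` against a set of CVE identifiers; suggest `# Suppress only the CVE IDs triaged as false positives for this pinned libssl1.1 build (KASM-5262)`. The set is declared inside the `ignore` body, so it is re-evaluated for every finding; hoisting it to a package-level `deny_vulnerability_ids := {...}` above the rule leaves the rule body with just the three conditions and keeps the list easier to maintain. The name `deny_vulnerability_ids` reads like a block list although the rule uses it as the list of findings to ignore, so `ignored_vulnerability_ids` would say what it does. Pinning on `input.InstalledVersion == "1.1.1f-1ubuntu2.20"` means the suppression lapses automatically when the package is upgraded, which is the safe behaviour; a one-line comment stating that the pin is deliberate would stop a later maintainer from loosening it. The `import data.lib.trivy` line is not referenced anywhere in the file as shown and can be dropped.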