trivvy filtering

2024-11-22 07:23:09 +01:00 · 2023-11-22 15:51:05 +00:00 · 2023-11-22 15:51:05 +00:00 · 65aa157d24
commit 65aa157d24
parent c5269e2e27
2 changed files with 51 additions and 1 deletions
--- a/ci-scripts/scan
+++ b/ci-scripts/scan
@ -29,7 +29,7 @@ set -x

 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 trivy_dir="${SCRIPT_DIR}/trivy"
-trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --cache-dir $HOME/.trivycache $options"
+trivy_cmd="$trivy_dir/trivy $scan_cmd --no-progress --ignore-unfixed --ignore-policy ${SCRIPT_DIR}/vulnerability-filter.rego --cache-dir $HOME/.trivycache $options"
 source_dir="${CI_PROJECT_DIR:-$trivy_dir}"

 build_report
--- a/ci-scripts/vulnerability-filter.rego
+++ b/ci-scripts/vulnerability-filter.rego
@ -0,0 +1,50 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+# KASM-5262 - False positives in libssl1.1 library that is manually installed on some distros
+ignore {
+	input.PkgName == "libssl1.1"
+    input.InstalledVersion == "1.1.1f-1ubuntu2.20"
+
+	# Evaluate CWE-ID
+	deny_vulnerability_ids := {
+		"CVE-2021-3449",
+		"CVE-2021-3711",
+        "CVE-2022-0778",
+        "CVE-2022-3602",
+        "CVE-2022-3786",
+        "CVE-2023-0286",
+		"CVE-2021-3712",
+		"CVE-2021-4044",
+		"CVE-2022-1292",
+		"CVE-2022-1343",
+		"CVE-2022-2068",
+		"CVE-2022-2097",
+		"CVE-2022-4203",
+		"CVE-2022-4304",
+		"CVE-2022-4450",
+		"CVE-2023-0215",
+		"CVE-2023-0216",
+		"CVE-2023-0217",
+		"CVE-2023-0401",
+		"CVE-2023-2650",
+		"CVE-2023-5363",
+		"CVE-2021-23840",
+		"CVE-2022-1434",
+		"CVE-2022-1473",
+		"CVE-2022-3358",
+		"CVE-2022-3996",
+		"CVE-2023-0464",
+		"CVE-2023-0465",
+		"CVE-2023-0466",
+		"CVE-2023-1255",
+		"CVE-2023-2975",
+		"CVE-2023-3446",
+		"CVE-2023-3817"
+	}
+
+	input.VulnerabilityID == deny_vulnerability_ids[_]
+}