Support allow lists in Trivy

assumptionsandg · assumptionsandg · commit 9a596e6ce1ee · 2024-06-07T11:05:58.000+01:00
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
@@ -37,8 +37,7 @@ on:
         description: Push scanned images that have vulnerabilities?
         type: boolean
         required: false
-        # NOTE(Alex-Welsh): This default should be flipped once we resolve existing failures
-        default: true
+        default: false
 
 env:
   ANSIBLE_FORCE_COLOR: True
@@ -136,6 +135,10 @@ jobs:
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
 
+      - name: Install yq
+        run: |
+          curl -sL https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq
+
       - name: Install Kayobe
         run: |
           mkdir -p venvs &&
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -0,0 +1,18 @@
+---
+###############################################################################
+# Trivy allowed vulnerabilities list
+
+# Example allowed vulnerabilities file setup
+#
+# keystone_allowed_vulnerabilities:
+#   - CVE-2022-2447
+#
+# barbican-api_allowed_vulnerabilities:
+#   - CVE-2023-31047
+
+global_allowed_vulnerabilities:
+  - CVE-2024-36039
+
+###############################################################################
+# Dummy variable to allow Ansible to accept this file.
+workaround_ansible_issue_8743: yes
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
@@ -34,12 +34,25 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
 # generate a csv summary
 for image in $images; do
   filename=$(basename $image | sed 's/:/\./g')
+  imagename=$(echo $filename | cut -d "." -f 1)
+  global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+  image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+  rc=$?
+  touch .trivyignore
+  for vulnerability in $global_vulnerabilities; do
+    echo $vulnerability >> .trivyignore
+  done
+  for vulnerability in $image_vulnerabilities; do
+    if [ $rc -eq 0 ]; then
+        echo $vulnerability >> .trivyignore
+    fi
+  done
   if $(trivy image \
           --quiet \
           --exit-code 1 \
           --scanners vuln \
           --format json \
-          --severity HIGH,CRITICAL \
+          --severity CRITICAL \
           --output image-scan-output/${filename}.json \
           --ignore-unfixed \
           $image); then
@@ -76,4 +89,5 @@ for image in $images; do
             | .[] 
             | @csv' image-scan-output/${filename}.json >> image-scan-output/${filename}.summary.csv
   fi
+  rm .trivyignore
 done
