From 571473788086be23836ce6d8b05ceed68d445bff Mon Sep 17 00:00:00 2001
From: Jake Hutchinson
Date: Thu, 14 Mar 2024 12:33:06 +0000
Subject: [PATCH 1/3] Support allow lists in Trivy
---
.../stackhpc-container-image-build.yml | 4 ++++
etc/kayobe/trivy/allowed-vulnerabilities.yml | 18 ++++++++++++++++++
tools/scan-images.sh | 14 ++++++++++++++
3 files changed, 36 insertions(+)
create mode 100644 etc/kayobe/trivy/allowed-vulnerabilities.yml
diff --git a/.github/workflows/stackhpc-container-image-build.yml b/.github/workflows/stackhpc-container-image-build.yml
index 5ff351a63..8e79d73ea 100644
--- a/.github/workflows/stackhpc-container-image-build.yml
+++ b/.github/workflows/stackhpc-container-image-build.yml
@@ -136,6 +136,10 @@ jobs:
 run: |
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.49.0
+ - name: Install yq
+ run: |
+ curl -sL https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz | tar xz && sudo mv yq_linux_amd64 /usr/bin/yq
+
 - name: Install Kayobe
 run: |
 mkdir -p venvs &&
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
new file mode 100644
index 000000000..1f0cad2f8
--- /dev/null
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -0,0 +1,18 @@
+---
+###############################################################################
+# Trivy allowed vulnerabilities list
+ # Example allowed vulnerabilities file setup
+ #
+ # keystone_allowed_vulnerabilities:
+ # - CVE-2022-2447
+ #
+ # barbican-api_allowed_vulnerabilities:
+ # - CVE-2023-31047
+ global_allowed_vulnerabilities:
+ - CVE-2024-36039
+ ###############################################################################
+ # Dummy variable to allow Ansible to accept this file.
+ workaround_ansible_issue_8743: yes
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
index 74223ad90..805b6b313 100755
--- a/tools/scan-images.sh
+++ b/tools/scan-images.sh
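Review bot: The new `Install yq` step fetches a release tarball from the network and installs it with no integrity check, and its `curl -sL` lacks `-f`, so an HTTP error body would be fed to `tar` instead of failing the step (the trivy installer two lines above at least uses `-sfL`). Pinning the tag `v4.42.1` does not protect against a replaced asset; the release's published checksum should be verified before the binary is moved into `/usr/bin`. Something like `curl -sfL -o yq.tar.gz https://github.com/mikefarah/yq/releases/download/v4.42.1/yq_linux_amd64.tar.gz`, `echo "<EXPECTED_SHA256>  yq.tar.gz" | sha256sum -c -` and `tar xzf yq.tar.gz yq_linux_amd64 && sudo mv yq_linux_amd64 /usr/bin/yq` keeps the version pin, fails closed on a bad download, and extracts only the member that is actually used, with the digest recorded next to the version.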
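Review bot: The live entry `- CVE-2024-36039` under `global_allowed_vulnerabilities` carries no record of why it is accepted or when the acceptance should be revisited, and because this key suppresses a finding in every scanned image, unexplained entries are the ones most likely to outlive their justification. A per-entry comment such as `# CVE-2024-36039: <reason / link to assessment>; re-evaluate by <date>` next to each ID would make the suppression auditable in review. The header would also benefit from one sentence stating that per-image keys take the form `<image_name>_allowed_vulnerabilities` and that the image name is derived from the tag-stripped image name by tools/scan-images.sh, so operators know which key a given image will look up.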
@@ -34,6 +34,19 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
 # generate a csv summary
 for image in $images; do
 filename=$(basename $image | sed 's/:/\./g')
+ imagename=$(echo $filename | cut -d "." -f 1)
+ global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+ image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
+ rc=$?
+ touch .trivyignore
+ for vulnerability in $global_vulnerabilities; do
+ echo $vulnerability >> .trivyignore
+ done
+ for vulnerability in $image_vulnerabilities; do
+ if [ $rc -eq 0 ]; then
+ echo $vulnerability >> .trivyignore
+ fi
+ done
 if $(trivy image \
 --quiet \
 --exit-code 1 \
@@ -76,4 +89,5 @@ for image in $images; do
 | .[] | @csv' image-scan-output/$(unknown).json >> image-scan-output/$(unknown).summary.csv
 fi
+ rm .trivyignore
 done
From f65f55bc5c9322698be195860f2e984800b8229c Mon Sep 17 00:00:00 2001
From: Jake Hutchinson
Date: Mon, 10 Jun 2024 15:44:24 +0100
Subject: [PATCH 2/3] Various Trivy whitelist fixes
Substitute underscore in imagename for consistent formatting in whitelists file and remove unnecessary return code checking
---
etc/kayobe/trivy/allowed-vulnerabilities.yml | 2 +-
tools/scan-images.sh | 7 ++-----
2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
index 1f0cad2f8..dc9abe1a3 100644
--- a/etc/kayobe/trivy/allowed-vulnerabilities.yml
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
@@ -7,7 +7,7 @@
 # keystone_allowed_vulnerabilities:
 # - CVE-2022-2447
 #
-# barbican-api_allowed_vulnerabilities:
+# barbican_api_allowed_vulnerabilities:
 # - CVE-2023-31047
 global_allowed_vulnerabilities:
diff --git a/tools/scan-images.sh b/tools/scan-images.sh
index 805b6b313..b8cde6ede 100755
--- a/tools/scan-images.sh
+++ b/tools/scan-images.sh
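Review bot: The ignore list is built with `touch .trivyignore` followed by appends, and it is removed only by the `rm .trivyignore` added at the bottom of the loop body in the second hunk, so any iteration that leaves the body early, or a `.trivyignore` already present in the working directory before the run, carries one image's allowed CVEs into the scan of the next image. Starting each iteration from an empty file, `: > .trivyignore`, closes that gap; a per-image `ignorefile=$(mktemp)` passed as `trivy image --ignorefile "$ignorefile"` would additionally stop relying on Trivy's implicit pickup of `.trivyignore` from the current directory. The per-image lookup splices `$imagename` directly into the yq expression; passing it as data, `imagename="$imagename" yq '.[strenv(imagename) + "_allowed_vulnerabilities"][]' <file>`, avoids yq reinterpreting characters of the image name as operators. The `rc=$?` on the following line only reflects the `image_vulnerabilities` assignment, so a failing global lookup is never observed. The enclosing `for image` loop body continues outside the hunk.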
@@ -34,18 +34,15 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
 # generate a csv summary
 for image in $images; do
 filename=$(basename $image | sed 's/:/\./g')
- imagename=$(echo $filename | cut -d "." -f 1)
+ imagename=$(echo $filename | cut -d "." -f 1 | sed 's/-/_/g')
 global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
 image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
- rc=$?
 touch .trivyignore
 for vulnerability in $global_vulnerabilities; do
 echo $vulnerability >> .trivyignore
 done
 for vulnerability in $image_vulnerabilities; do
- if [ $rc -eq 0 ]; then
- echo $vulnerability >> .trivyignore
- fi
+ echo $vulnerability >> .trivyignore
 done
 if $(trivy image \
 --quiet \
From 8ed7e8a639a219ba1d5a359bb48d9c7f607710b7 Mon Sep 17 00:00:00 2001
From: Jake Hutchinson
Date: Thu, 27 Jun 2024 13:45:37 +0100
Subject: [PATCH 3/3] Remove CVE-2024-36039 from whitelist
Remove CVE-2024-36039 from the Trivy whitelist and move to the example file setup to illustrate the global_allowed_vulnerabilities variable can be used to whitelist vulnerabilities in all images.
---
etc/kayobe/trivy/allowed-vulnerabilities.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/etc/kayobe/trivy/allowed-vulnerabilities.yml b/etc/kayobe/trivy/allowed-vulnerabilities.yml
index dc9abe1a3..d2e490a74 100644
--- a/etc/kayobe/trivy/allowed-vulnerabilities.yml
+++ b/etc/kayobe/trivy/allowed-vulnerabilities.yml
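Review bot: The lookup key is still derived by `cut -d "." -f 1` from a name in which `:` has already been rewritten to `.`, so an image whose repository name itself contains a dot is truncated before `_allowed_vulnerabilities` is appended and its per-image list is silently never applied; the new `sed 's/-/_/g'` does not change that. Stripping the tag directly avoids the ambiguity: `imagename=$(basename "$image")`, `imagename=${imagename%%:*}`, `imagename=${imagename//-/_}`. With `rc=$?` removed nothing observes the outcome of the yq call, so a malformed allow-list file degrades to an empty image list rather than a visible error unless `set -e` is in force, which is decided outside the hunk. The `for image` loop body continues beyond the hunk.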
@@ -4,15 +4,15 @@
 # Example allowed vulnerabilities file setup
 #
+# global_allowed_vulnerabilities:
+# - CVE-2024-36039
+#
 # keystone_allowed_vulnerabilities:
 # - CVE-2022-2447
 #
 # barbican_api_allowed_vulnerabilities:
 # - CVE-2023-31047
-global_allowed_vulnerabilities:
- - CVE-2024-36039
-
 ###############################################################################
 # Dummy variable to allow Ansible to accept this file.
 workaround_ansible_issue_8743: yes
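Review bot: After this change `global_allowed_vulnerabilities` survives only as a commented example, yet tools/scan-images.sh (earlier in this series) still runs `yq .global_allowed_vulnerabilities[]` against this file for every image, so the script now depends on how yq handles a missing key rather than on a defined value. Keeping an explicit empty list, `global_allowed_vulnerabilities: []`, next to the commented example gives that lookup a deterministic result and shows operators the intended default. The example block could also model the per-entry justification comment that every real suppression should carry, e.g. `# - CVE-2024-36039  # <reason / link to assessment>; re-evaluate by <date>`.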