From cff3e9a7f62c41dd51975266d0ae235709e39c41 Mon Sep 17 00:00:00 2001
From: simar7 <1254783+simar7@users.noreply.github.com>
Date: Wed, 1 Feb 2023 16:40:29 -0800
Subject: [PATCH] feat(trivy): Bump Trivy to v0.37.1 (#199)
Signed-off-by: Simar
---
 .github/workflows/build.yaml | 2 +-
 Dockerfile | 2 +-
 test/data/config-sarif.test | 56 +++++++++++++++++++++++++++++++++++-
 test/data/config.test | 30 +++++++++++++++++--
 test/data/fs-scheck.test | 30 +++++++++++++++++--
 test/data/image-sarif.test | 2 +-
 6 files changed, 114 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 2e54c72..4218861 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -1,7 +1,7 @@
 name: "build"
 on: [push, pull_request]
 env:
- TRIVY_VERSION: 0.34.0
+ TRIVY_VERSION: 0.37.1
 BATS_LIB_PATH: '/usr/lib/'
 jobs:
 build:
diff --git a/Dockerfile b/Dockerfile
index 9e0d609..194cb65 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/aquasecurity/trivy:0.34.0
+FROM ghcr.io/aquasecurity/trivy:0.37.1
 COPY entrypoint.sh /
 RUN apk --no-cache add bash curl npm
 RUN chmod +x /entrypoint.sh
diff --git a/test/data/config-sarif.test b/test/data/config-sarif.test
index 2dc4fad..62aa67b 100644
--- a/test/data/config-sarif.test
+++ b/test/data/config-sarif.test
@@ -35,9 +35,36 @@
 "HIGH"
 ]
 }
+ },
+ {
+ "id": "DS026",
+ "name": "Misconfiguration",
+ "shortDescription": {
+ "text": "No HEALTHCHECK defined"
+ },
+ "fullDescription": {
+ "text": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+ },
+ "defaultConfiguration": {
+ "level": "note"
+ },
+ "helpUri": "https://avd.aquasec.com/misconfig/ds026",
+ "help": {
+ "text": "Misconfiguration DS026\nType: Dockerfile Security Check\nSeverity: LOW\nCheck: No HEALTHCHECK defined\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+ "markdown": "**Misconfiguration DS026**\n| Type | Severity | Check | Message | Link |\n| --- | --- | --- | --- | --- |\n|Dockerfile Security Check|LOW|No HEALTHCHECK defined|Add HEALTHCHECK instruction in your Dockerfile|[DS026](https://avd.aquasec.com/misconfig/ds026)|\n\nYou shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers."
+ },
+ "properties": {
+ "precision": "very-high",
+ "security-severity": "2.0",
+ "tags": [
+ "misconfiguration",
+ "security",
+ "LOW"
+ ]
+ }
 }
 ],
- "version": "0.34.0"
+ "version": "0.37.1"
 }
 },
 "results": [
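Review bot: The expected Trivy version is now hard-coded in four places — `TRIVY_VERSION` in build.yaml, the `FROM` tag in the Dockerfile, and the `"version"` field of this fixture and of test/data/image-sarif.test — so every bump has to touch all of them, and a fixture that is missed only shows up as a confusing test failure. If the bats tests compare these fixtures byte-for-byte, consider having the test substitute `$TRIVY_VERSION` into the expected output (or drop `tool.driver.version` from both sides before comparing) so the version is declared once in the workflow env. The `"version"` line sits in a `driver` object whose opening is outside this hunk.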
@@ -67,6 +94,33 @@
 }
 }
 ]
+ },
+ {
+ "ruleId": "DS026",
+ "ruleIndex": 1,
+ "level": "note",
+ "message": {
+ "text": "Artifact: Dockerfile\nType: dockerfile\nVulnerability DS026\nSeverity: LOW\nMessage: Add HEALTHCHECK instruction in your Dockerfile\nLink: [DS026](https://avd.aquasec.com/misconfig/ds026)"
+ },
+ "locations": [
+ {
+ "physicalLocation": {
+ "artifactLocation": {
+ "uri": "Dockerfile",
+ "uriBaseId": "ROOTPATH"
+ },
+ "region": {
+ "startLine": 1,
+ "startColumn": 1,
+ "endLine": 1,
+ "endColumn": 1
+ }
+ },
+ "message": {
+ "text": "Dockerfile"
+ }
+ }
+ ]
 }
 ],
 "columnKind": "utf16CodeUnits",
diff --git a/test/data/config.test b/test/data/config.test
index d75ec79..a245130 100644
--- a/test/data/config.test
+++ b/test/data/config.test
@@ -20,8 +20,8 @@
 "Class": "config",
 "Type": "dockerfile",
 "MisconfSummary": {
- "Successes": 21,
- "Failures": 1,
+ "Successes": 22,
+ "Failures": 2,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -50,6 +50,32 @@
 "Lines": null
 }
 }
+ },
+ {
+ "Type": "Dockerfile Security Check",
+ "ID": "DS026",
+ "AVDID": "AVD-DS-0026",
+ "Title": "No HEALTHCHECK defined",
+ "Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+ "Message": "Add HEALTHCHECK instruction in your Dockerfile",
+ "Namespace": "builtin.dockerfile.DS026",
+ "Query": "data.builtin.dockerfile.DS026.deny",
+ "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
+ "Severity": "LOW",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
+ "References": [
+ "https://blog.aquasec.com/docker-security-best-practices",
+ "https://avd.aquasec.com/misconfig/ds026"
+ ],
+ "Status": "FAIL",
+ "Layer": {},
+ "CauseMetadata": {
+ "Provider": "Dockerfile",
+ "Service": "general",
+ "Code": {
+ "Lines": null
+ }
+ }
 }
 ]
 }
diff --git a/test/data/fs-scheck.test b/test/data/fs-scheck.test
index d75ec79..a245130 100644
--- a/test/data/fs-scheck.test
+++ b/test/data/fs-scheck.test
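Review bot: test/data/config.test and test/data/fs-scheck.test are byte-identical both before and after this change (both `index` lines name the same blobs, `d75ec79..a245130`), so the DS026 entry and the `Successes`/`Failures` counts had to be pasted into both and the two copies will drift apart on the next manual edit. Unless the config and fs scans are expected to diverge, point both bats cases at one fixture, or generate one file from the other, so a future Trivy bump changes a single expected output. The `Misconfigurations` array this entry extends opens before the hunk.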
@@ -20,8 +20,8 @@
 "Class": "config",
 "Type": "dockerfile",
 "MisconfSummary": {
- "Successes": 21,
- "Failures": 1,
+ "Successes": 22,
+ "Failures": 2,
 "Exceptions": 0
 },
 "Misconfigurations": [
@@ -50,6 +50,32 @@
 "Lines": null
 }
 }
+ },
+ {
+ "Type": "Dockerfile Security Check",
+ "ID": "DS026",
+ "AVDID": "AVD-DS-0026",
+ "Title": "No HEALTHCHECK defined",
+ "Description": "You shoud add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+ "Message": "Add HEALTHCHECK instruction in your Dockerfile",
+ "Namespace": "builtin.dockerfile.DS026",
+ "Query": "data.builtin.dockerfile.DS026.deny",
+ "Resolution": "Add HEALTHCHECK instruction in Dockerfile",
+ "Severity": "LOW",
+ "PrimaryURL": "https://avd.aquasec.com/misconfig/ds026",
+ "References": [
+ "https://blog.aquasec.com/docker-security-best-practices",
+ "https://avd.aquasec.com/misconfig/ds026"
+ ],
+ "Status": "FAIL",
+ "Layer": {},
+ "CauseMetadata": {
+ "Provider": "Dockerfile",
+ "Service": "general",
+ "Code": {
+ "Lines": null
+ }
+ }
 }
 ]
 }
diff --git a/test/data/image-sarif.test b/test/data/image-sarif.test
index ae8439c..ae71dee 100644
--- a/test/data/image-sarif.test
+++ b/test/data/image-sarif.test
@@ -37,7 +37,7 @@
 }
 }
 ],
- "version": "0.34.0"
+ "version": "0.37.1"
 }
 },
 "results": [