Merge branch 'main_datarobot' into update_0.57.0

datarobot · Nov 14, 2024 · 352c20b · 352c20b
2 parents bdfcc19 + d4590db
commit 352c20b
Show file tree

Hide file tree

Showing 7 changed files with 254 additions and 11 deletions.
diff --git a/DATAROBOT_RELEASE.md b/DATAROBOT_RELEASE.md
@@ -0,0 +1,53 @@
+## How to release our fork
+
+It uses goreleaser: https://goreleaser.com/customization/release/#github
+
+What you need to release?
+
+`GITHUB_TOKEN` set to a GitHub API token that has release permissions
+
+Logged into Docker Hub with a user that has permission to write images to datarobotdev/trivy
+
+Make a tag that represents the version we are "forking".
+
+I typically pick the latest release from the upstream, for example v0.48.3
+
+I would do
+
+```
+git checkout v0.48.3
+git checkout -b u/v0.48.3
+git checkout main_datarobot
+git rebase u/v0.48.3
+git push -f
+git tag v0.48.3-dr1
+git push origin v0.48.3-dr1
+```
+then I'm ready to run the releaser that will build and push everything
+
+To try out the release and make sure it should work:
+
+https://goreleaser.com/quick-start/?h=dry+run#dry-run
+
+
+```
+goreleaser -f goreleaser-datarobot.yml build --clean
+```
+
+Make sure that works then:
+
+```
+goreleaser -f goreleaser-datarobot.yml release --clean
+
+```
+
+You probably will have some docker error:
+
+```
+docker context use default
+```
+should fix it, then run again
+
+
+To update the drone-trivy plugin, just run the main branch build from the harness ui.
+It is built from the latest tag of our forked trivy repo
diff --git a/contrib/csv.tpl b/contrib/csv.tpl
@@ -0,0 +1,8 @@
+VulnerabilityID,Severity,PackageName,InstalledVersion,FixedVersion,PackagePath,Target
+{{- range . }}
+{{- $target := .Target -}}
+{{- if (gt (len .Vulnerabilities) 0) }}
+{{- range .Vulnerabilities }}
+"{{- .VulnerabilityID | replace "\"" "\"\"" }}","{{- .Vulnerability.Severity | replace "\"" "\"\"" }}","{{- .PkgName | replace "\"" "\"\""}}","{{- .InstalledVersion | replace "\"" "\"\"" }}","{{- .FixedVersion | replace "\"" "\"\"" }}","{{- .PkgPath | replace "\"" "\"\"" }}","{{- $target | replace "\"" "\"\"" }}",{{- end }}
+{{- end -}}
+{{- end }}
diff --git a/contrib/html.tpl b/contrib/html.tpl
@@ -25,6 +25,9 @@
       table {
         margin: 0 auto;
       }
+      .pkg-path {
+        white-space: normal;
+      }
       .severity {
         text-align: center;
         font-weight: bold;
@@ -52,7 +55,7 @@
       }
       a.toggle-more-links { cursor: pointer; }
     </style>
-    <title>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }} </title>
+    <title>Trivy Report - {{ now }}</title>
     <script>
       window.onload = function() {
         document.querySelectorAll('td.links').forEach(function(linkCell) {
@@ -82,19 +85,22 @@
     </script>
   </head>
   <body>
-    <h1>{{- escapeXML ( index . 0 ).Target }} - Trivy Report - {{ now }}</h1>
+    <h1>Trivy Report - {{ now }}</h1>
     <table>
     {{- range . }}
-      <tr class="group-header"><th colspan="6">{{ .Type | toString | escapeXML }}</th></tr>
+    <tr class="group-header">
+      <th colspan="7">Target: {{ escapeXML .Target }} &mdash;</th>
+    </tr>
       {{- if (eq (len .Vulnerabilities) 0) }}
-      <tr><th colspan="6">No Vulnerabilities found</th></tr>
+      <tr><th colspan="7">No Vulnerabilities found</th></tr>
       {{- else }}
       <tr class="sub-header">
         <th>Package</th>
         <th>Vulnerability ID</th>
         <th>Severity</th>
         <th>Installed Version</th>
         <th>Fixed Version</th>
+        <th>Package Path</th>
         <th>Links</th>
       </tr>
         {{- range .Vulnerabilities }}
@@ -104,6 +110,7 @@
         <td class="severity">{{ escapeXML .Vulnerability.Severity }}</td>
         <td class="pkg-version">{{ escapeXML .InstalledVersion }}</td>
         <td>{{ escapeXML .FixedVersion }}</td>
+        <td class="pkg-path">{{ escapeXML .PkgPath }}</td>
         <td class="links" data-more-links="off">
           {{- range .Vulnerability.References }}
           <a href={{ escapeXML . | printf "%q" }}>{{ escapeXML . }}</a>
@@ -113,7 +120,7 @@
         {{- end }}
       {{- end }}
       {{- if (eq (len .Misconfigurations ) 0) }}
-      <tr><th colspan="6">No Misconfigurations found</th></tr>
+      <tr><th colspan="7">No Misconfigurations found</th></tr>
       {{- else }}
       <tr class="sub-header">
         <th>Type</th>
@@ -137,6 +144,28 @@
       </tr>
         {{- end }}
       {{- end }}
+      {{- if (eq (len .Secrets ) 0) }}
+      <tr><th colspan="6">No Secrets found</th></tr>
+      {{- else }}
+      <tr class="sub-header">
+        <th>Category</th>
+        <th>Rule ID</th>
+        <th>Check</th>
+        <th>Severity</th>
+        <th>Match</th>
+      </tr>
+        {{- range .Secrets }}
+      <tr class="severity-{{ escapeXML .Severity }}">
+        <td class="secrets-category">{{ .Category }}</td>
+        <td>{{ escapeXML .RuleID }}</td>
+        <td class="secrets-check">{{ escapeXML .Title }}</td>
+        <td class="severity">{{ escapeXML .Severity }}</td>
+        <td style="overflow-wrap: anywhere; white-space:normal;">
+          {{ escapeXML .Match }}
+        </td>
+      </tr>
+        {{- end }}
+      {{- end }}
     {{- end }}
     </table>
 {{- else }}

diff --git a/contrib/junit.tpl b/contrib/junit.tpl
@@ -2,15 +2,19 @@
 <testsuites name="trivy">
 {{- range . -}}
 {{- $failures := len .Vulnerabilities }}
-    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{ .Target }}" errors="0" skipped="0" time="">
     {{- if not (eq .Type "") }}
         <properties>
             <property name="type" value="{{ .Type }}"></property>
         </properties>
         {{- end -}}
         {{ range .Vulnerabilities }}
-        <testcase classname="{{ .PkgName }}-{{ .InstalledVersion }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
-            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Description }}</failure>
+        <testcase classname="{{ .PkgName | replace "/" "." }}-{{ .InstalledVersion }}" file="{{ .PkgName }}" name="[{{ .Vulnerability.Severity }}] {{ .VulnerabilityID }}" time="">
+          <failure message="{{ escapeXML .Title }}" type="description">
+            Severity: {{ .Severity }}
+            Package Path (if available): {{ .PkgPath }}
+            Description: {{ escapeXML .Description }}
+          </failure>
         </testcase>
     {{- end }}
     </testsuite>
@@ -44,5 +48,19 @@
     </testsuite>
 {{- end }}
 
+{{- $failures := len .Secrets }}
+    <testsuite tests="{{ $failures }}" failures="{{ $failures }}" name="{{  .Target }}" errors="0" skipped="0" time="">
+    {{- if not (eq .Type "") }}
+        <properties>
+            <property name="type" value="{{ .Type }}"></property>
+        </properties>
+        {{- end -}}
+        {{ $Path := .Target }}
+        {{ range .Secrets }}
+        <testcase file="{{ escapeXML $Path }}" classname="{{ .Category }}" name="[{{ .Severity }}] {{ .RuleID }}" time="">
+            <failure message="{{ escapeXML .Title }}" type="description">{{ escapeXML .Match }}</failure>
+        </testcase>
+    {{- end }}
+    </testsuite>
 {{- end }}
 </testsuites>
diff --git a/goreleaser-datarobot.yml b/goreleaser-datarobot.yml
@@ -0,0 +1,90 @@
+project_name: trivy
+builds:
+  - id: build-linux
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+    goarch:
+      - 386
+      - arm
+      - amd64
+      - arm64
+    goarm:
+      - 7
+  - id: build-macos
+    main: cmd/trivy/main.go
+    binary: trivy
+    ldflags:
+      - -s -w
+      - "-extldflags '-static'"
+      - -X github.com/aquasecurity/trivy/pkg/version.ver={{.Version}}
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    goarm:
+      - 7
+
+dockers:
+  - image_templates:
+      - "docker.io/datarobotdev/trivy:{{ .Version }}-amd64"
+      - "docker.io/datarobotdev/trivy:latest-amd64"
+    use: buildx
+    goos: linux
+    goarch: amd64
+    ids:
+      - build-linux
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--platform=linux/amd64"
+    extra_files:
+    - contrib/
+  - image_templates:
+      - "docker.io/datarobotdev/trivy:{{ .Version }}-arm64"
+      - "docker.io/datarobotdev/trivy:latest-arm64"
+    use: buildx
+    goos: linux
+    goarch: arm64
+    ids:
+      - build-linux
+    build_flag_templates:
+      - "--label=org.opencontainers.image.title={{ .ProjectName }}"
+      - "--label=org.opencontainers.image.description=A Fast Vulnerability Scanner for Containers"
+      - "--label=org.opencontainers.image.vendor=Aqua Security"
+      - "--label=org.opencontainers.image.version={{ .Version }}"
+      - "--label=org.opencontainers.image.created={{ .Date }}"
+      - "--label=org.opencontainers.image.source=https://github.com/aquasecurity/trivy"
+      - "--label=org.opencontainers.image.revision={{ .FullCommit }}"
+      - "--label=org.opencontainers.image.url=https://www.aquasec.com/products/trivy/"
+      - "--label=org.opencontainers.image.documentation=https://aquasecurity.github.io/trivy/v{{ .Version }}/"
+      - "--platform=linux/arm64"
+    extra_files:
+    - contrib/
+
+docker_manifests:
+  - name_template: 'datarobotdev/trivy:{{ .Version }}'
+    image_templates:
+    - 'datarobotdev/trivy:{{ .Version }}-amd64'
+    - 'datarobotdev/trivy:{{ .Version }}-arm64'
+  - name_template: 'datarobotdev/trivy:latest'
+    image_templates:
+    - 'datarobotdev/trivy:{{ .Version }}-amd64'
+    - 'datarobotdev/trivy:{{ .Version }}-arm64'
diff --git a/pkg/flag/report_flags.go b/pkg/flag/report_flags.go
@@ -68,7 +68,7 @@ var (
 	IgnorePolicyFlag = Flag[string]{
 		Name:       "ignore-policy",
 		ConfigName: "ignore-policy",
-		Usage:      "specify the Rego file path to evaluate each vulnerability",
+		Usage:      "specify the Rego file path (or dir path with Rego files) to evaluate each vulnerability",
 	}
 	ExitCodeFlag = Flag[int]{
 		Name:       "exit-code",

diff --git a/pkg/result/filter.go b/pkg/result/filter.go
@@ -3,16 +3,19 @@ package result
 import (
 	"context"
 	"fmt"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"slices"
 	"sort"
 
+	"github.com/open-policy-agent/opa/bundle"
 	"github.com/open-policy-agent/opa/rego"
 	"github.com/samber/lo"
 	"golang.org/x/xerrors"
 
 	dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
+	"github.com/aquasecurity/trivy/pkg/log"
 	"github.com/aquasecurity/trivy/pkg/types"
 	"github.com/aquasecurity/trivy/pkg/vex"
 )
@@ -70,8 +73,19 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	filterLicenses(result, severities, opt.IgnoreLicenses, ignoreConf)
 
 	if opt.PolicyFile != "" {
-		if err := applyPolicy(ctx, result, opt.PolicyFile); err != nil {
-			return xerrors.Errorf("failed to apply the policy: %w", err)
+		log.Debugf("Filtering result with ignore policies, type: %s, path: %s", result.Type, result.Target)
+
+		// Get ignore policy files from the input path (either file or files in dir)
+		policyFiles, err := findPolicyFiles(opt.PolicyFile)
+		if err != nil {
+			return err
+		}
+
+		for _, policyFile := range policyFiles {
+			log.Debugf("Applying ignore policy: %s", policyFile)
+			if err := applyPolicy(ctx, result, policyFile); err != nil {
+				return xerrors.Errorf("failed to apply ignore policy %s: %w", policyFile, err)
+			}
 		}
 	}
 	sort.Sort(types.BySeverity(result.Vulnerabilities))
@@ -212,6 +226,37 @@ func summarize(status types.MisconfStatus, summary *types.MisconfSummary) {
 	}
 }
 
+func findPolicyFiles(policiesPath string) ([]string, error) {
+	var files []string
+	fi, err := os.Stat(policiesPath)
+	if err != nil {
+		return nil, xerrors.Errorf("failed to analyze ignore policy %q: %w", policiesPath, err)
+	}
+	// If the ignore policy option is a dir find and apply rego files in it
+	if fi.IsDir() {
+		err := filepath.WalkDir(policiesPath, func(path string, d fs.DirEntry, err error) error {
+			if err != nil {
+				return err
+			}
+			if !d.IsDir() && filepath.Ext(path) == bundle.RegoExt {
+				files = append(files, path)
+			}
+			return nil
+		})
+		if err != nil {
+			return nil, xerrors.Errorf("failed to find policy files in %q: %w", policiesPath, err)
+		}
+
+		if len(files) == 0 {
+			log.Warnf("No ignore policies found in %q", policiesPath)
+		}
+	} else {
+		files = append(files, policiesPath)
+	}
+
+	return files, nil
+}
+
 func applyPolicy(ctx context.Context, result *types.Result, policyFile string) error {
 	policy, err := os.ReadFile(policyFile)
 	if err != nil {