#892: Filtered out Linux Kernel related CVE's (#420)

related to exasol/script-languages-release#892 also removed old (outdated) CVE's from ignore list
exasol · Jun 3, 2024 · 63c1418 · 63c1418
1 parent 6cb3231
commit 63c1418
Show file tree

Hide file tree

Showing 10 changed files with 37 additions and 132 deletions.
diff --git a/ext/scripts/security_scan/run_trivy.sh b/ext/scripts/security_scan/run_trivy.sh
@@ -9,8 +9,8 @@ fi
 
 output_path=$1
 
-trivy rootfs --no-progress --offline-scan --format json --output "$output_path/trivy_report.json" / > /dev/null
+trivy rootfs --no-progress --offline-scan --format json --ignore-policy /trivy.rego --output "$output_path/trivy_report.json" / > /dev/null
 #run with format table and print to stdout
-trivy rootfs --no-progress --offline-scan --format table --output "$output_path/trivy_report.txt" / > /dev/null
+trivy rootfs --no-progress --offline-scan --format table --ignore-policy /trivy.rego --output "$output_path/trivy_report.txt" / > /dev/null
 #Force script to return with error if a high or critical issue is found
-trivy rootfs --no-progress --offline-scan --severity "HIGH,CRITICAL" --exit-code 1 /
+trivy rootfs --no-progress --offline-scan --ignore-policy /trivy.rego --show-suppressed --severity "HIGH,CRITICAL" --exit-code 1 /
diff --git a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/.trivyignore b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/.trivyignore
@@ -1,41 +0,0 @@
-#bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
-#The following CVEs affect kernel, no issue for container
-CVE-2022-0847
-CVE-2022-0001
-CVE-2022-0002
-CVE-2022-1015
-CVE-2022-23960
-CVE-2022-25636
-CVE-2022-43945
-CVE-2023-3611
-CVE-2023-3776
-CVE-2023-3609
-CVE-2023-4622
-CVE-2023-4623
-CVE-2023-4921
-CVE-2024-26583
-CVE-2024-26828
-CVE-2024-26865
-CVE-2024-26585
-CVE-2023-52433
-CVE-2024-26642
-CVE-2024-26643
-CVE-2024-26800
-CVE-2024-26921
-CVE-2024-26923
-CVE-2024-26924
-CVE-2024-26925
-CVE-2024-27397
-# CVE-2023-20569 does not have a fix and is a problem of host system (amd cpus)
-CVE-2023-20569 
-#CVE-2022-23648 is a bug in containerd, not issue for containers
-CVE-2022-23648
-#issue in cgroups, but no threat for ScriptLanguageContainer
-CVE-2022-0492
-# CVE-2022-27191 is an issue in Go. Which will be installed only together with Trivy.
-CVE-2022-27191
-# CVE-2022-23960 affects only ARM architectures
-CVE-2022-23960
-# We ignore CVE-2023-38325, because cryptography 41.0.3 is currently not available on conda, https://github.com/conda-forge/cryptography-feedstock/issues/122
-CVE-2023-38325

diff --git a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/Dockerfile b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/Dockerfile
@@ -10,5 +10,6 @@ RUN /scripts/install_scripts/install_via_apt.pl --file /build_info/packages/secu
 
 ENV SECURITY_SCANNERS="trivy"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy.rego /trivy.rego
 
 ENTRYPOINT ["/scripts/security_scan/run.sh"]
diff --git a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/trivy.rego b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/trivy.rego
@@ -0,0 +1,10 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore {
+        input.PkgName == "linux-libc-dev"
+        regex.match("^kernel:", input.Title)
+}
diff --git a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/.trivyignore b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/.trivyignore
@@ -1,41 +1 @@
-#bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
-#The following CVEs affect kernel, no issue for container
-CVE-2022-0847
-CVE-2022-0001
-CVE-2022-0002
-CVE-2022-1015
-CVE-2022-23960
-CVE-2022-25636
-CVE-2022-43945
-CVE-2023-3611
-CVE-2023-3776
-CVE-2023-3609
-CVE-2023-4622
-CVE-2023-4623
-CVE-2023-4921
-CVE-2024-26583
-CVE-2024-26828
-CVE-2024-26865
-CVE-2024-26585
-CVE-2023-52433
-CVE-2024-26642
-CVE-2024-26643
-CVE-2024-26800
-CVE-2024-26921
-CVE-2024-26923
-CVE-2024-26924
-CVE-2024-26925
-CVE-2024-27397
-# CVE-2023-20569 does not have a fix and is a problem of host system (amd cpus)
-CVE-2023-20569 
-#CVE-2022-23648 is a bug in containerd, not issue for containers
-CVE-2022-23648
-#issue in cgroups, but no threat for ScriptLanguageContainer
-CVE-2022-0492
-# CVE-2022-27191 is an issue in Go. Which will be installed only together with Trivy.
-CVE-2022-27191
-# CVE-2022-23960 affects only ARM architectures
-CVE-2022-23960
-# We ignore CVE-2023-38325, because cryptography 41.0.3 is currently not available on conda, https://github.com/conda-forge/cryptography-feedstock/issues/122
-CVE-2023-38325
+
diff --git a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/Dockerfile b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/Dockerfile
@@ -10,5 +10,6 @@ RUN /scripts/install_scripts/install_via_apt.pl --file /build_info/packages/secu
 
 ENV SECURITY_SCANNERS="trivy"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy.rego /trivy.rego
 
 ENTRYPOINT ["/scripts/security_scan/run.sh"]
diff --git a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/trivy.rego b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/trivy.rego
@@ -0,0 +1,10 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore {
+        input.PkgName == "linux-libc-dev"
+        regex.match("^kernel:", input.Title)
+}
diff --git a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/.trivyignore b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/.trivyignore
@@ -1,47 +0,0 @@
-#the following CVE's affect kernel, no issue for container
-CVE-2022-0847
-CVE-2022-0001
-CVE-2022-0002
-CVE-2022-1015
-CVE-2022-23960
-CVE-2022-25636
-CVE-2022-1116
-CVE-2022-29581
-CVE-2022-21499
-CVE-2022-43945
-CVE-2023-3090
-CVE-2023-3389
-CVE-2023-3390 
-CVE-2023-3611
-CVE-2023-3776
-CVE-2023-3609
-CVE-2023-4622
-CVE-2023-4623
-CVE-2023-4921
-CVE-2023-6176
-CVE-2024-0646
-CVE-2024-1085
-CVE-2024-1086
-CVE-2024-26597
-CVE-2024-26828
-CVE-2024-26865
-CVE-2024-26585
-CVE-2023-52433
-CVE-2024-26642
-CVE-2024-26643
-CVE-2024-26800
-CVE-2024-26921
-CVE-2024-26923
-CVE-2024-26924
-CVE-2024-26925
-CVE-2024-27397
-# CVE-2023-20569 does not have a fix and is a problem of host system (amd cpus)
-CVE-2023-20569 
-#CVE-2022-23648 is a bug in containerd, not issue for containers
-CVE-2022-23648
-#issue in cgroups, but no threat for ScriptLanguageContainer
-CVE-2022-0492
-# CVE-2022-27191 is an issue in Go. Which will be installed only together with Trivy.
-CVE-2022-27191
-# CVE-2022-23960 affects only ARM architectures
-CVE-2022-23960

diff --git a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/Dockerfile b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/Dockerfile
@@ -10,5 +10,6 @@ RUN /scripts/install_scripts/install_via_apt.pl --file /build_info/packages/secu
 
 ENV SECURITY_SCANNERS="trivy"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy.rego /trivy.rego
 
 ENTRYPOINT ["/scripts/security_scan/run.sh"]
diff --git a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/trivy.rego b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/trivy.rego
@@ -0,0 +1,10 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore {
+        input.PkgName == "linux-libc-dev"
+        regex.match("^kernel:", input.Title)
+}