diff --git a/ext/scripts/security_scan/run_trivy.sh b/ext/scripts/security_scan/run_trivy.sh
index b9a0fed11..8dec5ac3e 100755
--- a/ext/scripts/security_scan/run_trivy.sh
+++ b/ext/scripts/security_scan/run_trivy.sh
@@ -9,8 +9,8 @@ fi
 output_path=$1
-trivy rootfs --no-progress --offline-scan --format json --output "$output_path/trivy_report.json" / > /dev/null
+trivy rootfs --no-progress --offline-scan --format json --ignore-policy /trivy.rego --output "$output_path/trivy_report.json" / > /dev/null
 #run with format table and print to stdout
-trivy rootfs --no-progress --offline-scan --format table --output "$output_path/trivy_report.txt" / > /dev/null
+trivy rootfs --no-progress --offline-scan --format table --ignore-policy /trivy.rego --output "$output_path/trivy_report.txt" / > /dev/null
 #Force script to return with error if a high or critical issue is found
-trivy rootfs --no-progress --offline-scan --severity "HIGH,CRITICAL" --exit-code 1 /
\ No newline at end of file
+trivy rootfs --no-progress --offline-scan --ignore-policy /trivy.rego --show-suppressed --severity "HIGH,CRITICAL" --exit-code 1 /
\ No newline at end of file
diff --git a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/.trivyignore b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/.trivyignore
index afb8c8b35..e69de29bb 100644
--- a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/.trivyignore
+++ b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/.trivyignore
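Review bot: `--show-suppressed` is added only to the third, exit-code invocation, so the persisted `trivy_report.json` and `trivy_report.txt` never record which findings the new policy filtered out; for auditability add the flag to the JSON report run as well, `trivy rootfs --no-progress --offline-scan --format json --ignore-policy /trivy.rego --show-suppressed --output "$output_path/trivy_report.json" / > /dev/null`, assuming the installed Trivy supports it for JSON output. The policy path `/trivy.rego` is now repeated three times and must stay in sync with the `COPY /security_scan/trivy.rego /trivy.rego` target in each flavor's security_scan Dockerfile; hoisting it into a single `policy_file=/trivy.rego` near `output_path=$1` keeps that coupling in one place. Since the rego policy replaces the per-CVE `.trivyignore` entries, a comment above the first invocation such as `# kernel findings reported against linux-libc-dev are suppressed by /trivy.rego` would tell a reader where the filter now lives. The enclosing script begins before this hunk.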
@@ -1,41 +0,0 @@
-#bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
-#The following CVEs affect kernel, no issue for container
-CVE-2022-0847
-CVE-2022-0001
-CVE-2022-0002
-CVE-2022-1015
-CVE-2022-23960
-CVE-2022-25636
-CVE-2022-43945
-CVE-2023-3611
-CVE-2023-3776
-CVE-2023-3609
-CVE-2023-4622
-CVE-2023-4623
-CVE-2023-4921
-CVE-2024-26583
-CVE-2024-26828
-CVE-2024-26865
-CVE-2024-26585
-CVE-2023-52433
-CVE-2024-26642
-CVE-2024-26643
-CVE-2024-26800
-CVE-2024-26921
-CVE-2024-26923
-CVE-2024-26924
-CVE-2024-26925
-CVE-2024-27397
-# CVE-2023-20569 does not have a fix and is a problem of host system (amd cpus)
-CVE-2023-20569
-#CVE-2022-23648 is a bug in containerd, not issue for containers
-CVE-2022-23648
-#issue in cgroups, but no threat for ScriptLanguageContainer
-CVE-2022-0492
-# CVE-2022-27191 is an issue in Go. Which will be installed only together with Trivy.
-CVE-2022-27191
-# CVE-2022-23960 affects only ARM architectures
-CVE-2022-23960
-# We ignore CVE-2023-38325, because cryptography 41.0.3 is currently not available on conda, https://github.com/conda-forge/cryptography-feedstock/issues/122
-CVE-2023-38325
diff --git a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/Dockerfile b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/Dockerfile
index 15291fc84..7c53896aa 100644
--- a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/Dockerfile
+++ b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/Dockerfile
@@ -10,5 +10,6 @@ RUN /scripts/install_scripts/install_via_apt.pl --file /build_info/packages/secu
 ENV SECURITY_SCANNERS="trivy"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy.rego /trivy.rego
 ENTRYPOINT ["/scripts/security_scan/run.sh"]
\ No newline at end of file
diff --git a/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/trivy.rego b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/trivy.rego
new file mode 100644
index 000000000..fc807388d
--- /dev/null
+++ b/flavors/template-Exasol-all-python-3.10-conda/flavor_base/security_scan/trivy.rego
@@ -0,0 +1,10 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore {
+ input.PkgName == "linux-libc-dev"
+ regex.match("^kernel:", input.Title)
+}
\ No newline at end of file
diff --git a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/.trivyignore b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/.trivyignore
index afb8c8b35..8b1378917 100644
--- a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/.trivyignore
+++ b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/.trivyignore
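Review bot: The policy has no comment stating why every `linux-libc-dev` finding whose title begins with `kernel:` is ignored regardless of severity, whereas the `.trivyignore` entries it replaces carried that rationale ("affect kernel, no issue for container"); add a header such as `# linux-libc-dev ships only kernel headers; kernel CVEs reported against it do not affect a container, which runs on the host kernel` so the blanket suppression stays auditable. `import data.lib.trivy` is not referenced by the rule and can be dropped, and `regex.match("^kernel:", input.Title)` reads more directly as `startswith(input.Title, "kernel:")`. The non-kernel suppressions removed from `.trivyignore` in this diff (CVE-2023-20569, CVE-2022-23648, CVE-2022-0492, CVE-2022-27191, CVE-2023-38325) have no counterpart in this policy, so if Trivy still reports any of them at HIGH or CRITICAL the exit-code gate in run_trivy.sh will now fail; if dropping them is intended, the commit message should say so. The identical file is added for the cuda-conda and python-3.10 flavors later in this diff, and the same remarks apply there.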
@@ -1,41 +1 @@
-#bug in trivy, no idea when a new debian package will be released (https://github.com/aquasecurity/trivy/issues/1680)
-CVE-2021-43816
-#The following CVEs affect kernel, no issue for container
-CVE-2022-0847
-CVE-2022-0001
-CVE-2022-0002
-CVE-2022-1015
-CVE-2022-23960
-CVE-2022-25636
-CVE-2022-43945
-CVE-2023-3611
-CVE-2023-3776
-CVE-2023-3609
-CVE-2023-4622
-CVE-2023-4623
-CVE-2023-4921
-CVE-2024-26583
-CVE-2024-26828
-CVE-2024-26865
-CVE-2024-26585
-CVE-2023-52433
-CVE-2024-26642
-CVE-2024-26643
-CVE-2024-26800
-CVE-2024-26921
-CVE-2024-26923
-CVE-2024-26924
-CVE-2024-26925
-CVE-2024-27397
-# CVE-2023-20569 does not have a fix and is a problem of host system (amd cpus)
-CVE-2023-20569
-#CVE-2022-23648 is a bug in containerd, not issue for containers
-CVE-2022-23648
-#issue in cgroups, but no threat for ScriptLanguageContainer
-CVE-2022-0492
-# CVE-2022-27191 is an issue in Go. Which will be installed only together with Trivy.
-CVE-2022-27191
-# CVE-2022-23960 affects only ARM architectures
-CVE-2022-23960
-# We ignore CVE-2023-38325, because cryptography 41.0.3 is currently not available on conda, https://github.com/conda-forge/cryptography-feedstock/issues/122
-CVE-2023-38325
+
diff --git a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/Dockerfile b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/Dockerfile
index 15291fc84..7c53896aa 100644
--- a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/Dockerfile
+++ b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/Dockerfile
@@ -10,5 +10,6 @@ RUN /scripts/install_scripts/install_via_apt.pl --file /build_info/packages/secu
 ENV SECURITY_SCANNERS="trivy"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy.rego /trivy.rego
 ENTRYPOINT ["/scripts/security_scan/run.sh"]
\ No newline at end of file
diff --git a/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/trivy.rego b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/trivy.rego
new file mode 100644
index 000000000..fc807388d
--- /dev/null
+++ b/flavors/template-Exasol-all-python-3.10-cuda-conda/flavor_base/security_scan/trivy.rego
@@ -0,0 +1,10 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore {
+ input.PkgName == "linux-libc-dev"
+ regex.match("^kernel:", input.Title)
+}
\ No newline at end of file
diff --git a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/.trivyignore b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/.trivyignore
index 931d12e19..e69de29bb 100644
--- a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/.trivyignore
+++ b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/.trivyignore
@@ -1,47 +0,0 @@
-#the following CVE's affect kernel, no issue for container
-CVE-2022-0847
-CVE-2022-0001
-CVE-2022-0002
-CVE-2022-1015
-CVE-2022-23960
-CVE-2022-25636
-CVE-2022-1116
-CVE-2022-29581
-CVE-2022-21499
-CVE-2022-43945
-CVE-2023-3090
-CVE-2023-3389
-CVE-2023-3390
-CVE-2023-3611
-CVE-2023-3776
-CVE-2023-3609
-CVE-2023-4622
-CVE-2023-4623
-CVE-2023-4921
-CVE-2023-6176
-CVE-2024-0646
-CVE-2024-1085
-CVE-2024-1086
-CVE-2024-26597
-CVE-2024-26828
-CVE-2024-26865
-CVE-2024-26585
-CVE-2023-52433
-CVE-2024-26642
-CVE-2024-26643
-CVE-2024-26800
-CVE-2024-26921
-CVE-2024-26923
-CVE-2024-26924
-CVE-2024-26925
-CVE-2024-27397
-# CVE-2023-20569 does not have a fix and is a problem of host system (amd cpus)
-CVE-2023-20569
-#CVE-2022-23648 is a bug in containerd, not issue for containers
-CVE-2022-23648
-#issue in cgroups, but no threat for ScriptLanguageContainer
-CVE-2022-0492
-# CVE-2022-27191 is an issue in Go. Which will be installed only together with Trivy.
-CVE-2022-27191
-# CVE-2022-23960 affects only ARM architectures
-CVE-2022-23960
diff --git a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/Dockerfile b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/Dockerfile
index 15291fc84..7c53896aa 100644
--- a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/Dockerfile
+++ b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/Dockerfile
@@ -10,5 +10,6 @@ RUN /scripts/install_scripts/install_via_apt.pl --file /build_info/packages/secu
 ENV SECURITY_SCANNERS="trivy"
 COPY /security_scan/.trivyignore /.trivyignore
+COPY /security_scan/trivy.rego /trivy.rego
 ENTRYPOINT ["/scripts/security_scan/run.sh"]
\ No newline at end of file
diff --git a/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/trivy.rego b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/trivy.rego
new file mode 100644
index 000000000..fc807388d
--- /dev/null
+++ b/flavors/template-Exasol-all-python-3.10/flavor_base/security_scan/trivy.rego
@@ -0,0 +1,10 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore = false
+
+ignore {
+ input.PkgName == "linux-libc-dev"
+ regex.match("^kernel:", input.Title)
+}
\ No newline at end of file