
New xray_ignore_rule resources or changes to existing ones should take effect immediately #165

Open
rorynickolls-skyral opened this issue Mar 7, 2024 · 4 comments
Labels: enhancement (New feature or request), on hold (Not decided whether we're doing it or not)

Comments

@rorynickolls-skyral

Is your feature request related to a problem? Please describe.

When creating or updating xray_ignore_rule Terraform resources, it does not appear to take effect immediately. Policy violations do not start showing as 'Ignored' in the Xray scans list until a scan is triggered manually through the UI.

Describe the solution you'd like

Having a manual step after creating rules defeats the purpose of managing them through Terraform - it would be ideal if changes to the Terraform-managed ignore rule took effect immediately without any intervention.

Describe alternatives you've considered

Alternatives are:

  • Continue manually triggering rescans.
  • Automatically trigger a rescan outside of the Terraform provider e.g. in our own CI pipeline.

Neither of these is a great solution!

Additional context

When creating a rule through the Artifactory UI, it appears to take effect immediately without triggering a scan. It is unclear how it does this, and whether there's an API request that can be made from the provider to make it happen.

@alexhung alexhung added the enhancement New feature or request label Mar 7, 2024
@alexhung
Member

alexhung commented Mar 7, 2024

@rorynickolls-skyral Thanks for the suggestion. I've added this to our road map.

@yahesh

yahesh commented Jul 22, 2024

@alexhung We ran into the same issue just recently. Is there any news on when this will be fixed?

@alexhung
Member

@yahesh Unfortunately, no update so far. The REST APIs to initiate a scan are designed for specific artifacts, builds, etc., and do not necessarily match the criteria in ignore rules. I haven't been able to come up with a good way to reconcile these differences yet.

Two alternatives:

  • Use the private web UI API, which may or may not be possible.
  • Make a feature request to the Xray team to expose a new public API for this purpose.

@alexhung alexhung added the on hold Not decided whether we're doing it or not label Sep 17, 2024
@sgsollie

Hey, just adding my personal experiences here.
I've run into this issue but also experienced some other, from a user perspective slightly bizarre, behaviour which I think is related.
We have a policy to block downloads of all artefacts with critical vulnerabilities.

  1. Add ignore rule with terraform
  2. Find that the artifact with a critical vuln is still blocked (policy violation), with no ignore rule associated with it.
  3. Add a new ignore rule for that vulnerability in the UI (click on the violation > "Ignore Violation")
  4. Immediately delete that ignore rule in the UI
  5. Find that the policy violation still says "Ignored" BUT the associated ignore rule is now the terraform created rule!

I've been able to reproduce this pretty consistently.
