feat: scanning filter by vuln-type (#1184)
* feat: scanning filter by vuln-type

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: scanning filter by vuln-type

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: scanning filter by vuln-type

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: scanning filter by vuln-type

Signed-off-by: chenk <hen.keinan@gmail.com>

* feat: scanning filter by vuln-type

Signed-off-by: chenk <hen.keinan@gmail.com>

---------

Signed-off-by: chenk <hen.keinan@gmail.com>
chen-keinan committed Apr 27, 2023
1 parent 773f8e3 commit b5d5905
Showing 6 changed files with 100 additions and 2 deletions.
2 changes: 2 additions & 0 deletions deploy/helm/README.md
Expand Up @@ -126,6 +126,8 @@ The values of the `OPERATOR_NAMESPACE` and `OPERATOR_TARGET_NAMESPACES` determin
| `trivy.offlineScan` | N/A | Whether to enable the offline scan mode of Trivy preventing outgoing calls, e.g. to <search.maven.org> for additional vulnerability information. Set to `"true"` to enable it. |
| `trivy.skipFiles` | N/A | A comma separated list of file paths for Trivy to skip traversal. |
| `trivy.skipDirs` | N/A | A comma separated list of directories for Trivy to skip traversal. |

| `trivy.vulnType` | ``| this flag can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) |
| `trivy.ignoreFile` | N/A | It specifies the `.trivyignore` file which contains a list of vulnerability IDs to be ignored from vulnerabilities reported by Trivy. |
| `trivy.ignorePolicy` | N/A | It specifies a fallback [policy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/#by-open-policy-agent) file which allows to customize which vulnerabilities are reported by Trivy. |
| `trivy.ignorePolicy.{ns}` | N/A | It specifies a namespace specific [policy](https://aquasecurity.github.io/trivy/latest/docs/vulnerability/examples/filter/#by-open-policy-agent) file which allows to customize which vulnerabilities are reported by Trivy. |
3 changes: 3 additions & 0 deletions deploy/helm/templates/config.yaml
Expand Up @@ -123,6 +123,9 @@ data:
{{- if .Values.trivy.skipDirs }}
trivy.skipDirs: {{ .Values.trivy.skipDirs | quote }}
{{- end }}
{{- if .Values.trivy.vulnType }}
trivy.vulnType: {{ .Values.trivy.vulnType | quote }}
{{- end }}
{{- if .Values.trivy.dbRepositoryInsecure }}
trivy.dbRepositoryInsecure: {{ .Values.trivy.dbRepositoryInsecure | quote }}
{{- end }}
3 changes: 3 additions & 0 deletions deploy/helm/values.yaml
Expand Up @@ -309,6 +309,9 @@ trivy:
# ignorePolicy: |
# # applies to all other workloads

# vulnType can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os)
# vulnType:

# resources resource requests and limits
resources:
requests:
2 changes: 2 additions & 0 deletions docs/docs/vulnerability-scanning/trivy.md
Expand Up @@ -85,6 +85,8 @@ EOF
| `trivy.command` | `image` | command. One of `image`, `filesystem` or `rootfs` scanning. Depending on the target type required for the scan. |
| `trivy.slow` | `true` | this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint |
| `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy |

| `trivy.vulnType` | ``| this flag can be used to tell Trivy to filter vulnerabilities by a pkg-type (library, os) |
| `trivy.ignoreUnfixed` | N/A | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. |
| `trivy.offlineScan` | N/A | Whether to enable the offline scan mode of Trivy preventing outgoing calls, e.g. to <search.maven.org> for additional vulnerability information. Set to `"true"` to enable it. |
| `trivy.skipFiles` | N/A | A comma separated list of file paths for Trivy to skip traversal. |
40 changes: 38 additions & 2 deletions pkg/plugins/trivy/plugin.go
Expand Up @@ -51,6 +51,7 @@ const (
keyTrivyCommand = "trivy.command"
KeyTrivySeverity = "trivy.severity"
keyTrivySlow = "trivy.slow"
keyTrivyVulnType = "trivy.vulnType"
keyTrivyIgnoreUnfixed = "trivy.ignoreUnfixed"
keyTrivyOfflineScan = "trivy.offlineScan"
keyTrivyTimeout = "trivy.timeout"
Expand Down Expand Up @@ -270,6 +271,18 @@ func (c Config) GetSlow() bool {
return boolVal
}

func (c Config) GetVulnType() string {
val, ok := c.Data[keyTrivyVulnType]
if !ok {
return ""
}
trimmedVulnType := strings.TrimSpace(val)
if !(trimmedVulnType == "os" || trimmedVulnType == "library") {
return ""
}
return trimmedVulnType
}

func (c Config) GetSupportedConfigAuditKinds() []string {
val, ok := c.Data[keyTrivySupportedConfigAuditKinds]
if !ok {
Expand Down Expand Up @@ -1026,7 +1039,12 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
return []string{}, []string{}
}
slow := Slow(c)
vulnTypeArgs := p.vulnTypeFilter(ctx)
scanners := Scanners(c)
var vulnTypeFlag string
if len(vulnTypeArgs) == 2 {
vulnTypeFlag = fmt.Sprintf("%s %s ", vulnTypeArgs[0], vulnTypeArgs[1])
}
if mode == ClientServer {
if !compressLogs {
args := []string{
Expand All @@ -1045,9 +1063,12 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
if len(slow) > 0 {
args = append(args, slow)
}
if len(vulnTypeArgs) > 0 {
args = append(args, vulnTypeArgs...)
}
return command, args
}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s --cache-dir /tmp/trivy/.cache --quiet --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), trivyServerURL, resultFileName, resultFileName)}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s--cache-dir /tmp/trivy/.cache --quiet --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), vulnTypeFlag, trivyServerURL, resultFileName, resultFileName)}
}
skipUpdate := SkipDBUpdate(c)
if !compressLogs {
Expand All @@ -1066,9 +1087,24 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
if len(slow) > 0 {
args = append(args, slow)
}
if len(vulnTypeArgs) > 0 {
args = append(args, vulnTypeArgs...)
}
return command, args
}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), skipUpdate, resultFileName, resultFileName)}
return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s--cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), vulnTypeFlag, skipUpdate, resultFileName, resultFileName)}
}

func (p *plugin) vulnTypeFilter(ctx trivyoperator.PluginContext) []string {
config, err := p.newConfigFrom(ctx)
if err != nil {
return []string{}
}
vulnType := config.GetVulnType()
if len(vulnType) == 0 {
return []string{}
}
return []string{"--vuln-type", vulnType}
}

func getAutomountServiceAccountToken(ctx trivyoperator.PluginContext) bool {
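Review bot: The string returned by GetVulnType ends up inside a `/bin/sh -c` command line through vulnTypeFlag in both compressLogs branches of getCommandAndArgs, so the exact-match allowlist (`os` / `library`) in GetVulnType is the only thing keeping shell metacharacters out of that interpolation, and nothing in the code records that dependency. I would put a comment above the check: `// Exact "os"/"library" only: the value is later spliced into a shell command line in getCommandAndArgs, so keep this an allowlist (extend it, never pass the raw value through).` Separately, vulnTypeFilter rebuilds the config via p.newConfigFrom and discards the error, and an unrecognised value is dropped without any log line, so a misconfigured filter silently becomes "no filter"; since getCommandAndArgs already holds `c` (used by Slow(c) and Scanners(c)), the filter could presumably be derived from that config directly and the rejected value logged — worth confirming that `c` is a Config. getCommandAndArgs begins and ends outside the hunk.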
52 changes: 52 additions & 0 deletions pkg/plugins/trivy/plugin_test.go
Expand Up @@ -308,6 +308,58 @@ func TestConfig_GetCommand(t *testing.T) {
}
}

func TestVulnType(t *testing.T) {
testCases := []struct {
name string
configData trivy.Config
want string
}{
{
name: "valid vuln type os",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.vulnType": "os",
},
}},
want: "os",
},
{
name: "valid vuln type library",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.vulnType": "library",
},
}},
want: "library",
},
{
name: "empty vuln type",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.vulnType": "",
},
}},
want: "",
},
{
name: "non valid vuln type",
configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
Data: map[string]string{
"trivy.vulnType": "aaa",
},
}},
want: "",
},
}
for _, tc := range testCases {
t.Run(tc.name, func(t *testing.T) {
got := tc.configData.GetVulnType()
assert.Equal(t, got, tc.want)

})
}
}

func TestConfig_GetResourceRequirements(t *testing.T) {
testCases := []struct {
name string
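Review bot: `assert.Equal(t, got, tc.want)` passes the arguments in the opposite order from testify's `(t, expected, actual)` signature, so a failing case reports the wanted value as the actual one; change it to `assert.Equal(t, tc.want, got)`. The table also misses the inputs the implementation specifically handles: a config with no `trivy.vulnType` key at all, a padded value such as `" os "` that TrimSpace normalises, and a comma list like `"os,library"` to pin down that combined types are currently rejected. TestVulnType lies entirely within the hunk; the surrounding test file continues outside it.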
