
Add failure: ignore to security scans #2078

Closed

Conversation

qwerty287 (Contributor)

Otherwise all PRs are marked as failed on GitHub.

@qwerty287 qwerty287 added the build CI pipeline related label Aug 1, 2023
@qwerty287 qwerty287 requested a review from a team August 1, 2023 06:51
Member

@xoxys xoxys left a comment


The reported CVEs should be fixed by updating the deps or added to the trivyignore list. Just effectively bypassing the entire security scan makes it IMO useless.

@qwerty287 (Contributor, Author)

Of course, but especially the docs kind of always fail. It's not possible to fix the vulnerabilities currently there. Thus, the pipeline fails and is reported to GitHub as failed, which makes the GitHub status monitor useless.

@xoxys (Member)

xoxys commented Aug 1, 2023

True, there will always be cases where the results of security scans are not accurate or can be ignored because the code base is not affected, etc. But for all these cases, we should use the methods described at https://aquasecurity.github.io/trivy/v0.43/docs/configuration/filtering/ instead of "blindly" ignoring all findings. Otherwise, we will not notice future critical vulnerabilities, and we could remove the security scan altogether.

@xoxys (Member)

xoxys commented Aug 1, 2023

What is blocking dependency updates for docs? Just running `pnpm update` results in a heavily reduced CVE list:

```
❯ trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
2023-08-01T09:44:34.470+0200	INFO	Vulnerability scanning is enabled
2023-08-01T09:44:34.470+0200	INFO	Secret scanning is enabled
2023-08-01T09:44:34.470+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-01T09:44:34.470+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-08-01T09:44:34.528+0200	INFO	Number of language-specific files: 1
2023-08-01T09:44:34.528+0200	INFO	Detecting pnpm vulnerabilities...

pnpm-lock.yaml (pnpm)

Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 2, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ got     │ CVE-2022-33987 │ MEDIUM   │ 9.6.0             │ 11.8.5, 12.1.0 │ missing verification of requested URLs allows redirects to   │
│         │                │          │                   │                │ UNIX sockets                                                 │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-33987                   │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ trim    │ CVE-2020-7753  │ HIGH     │ 0.0.1             │ 0.0.3          │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │
│         │                │          │                   │                │ trim function                                                │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-7753                    │
├─────────┼────────────────┤          ├───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ yaml    │ CVE-2023-2251  │          │ 2.2.1             │ 2.2.2          │ Uncaught Exception in GitHub repository eemeli/yaml prior to │
│         │                │          │                   │                │ 2.0.0-5.                                                     │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2023-2251                    │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
```

@qwerty287 (Contributor, Author)

Yes, but there are still some, right? Of course, updating is the best you can do, but you can already see that some of the dependencies still have unfixed CVEs. They would fail as well.

@xoxys (Member)

xoxys commented Aug 1, 2023

I have already made a suggestion for remaining ones at #2078 (comment). Just add them to trivyignore and add a description of why they were ignored. This way, future CVEs will still result in a failed CI that can be checked by someone, while the current state will pass.

xoxys added a commit that referenced this pull request Aug 1, 2023
Related-to: #2078

Remaining CVEs:

```
❯ trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
2023-08-01T10:02:36.911+0200	INFO	Vulnerability scanning is enabled
2023-08-01T10:02:36.911+0200	INFO	Secret scanning is enabled
2023-08-01T10:02:36.911+0200	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-08-01T10:02:36.911+0200	INFO	Please see also https://aquasecurity.github.io/trivy/v0.43/docs/scanner/secret/#recommendation for faster secret detection
2023-08-01T10:02:36.963+0200	INFO	Number of language-specific files: 1
2023-08-01T10:02:36.963+0200	INFO	Detecting pnpm vulnerabilities...

pnpm-lock.yaml (pnpm)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬───────────────────┬────────────────┬──────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Installed Version │ Fixed Version  │                            Title                             │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ got     │ CVE-2022-33987 │ MEDIUM   │ 9.6.0             │ 11.8.5, 12.1.0 │ missing verification of requested URLs allows redirects to   │
│         │                │          │                   │                │ UNIX sockets                                                 │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2022-33987                   │
├─────────┼────────────────┼──────────┼───────────────────┼────────────────┼──────────────────────────────────────────────────────────────┤
│ trim    │ CVE-2020-7753  │ HIGH     │ 0.0.1             │ 0.0.3          │ nodejs-trim: Regular Expression Denial of Service (ReDoS) in │
│         │                │          │                   │                │ trim function                                                │
│         │                │          │                   │                │ https://avd.aquasec.com/nvd/cve-2020-7753                    │
└─────────┴────────────────┴──────────┴───────────────────┴────────────────┴──────────────────────────────────────────────────────────────┘
```

- `trim` is pulled in by `@docusaurus/theme-classic` and can be ignored due to facebook/docusaurus#7275 (comment)
- `got` can be ignored as well, see `trim`
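As an added illustration of the two approaches argued over in this thread (not code from this PR or from the woodpecker-ci repository), the fragment below shows the `failure: ignore` step this PR proposed beside the variant the review suggests, which keeps the step blocking and suppresses only the reviewed findings through a `.trivyignore` file; the step name, the `aquasec/trivy` image and the `steps:` layout are assumptions, while the `trivy` command line is the one run in the thread.

```yaml
# Hypothetical Woodpecker pipeline fragment (added example, not the project's own file).
# Step name and image are assumptions; the trivy invocation is taken from the thread.

# BEFORE: what this PR proposed. Trivy still exits 1 on findings, but the step
# result is discarded, so a new CRITICAL CVE in docs/ would never fail CI.
steps:
  security-scan-docs:
    image: aquasec/trivy
    commands:
      - trivy fs --exit-code 1 --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
    failure: ignore
---
# AFTER: the review suggestion. The step stays blocking; only the CVEs listed
# (with a reason) in .trivyignore are filtered, so any new finding fails CI.
# --ignorefile defaults to ./.trivyignore; it is spelled out here for clarity.
steps:
  security-scan-docs:
    image: aquasec/trivy
    commands:
      - trivy fs --exit-code 1 --ignorefile .trivyignore --skip-dirs node_modules/,plugins/woodpecker-plugins/node_modules/ docs/
```

The AFTER variant assumes a `.trivyignore` in the directory the step runs from, listing `CVE-2020-7753` and `CVE-2022-33987` one per line, each preceded by a `#` comment carrying the reason given in the commit message above.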
@xoxys (Member)

xoxys commented Aug 1, 2023

@qwerty287 I think we can close this one?

@qwerty287 qwerty287 closed this Aug 1, 2023
@qwerty287 qwerty287 deleted the qwerty287-patch-1 branch August 1, 2023 15:08