From 0fa7eea6633d23695a1bdb7609a0150a118c90c7 Mon Sep 17 00:00:00 2001
From: Fabian Widmann
Date: Fri, 23 Jul 2021 09:09:52 +0200
Subject: [PATCH 1/6] feat(cve): add option to ignore unfixable issues
---
 container-scan.gitlab-ci.yml | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml
index d3274f5..5c2830f 100644
--- a/container-scan.gitlab-ci.yml
+++ b/container-scan.gitlab-ci.yml
@@ -28,14 +28,21 @@
 PROJECT_DIR: $CI_PROJECT_DIR
 DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
 CONTEXT_LOCATION: $CI_PROJECT_DIR
+ IGNORE_UNFIXABLE: "true"
 EXITCODE: 1
 before_script:
 - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
 - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 script:
 - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image --skip-tls-verify
- - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
- - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
+ - >
+ if [ $IGNORE_UNFIXED = "true" ] ; then
+ ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+ ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
+ else
+ ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+ ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
+ fi
 cache:
 paths:
From 027186fdc1680e2bc87cfda6ceb6b1020ee13012 Mon Sep 17 00:00:00 2001
From: Fabian Widmann
Date: Fri, 23 Jul 2021 09:17:36 +0200
Subject: [PATCH 2/6] feat(cve): fix script
---
 container-scan.gitlab-ci.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
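Review bot: The variable added as `IGNORE_UNFIXABLE` is never consulted — the new `if` line compares `$IGNORE_UNFIXED`, a different name, so the expansion is empty and, being unquoted, leaves `[` with a missing operand instead of selecting the `else` branch. Using one name and quoting it, `if [ "$IGNORE_UNFIXABLE" = "true" ]; then`, fixes both problems at once. The `- >` folded scalar also joins the following lines into a single shell line with no command separators, so the `then … else … fi` sequence is not valid shell as written; a multi-line script needs a literal block. The hunks in patches 2, 3 and 4 keep the same name mismatch, so their `[[` and `==` changes do not reach the cause.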
diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml
index 5c2830f..1f92727 100644
--- a/container-scan.gitlab-ci.yml
+++ b/container-scan.gitlab-ci.yml
@@ -35,11 +35,13 @@
 - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 script:
 - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image --skip-tls-verify
- - >
+ - |
 if [ $IGNORE_UNFIXED = "true" ] ; then
+ echo "detect issues, ignore unfixed issues";
 ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
 ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
 else
+ echo "detect all issues";
 ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
 ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
 fi
From 7c58ee80be3fbd7ceb86ff6378037c9797144a19 Mon Sep 17 00:00:00 2001
From: Fabian Widmann
Date: Fri, 23 Jul 2021 09:37:52 +0200
Subject: [PATCH 3/6] feat(cve): try to fix unknown operand
---
 container-scan.gitlab-ci.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml
index 1f92727..dd92554 100644
--- a/container-scan.gitlab-ci.yml
+++ b/container-scan.gitlab-ci.yml
@@ -35,8 +35,9 @@
 - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 script:
 - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image --skip-tls-verify
+ - echo $IGNORE_UNFIXABLE
 - |
- if [ $IGNORE_UNFIXED = "true" ] ; then
+ if [[ $IGNORE_UNFIXED = "true" ]] ; then
 echo "detect issues, ignore unfixed issues";
 ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
 ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
From e0dbec82a96be1a62e66cc33652eb1cfd066d796 Mon Sep 17 00:00:00 2001
From: Fabian Widmann
Date: Fri, 23 Jul 2021 09:55:15 +0200
Subject: [PATCH 4/6] feat(cve): try to fix unknown operand
---
 container-scan.gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml
index dd92554..d58a9fc 100644
--- a/container-scan.gitlab-ci.yml
+++ b/container-scan.gitlab-ci.yml
@@ -37,7 +37,7 @@
 - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image --skip-tls-verify
 - echo $IGNORE_UNFIXABLE
 - |
- if [[ $IGNORE_UNFIXED = "true" ]] ; then
+ if [[ $IGNORE_UNFIXED == "true" ]] ; then
 echo "detect issues, ignore unfixed issues";
 ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
 ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
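Review bot: `[[ … ]]` on the new `if` line is a bash/ksh extension, and the "unknown operand" failure named in the commit subject is typically what a minimal `sh` builtin `[` reports when its left operand expands to nothing, so switching to `[[` (and, in the next hunk, to `==`) hides an empty variable rather than handling it; quoting the expansion, `if [ "$IGNORE_UNFIXED" = "true" ]; then`, is portable and evaluates to false cleanly when the variable is unset. Whether the shell in the kaniko job image provides `[[` at all is not visible here. The added `- echo $IGNORE_UNFIXABLE` line is a debugging aid that prints a variable the script never tests, and it should not remain in the job. The block scalar continues past the end of this hunk.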
From 12ff4bcfd0081f8e696ae7448f8421e2156b74d4 Mon Sep 17 00:00:00 2001
From: Fabian Widmann
Date: Fri, 23 Jul 2021 13:50:55 +0200
Subject: [PATCH 5/6] feat(cve): by default mute errors we cannot fix
---
 container-scan.gitlab-ci.yml | 16 +++------------
 1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml
index d58a9fc..9eb533e 100644
--- a/container-scan.gitlab-ci.yml
+++ b/container-scan.gitlab-ci.yml
@@ -10,7 +10,7 @@
 script:
 - mvn $MAVEN_CLI_OPTS compile jib:buildTar -DskipTests
 - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input target/jib-image.tar
- - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE_ON_HIGH --severity HIGH,CRITICAL --no-progress --auto-refresh --input target/jib-image.tar
+ - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input target/jib-image.tar
 cache:
 paths:
 - .trivycache/
@@ -28,24 +28,14 @@
 PROJECT_DIR: $CI_PROJECT_DIR
 DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
 CONTEXT_LOCATION: $CI_PROJECT_DIR
- IGNORE_UNFIXABLE: "true"
 EXITCODE: 1
 before_script:
 - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
 - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 script:
 - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image --skip-tls-verify
- - echo $IGNORE_UNFIXABLE
- - |
- if [[ $IGNORE_UNFIXED == "true" ]] ; then
- echo "detect issues, ignore unfixed issues";
- ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
- ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
- else
- echo "detect all issues";
- ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
- ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
- fi
+ - ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+ - ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
 cache:
 paths:
From 8b17d3dfaf32db217e4bf4df34ae924fd00c7ad3 Mon Sep 17 00:00:00 2001
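Review bot: `--ignore-unfixed` is now passed to the reporting run (the `--exit-code 0 … -o junit-report.xml` line) as well as to the gating run, so HIGH/CRITICAL findings that have no available fix vanish from `junit-report.xml` entirely instead of merely not failing the job; that report is the only place those findings would otherwise stay visible for tracking. Keeping `--ignore-unfixed` only on the `--exit-code $EXITCODE` line gives the muting the commit intends while the report still lists everything found. With the `IGNORE_UNFIXABLE` variable removed there is also no longer any way for a consuming project to opt back into failing on unfixed findings, and a comment on the `EXITCODE` line stating that unfixed findings are ignored by default would make that trade-off explicit to readers of the template.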
From: mfeix
Date: Fri, 23 Jul 2021 13:58:25 +0200
Subject: [PATCH 6/6] fix(Container-Scan) Try add Extra args variable
---
 container-scan.gitlab-ci.yml | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/container-scan.gitlab-ci.yml b/container-scan.gitlab-ci.yml
index 9eb533e..93107e7 100644
--- a/container-scan.gitlab-ci.yml
+++ b/container-scan.gitlab-ci.yml
@@ -4,13 +4,14 @@
 variables:
 TRIVY_VERSION: 0.18.3
 EXITCODE: 1
+ TRIVY_EXTRA_ARGS: "--no-progress --auto-refresh --ignore-unfixed"
 before_script:
 - curl -L "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" --output trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 script:
 - mvn $MAVEN_CLI_OPTS compile jib:buildTar -DskipTests
- - ./trivy --cache-dir .trivycache/ --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input target/jib-image.tar
- - ./trivy --cache-dir .trivycache/ --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input target/jib-image.tar
+ - ./trivy --cache-dir .trivycache/ $TRIVY_EXTRA_ARGS --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input target/jib-image.tar
+ - ./trivy --cache-dir .trivycache/ $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --input target/jib-image.tar
 cache:
 paths:
 - .trivycache/
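Review bot: Both rewritten `./trivy` lines still pass `--no-progress` explicitly although `TRIVY_EXTRA_ARGS` already contains it, so the flag is given twice, and `--cache-dir .trivycache/` now appears twice on each line as well; keeping a single `--cache-dir .trivycache/` and dropping the inline `--no-progress` (as the hunk at `@@ -29,14 +30,14 @@` already does) leaves `$TRIVY_EXTRA_ARGS` as the one source of the shared flags — that second hunk carries the same duplicated `--cache-dir`. Folding `--auto-refresh` into the shared variable also means the reporting run now refreshes the vulnerability database where it previously did not; presumably harmless since both runs scan the same tarball, but worth a sentence in the commit message. `$TRIVY_EXTRA_ARGS` is deliberately unquoted so the shell splits it into separate flags; a comment next to the variable, `# space-separated flags appended to every trivy call; override per project to keep unfixed findings fatal`, would stop a later edit from quoting it and would document how to turn `--ignore-unfixed` off.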
@@ -29,14 +30,14 @@
 DOCKERFILE_LOCATION: $CI_PROJECT_DIR/Dockerfile
 CONTEXT_LOCATION: $CI_PROJECT_DIR
 EXITCODE: 1
+ TRIVY_EXTRA_ARGS: "--no-progress --auto-refresh --ignore-unfixed"
 before_script:
 - wget "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
 - tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz
 script:
 - /kaniko/executor --context $CONTEXT_LOCATION --dockerfile $DOCKERFILE_LOCATION --cache-dir cache/image --tarPath image.tar --no-push --destination image --skip-tls-verify
- - ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --no-progress --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
- - ./trivy --cache-dir .trivycache/ --ignore-unfixed --exit-code $EXITCODE --severity HIGH,CRITICAL --no-progress --auto-refresh --input image.tar
-
+ - ./trivy --cache-dir .trivycache/ $TRIVY_EXTRA_ARGS --exit-code 0 --cache-dir .trivycache/ --severity HIGH,CRITICAL --format template --template "@contrib/junit.tpl" -o junit-report.xml --input image.tar
+ - ./trivy --cache-dir .trivycache/ $TRIVY_EXTRA_ARGS --exit-code $EXITCODE --cache-dir .trivycache/ --severity HIGH,CRITICAL --input image.tar
 cache:
 paths:
 - .trivycache/