feat: add support for .trivyignore.yaml (#5070)

* feat: add support for .trivyignore.yaml Signed-off-by: knqyf263 <[email protected]> * add test for trivyignore.yaml * Add doublestar support Signed-off-by: knqyf263 <[email protected]> * go mod tidy Signed-off-by: knqyf263 <[email protected]> * update docs * test: fix Signed-off-by: knqyf263 <[email protected]> * fix: load .trivyignore once Signed-off-by: knqyf263 <[email protected]> * feat: add a debug log Signed-off-by: knqyf263 <[email protected]> * docs: add a table for fields Signed-off-by: knqyf263 <[email protected]> * fix: skip empty results Signed-off-by: knqyf263 <[email protected]> * revert the change Signed-off-by: knqyf263 <[email protected]> --------- Signed-off-by: knqyf263 <[email protected]> Co-authored-by: DmitriyLewen <[email protected]>
aquasecurity · Aug 31, 2023 · 9628b1c · 9628b1c
1 parent 4547e27
commit 9628b1c
Show file tree

Hide file tree

Showing 12 changed files with 1,124 additions and 728 deletions.
diff --git a/docs/docs/configuration/filtering.md b/docs/docs/configuration/filtering.md
@@ -204,14 +204,17 @@ See https://avd.aquasec.com/misconfig/avd-aws-0081
 
 ## By Finding IDs
 
+Trivy supports the [.trivyignore](#trivyignore) and [.trivyignore.yaml](#trivyignoreyaml) ignore files.
+
+### .trivyignore
+
 |     Scanner      | Supported |
 |:----------------:|:---------:|
 |  Vulnerability   |     ✓     |
 | Misconfiguration |     ✓     |
 |      Secret      |     ✓     |
 |     License      |           |
 
-Use `.trivyignore`.
 
 ```bash
 $ cat .trivyignore
@@ -251,6 +254,92 @@ Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
 
 </details>
 
+### .trivyignore.yaml
+
+|     Scanner      | Supported |
+|:----------------:|:---------:|
+|  Vulnerability   |     ✓     |
+| Misconfiguration |     ✓     |
+|      Secret      |     ✓     |
+|     License      |     ✓     |
+
+!!! warning "EXPERIMENTAL"
+    This feature might change without preserving backwards compatibility.
+
+When the extension of the specified ignore file is either `.yml` or `.yaml`, Trivy will load the file as YAML.
+For the `.trivyignore.yaml` file, you can set ignored IDs separately for `vulnerabilities`, `misconfigurations`, `secrets`, or `licenses`[^1].
+
+Available fields:
+
+| Field      | Required | Type                | Description                                                                                                |
+|------------|:--------:|---------------------|------------------------------------------------------------------------------------------------------------|
+| id         |    ✓     | string              | The identifier of the vulnerability, misconfiguration, secret, or license[^1].                             |
+| paths      |          | string array        | The list of file paths to be ignored. If `paths` is not set, the ignore finding is applied to all files.   |
+| expired_at |          | date (`yyyy-mm-dd`) | The expiration date of the ignore finding. If `expired_at` is not set, the ignore finding is always valid. |
+| statement  |          | string              | The reason for ignoring the finding. (This field is not used for filtering.)                               |
+
+```bash
+$ cat .trivyignore.yaml
+vulnerabilities:
+  - id: CVE-2022-40897
+    paths:
+      - "usr/local/lib/python3.9/site-packages/setuptools-58.1.0.dist-info/METADATA"
+    statement: Accept the risk
+  - id: CVE-2023-2650
+  - id: CVE-2023-3446
+  - id: CVE-2023-3817
+  - id: CVE-2023-29491
+    expired_at: 2023-09-01
+
+misconfigurations:
+  - id: AVD-DS-0001
+  - id: AVD-DS-0002
+    paths:
+      - "docs/Dockerfile"
+    statement: The image needs root privileges
+
+secrets:
+  - id: aws-access-key-id
+  - id: aws-secret-access-key
+    paths:
+      - "foo/bar/aws.secret"
+
+licenses:
+  - id: GPL-3.0 # License name is used as ID
+    paths:
+      - "usr/share/gcc/python/libstdcxx/v6/__init__.py"
+```
+
+Since this feature is experimental, you must explicitly specify the YAML file path using the `--ignorefile` flag.
+Once this functionality is stable, the YAML file will be loaded automatically.
+
+```bash
+$ trivy image --ignorefile ./.trivyignore.yaml python:3.9.16-alpine3.16
+```
+
+<details>
+<summary>Result</summary>
+
+```bash
+2023-08-31T11:10:27.155+0600	INFO	Vulnerability scanning is enabled
+2023-08-31T11:10:27.155+0600	INFO	Secret scanning is enabled
+2023-08-31T11:10:27.155+0600	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
+2023-08-31T11:10:27.155+0600	INFO	Please see also https://aquasecurity.github.io/trivy/dev/docs/scanner/secret/#recommendation for faster secret detection
+2023-08-31T11:10:29.164+0600	INFO	Detected OS: alpine
+2023-08-31T11:10:29.164+0600	INFO	Detecting Alpine vulnerabilities...
+2023-08-31T11:10:29.169+0600	INFO	Number of language-specific files: 1
+2023-08-31T11:10:29.170+0600	INFO	Detecting python-pkg vulnerabilities...
+
+python:3.9.16-alpine3.16 (alpine 3.16.5)
+========================================
+Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
+
+
+```
+
+</details>
+
+
 ## By Vulnerability Target
 |     Scanner      | Supported |
 |:----------------:|:---------:|
@@ -425,3 +514,5 @@ resource "google_container_cluster" "one_off_test" {
   location = var.region
 }
 ```
+
+[^1]: license name is used as id for `.trivyignore.yaml` files
diff --git a/go.mod b/go.mod
@@ -31,7 +31,7 @@ require (
 	github.com/aws/aws-sdk-go-v2/config v1.18.25
 	github.com/aws/aws-sdk-go-v2/service/ec2 v1.98.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.21.0
-	github.com/bmatcuk/doublestar v1.3.4
+	github.com/bmatcuk/doublestar/v4 v4.6.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.1.2
 	github.com/containerd/containerd v1.7.3
@@ -196,7 +196,6 @@ require (
 	github.com/aws/smithy-go v1.14.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
-	github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
 	github.com/briandowns/spinner v1.23.0 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect

diff --git a/go.sum b/go.sum
@@ -521,8 +521,6 @@ github.com/bitly/go-simplejson v0.5.0/go.mod h1:cXHtHw4XUPsvGaxgjIAn8PhEWG9NfngE
 github.com/bketelsen/crypt v0.0.4/go.mod h1:aI6NrJ0pMGgvZKL1iVgXLnfIFJtfV+bKCoqOes/6LfM=
 github.com/blang/semver v3.1.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/bmatcuk/doublestar v1.3.4 h1:gPypJ5xD31uhX6Tf54sDPUOBXTqKH4c9aPY66CyQrS0=
-github.com/bmatcuk/doublestar v1.3.4/go.mod h1:wiQtGV+rzVYxB7WIlirSN++5HPtPlXEo9MEoZQC/PmE=
 github.com/bmatcuk/doublestar/v4 v4.6.0 h1:HTuxyug8GyFbRkrffIpzNCSK4luc0TY3wzXvzIZhEXc=
 github.com/bmatcuk/doublestar/v4 v4.6.0/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869/go.mod h1:Ekp36dRnpXw/yCqJaO+ZrUyxD+3VXMFFr56k5XYrpB4=

diff --git a/pkg/cloud/report/report.go b/pkg/cloud/report/report.go
@@ -77,7 +77,7 @@ func Write(rep *Report, opt flag.Options, fromCache bool) error {
 	for _, resultsAtTime := range rep.Results {
 		for _, res := range resultsAtTime.Results {
 			resCopy := res
-			if err := result.FilterResult(ctx, &resCopy, result.FilterOption{
+			if err := result.FilterResult(ctx, &resCopy, result.IgnoreConfig{}, result.FilterOption{
 				Severities:         opt.Severities,
 				IncludeNonFailures: opt.IncludeNonFailures,
 			}); err != nil {

diff --git a/pkg/commands/artifact/run.go b/pkg/commands/artifact/run.go
@@ -273,11 +273,9 @@ func (r *runner) scanArtifact(ctx context.Context, opts flag.Options, initialize
 
 func (r *runner) Filter(ctx context.Context, opts flag.Options, report types.Report) (types.Report, error) {
 	// Filter results
-	err := result.Filter(ctx, report, opts.FilterOpts())
-	if err != nil {
+	if err := result.Filter(ctx, report, opts.FilterOpts()); err != nil {
 		return types.Report{}, xerrors.Errorf("filtering error: %w", err)
 	}
-
 	return report, nil
 }
 

diff --git a/pkg/fanal/walker/walk.go b/pkg/fanal/walker/walk.go
@@ -5,7 +5,7 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/bmatcuk/doublestar"
+	"github.com/bmatcuk/doublestar/v4"
 
 	"github.com/aquasecurity/trivy/pkg/fanal/analyzer"
 	"github.com/aquasecurity/trivy/pkg/fanal/utils"
@@ -15,7 +15,11 @@ import (
 var (
 	// These variables are exported so that a tool importing Trivy as a library can override these values.
 	AppDirs    = []string{".git"}
-	SystemDirs = []string{"proc", "sys", "dev"}
+	SystemDirs = []string{
+		"proc",
+		"sys",
+		"dev",
+	}
 )
 
 const (

diff --git a/pkg/log/logger.go b/pkg/log/logger.go
@@ -114,3 +114,10 @@ func Fatal(err error) {
 	}
 	Logger.Fatal(err)
 }
+
+func String(key, val string) zap.Field {
+	if key == "" || val == "" {
+		return zap.Skip()
+	}
+	return zap.String(key, val)
+}