
feat(misconf): Improve logging experience when --ignorefile not found #7093

Closed
2 tasks done
simar7 opened this issue Jul 4, 2024 Discussed in #7089 · 3 comments · Fixed by #7624
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning

Comments

@simar7
Member

simar7 commented Jul 4, 2024

Discussed in #7089

Originally posted by mdirkse July 3, 2024

Description

If an ignore file is specified using the --ignorefile flag and that file doesn't exist Trivy does not produce any warning or error as a result of the misconfiguration.

Desired Behavior

If I configure a --ignorefile flag and the file it points to doesn't exist I expect Trivy to fail with a message that the file is missing or at the very least produce a clearly visible warning about the problem.

Actual Behavior

The missing file is silently ignored and no indication is given of the misconfiguration.

Reproduction Steps

  1. Create an empty directory and, inside, create an empty main.tf file
  2. Run trivy as follows from inside the directory: trivy config --ignorefile non-existant.yaml . --debug
  3. Marvel as it totally ignores the fact that the ignorefile doesn't actually exist

Target

AWS

Scanner

Misconfiguration

Output Format

Table

Mode

Standalone

Debug Output

2024-07-03T11:48:02+02:00	DEBUG	Cache dir	dir="/home/test/.cache/trivy"
2024-07-03T11:48:02+02:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-07-03T11:48:02+02:00	INFO	Misconfiguration scanning is enabled
2024-07-03T11:48:02+02:00	DEBUG	Policies successfully loaded from disk
2024-07-03T11:48:02+02:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-07-03T11:48:02+02:00	DEBUG	Initializing scan cache...	type="memory"
2024-07-03T11:48:02+02:00	DEBUG	[nuget] The nuget packages directory couldn't be found. License search disabled
2024-07-03T11:48:02+02:00	DEBUG	Scanning files for misconfigurations...	scanner="Terraform"
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.334904436 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13950292872129774449 462327134 0x794e200} <nil>} {{{0 0} {[] {} 0xc002bdf850} map[main.tf:0xc0026f3ec8] 0}}}) .}] at '.'...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.337353926 terraform.scanner.rego           Overriding filesystem for checks!
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.338226381 terraform.scanner.rego           Loaded 3 embedded libraries.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.386686920 terraform.scanner.rego           Loaded 192 embedded policies.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.443052531 terraform.scanner.rego           Loaded 195 checks from disk.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.443383089 terraform.scanner.rego           Overriding filesystem for data!
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741278207 terraform.parser.<root>          Setting project/module root to '.'
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741304842 terraform.parser.<root>          Parsing FS from '.'
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741321287 terraform.parser.<root>          Parsing 'main.tf'...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741444275 terraform.parser.<root>          Added file main.tf.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741538386 terraform.scanner                Scanning root module '.'...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741546217 terraform.parser.<root>          Setting project/module root to '.'
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741550273 terraform.parser.<root>          Parsing FS from '.'
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741558717 terraform.parser.<root>          Parsing 'main.tf'...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741633986 terraform.parser.<root>          Added file main.tf.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741643240 terraform.parser.<root>          Evaluating module...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741704561 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741718458 terraform.parser.<root>          Added 0 variables from tfvars.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741762398 terraform.parser.<root>          Working directory for module evaluation is "/home/maarten/Desktop/test"
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741813565 terraform.parser.<root>.evaluator Filesystem key is 'ec10d010430afa2aca76276b18b5e38ab5a53af5ee2f782377570c2e9b491235'
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741820271 terraform.parser.<root>.evaluator Starting module evaluation...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741860521 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741866442 terraform.parser.<root>.evaluator All submodules are evaluated at i=0
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741870937 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741902687 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741907769 terraform.parser.<root>.evaluator Module evaluation complete.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741912898 terraform.parser.<root>          Finished parsing module 'root'.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.741920009 terraform.executor               Adapting modules...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.742114368 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.742122027 terraform.executor               Using max routines of 11
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.742202835 terraform.executor               Initialized 487 rule(s).
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.742208659 terraform.executor               Created pool with 11 worker(s) to apply rules.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.742856975 terraform.scanner.rego           Scanning 1 inputs...
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.744454344 terraform.executor               Finished applying rules.
2024-07-03T11:48:02+02:00	DEBUG	[misconf] 48:02.744469334 terraform.executor               Applying ignores...
2024-07-03T11:48:02+02:00	DEBUG	OS is not detected.
2024-07-03T11:48:02+02:00	INFO	Detected config files	num=1
2024-07-03T11:48:02+02:00	DEBUG	Scanned config file	path="."

Operating System

Linux

Version

Version: 0.53.0
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-07-02 09:48:31.364978325 +0000 UTC

Checklist

@simar7 simar7 added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels Jul 4, 2024
@sgaist
Contributor

sgaist commented Sep 30, 2024

Hi,

I would like to tackle this for Hacktoberfest.

@itaysk
Contributor

itaysk commented Oct 1, 2024

@sgaist there's no Hacktoberfest campaign from us but you're still welcome to work on this

@simar7 simar7 added this to the v0.57.0 milestone Oct 1, 2024
@simar7 simar7 self-assigned this Oct 1, 2024
@matthewriedel-flux

This actually broke our automation when merged into 0.57.0. Our workflow relied on the ability for Trivy to use the ignore file if present in a particular place (as defined by the TRIVY_IGNOREFILE variable), but carry on otherwise. This could be considered a breaking change for other people, I reckon, as well.
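The original report and the last comment pull in opposite directions: a path the user typed (via --ignorefile or TRIVY_IGNOREFILE) that does not exist is a misconfiguration that should not be swallowed silently, while a default location that happens to be empty is a normal condition that automation relies on. The following is an added example, not Trivy's own code, of one way to satisfy both: it returns an error only when the path was explicitly configured, and for the default path it logs a warning and continues. Every name in it (IgnoreSource, LoadIgnoreIDs, ParseIgnoreIDs, the EXAMPLE-ID placeholders) is hypothetical, the sample ignore file is constructed, and the comment-handling rules of the parser are an assumption rather than a description of Trivy's actual ignore-file format.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// IgnoreSource records where the ignore-file path came from. This is the
// distinction the discussion above hinges on: a path the user typed is a
// misconfiguration if it is missing; the built-in default is merely optional.
type IgnoreSource int

const (
	SourceDefault  IgnoreSource = iota // built-in default such as .trivyignore
	SourceExplicit                     // --ignorefile flag or TRIVY_IGNOREFILE
)

// ErrIgnoreFileMissing is returned when an explicitly configured ignore file
// does not exist. Callers can test for it with errors.Is.
var ErrIgnoreFileMissing = errors.New("ignore file not found")

// SampleIgnoreFile is a constructed ignore file used by main; the IDs are
// placeholders, not real check identifiers.
const SampleIgnoreFile = `# constructed sample: one ID per line, # starts a comment

EXAMPLE-ID-0001
EXAMPLE-ID-0002   # trailing comment
`

// LoadIgnoreIDs returns the check IDs listed in the ignore file at path.
// A missing file is an error only when the path was given explicitly; for
// the default path it is reported through logf and treated as empty.
func LoadIgnoreIDs(path string, src IgnoreSource, logf func(format string, args ...any)) ([]string, error) {
	f, err := os.Open(path)
	if err != nil {
		if errors.Is(err, fs.ErrNotExist) {
			if src == SourceExplicit {
				return nil, fmt.Errorf("%w: %q", ErrIgnoreFileMissing, path)
			}
			logf("no ignore file at default path %q, continuing without ignores", path)
			return nil, nil
		}
		// Anything else (e.g. permission denied) is a real error regardless of source.
		return nil, fmt.Errorf("open ignore file %q: %w", path, err)
	}
	defer f.Close()
	return ParseIgnoreIDs(f)
}

// ParseIgnoreIDs parses an assumed line-oriented format: blank lines are
// skipped and everything from '#' to end of line is a comment.
func ParseIgnoreIDs(r io.Reader) ([]string, error) {
	var ids []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		if line = strings.TrimSpace(line); line != "" {
			ids = append(ids, line)
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	return ids, nil
}

func main() {
	dir, err := os.MkdirTemp("", "ignorefile-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	present := filepath.Join(dir, ".trivyignore")
	if err := os.WriteFile(present, []byte(SampleIgnoreFile), 0o600); err != nil {
		panic(err)
	}
	missing := filepath.Join(dir, "non-existant.yaml") // same name as in the report
	warn := func(format string, args ...any) { fmt.Printf("WARN  "+format+"\n", args...) }

	for _, c := range []struct {
		path string
		src  IgnoreSource
	}{
		{present, SourceExplicit}, // explicit and present: IDs loaded
		{missing, SourceExplicit}, // explicit and missing: hard error
		{missing, SourceDefault},  // default and missing: warning, scan continues
	} {
		ids, err := LoadIgnoreIDs(c.path, c.src, warn)
		fmt.Printf("path=%s src=%d ids=%v err=%v\n", filepath.Base(c.path), c.src, ids, err)
	}
}
```

The caller decides the IgnoreSource from how the path was obtained: a value from the flag parser or the environment variable is SourceExplicit, the compiled-in default is SourceDefault. Keeping that decision outside the loader is what makes the behaviour predictable for both the reporter (a typo in the flag fails loudly) and the automation in the last comment (an absent default file is not fatal).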

4 participants