Skip to content

Commit

Permalink
Support ignoring different policies for Trivy
Browse files Browse the repository at this point in the history
  • Loading branch information
@toanhminh0412
toanhminh0412 committed Jan 23, 2025
1 parent 6c342ac commit ea485b1
Show file tree
Hide file tree
Showing 4 changed files with 176 additions and 0 deletions.
105 changes: 105 additions & 0 deletions templates/trivy/trivy-advanced-policies-cm.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
{{- if .Values.trivy.enabled }}
{{- if eq .Values.trivy.ignorePolicy "advanced" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: trivy-advanced-policies
namespace: {{ .Release.Namespace | quote }}
data:
advanced.rego: |
package trivy
import data.lib.trivy
default ignore = false
nvd_v3_vector = v {
v := input.CVSS.nvd.v3
}
# Ignore a vulnerability which requires high privilege
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.UserInteraction == "Required"
}
ignore {
input.PkgName == "openssl"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local"}
cvss_vector.AttackVector == ignore_attack_vectors[_]
}
ignore {
input.PkgName == "openssl"
# Evaluate severity
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
# Evaluate CWE-ID
deny_cwe_ids := {
"CWE-119", # Improper Restriction of Operations within the Bounds of a Memory Buffer
"CWE-200", # Exposure of Sensitive Information to an Unauthorized Actor
}
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}
ignore {
input.PkgName == "bash"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
cvss_vector.AttackVector == ignore_attack_vectors[_]
# Evaluate severity
input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
}
ignore {
input.PkgName == "django"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate Attack Vector
ignore_attack_vectors := {"Physical", "Local"}
cvss_vector.AttackVector == ignore_attack_vectors[_]
# Evaluate severity
input.Severity == {"LOW", "MEDIUM"}[_]
# Evaluate CWE-ID
deny_cwe_ids := {
"CWE-89", # SQL Injection
"CWE-78", # OS Command Injection
}
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}
ignore {
input.PkgName == "jquery"
# Split CVSSv3 vector
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
# Evaluate CWE-ID
deny_cwe_ids := {"CWE-79"} # XSS
count({x | x := input.CweIDs[_]; x == deny_cwe_ids[_]}) == 0
}
{{- end }}
{{- end }}
56 changes: 56 additions & 0 deletions templates/trivy/trivy-basic-policies-cm.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
{{- if .Values.trivy.enabled }}
{{- if eq .Values.trivy.ignorePolicy "basic" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: trivy-basic-policies
namespace: {{ .Release.Namespace | quote }}
data:
basic.rego: |
package trivy
import data.lib.trivy
default ignore = false
ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
ignore_severities := {"LOW", "MEDIUM"}
nvd_v3_vector = v {
v := input.CVSS.nvd.v3
}
ignore {
input.PkgName == ignore_pkgs[_]
}
ignore {
input.Severity == ignore_severities[_]
}
# Ignore a vulnerability which is not remotely exploitable
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.AttackVector != "Network"
}
# Ignore a vulnerability which requires high privilege
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
cvss_vector.UserInteraction == "Required"
}
# Ignore CSRF
ignore {
# https://cwe.mitre.org/data/definitions/352.html
input.CweIDs[_] == "CWE-352"
}
{{- end }}
{{- end }}
13 changes: 13 additions & 0 deletions templates/trivy/trivy-sts.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,10 @@ spec:
value: {{ .Values.trivy.severity | quote }}
- name: "SCANNER_TRIVY_IGNORE_UNFIXED"
value: {{ .Values.trivy.ignoreUnfixed | default false | quote }}
{{- if ne .Values.trivy.ignorePolicy "none" }}
- name: "SCANNER_TRIVY_IGNORE_POLICY"
value: "/home/scanner/policies/{{ .Values.trivy.ignorePolicy }}.rego"
{{- end }}
- name: "SCANNER_TRIVY_SKIP_UPDATE"
value: {{ .Values.trivy.skipUpdate | default false | quote }}
- name: "SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE"
Expand Down Expand Up @@ -148,6 +152,10 @@ spec:
- name: trivy-internal-certs
mountPath: /etc/harbor/ssl/trivy
{{- end }}
{{- if ne .Values.trivy.ignorePolicy "none" }}
- name: policies
mountPath: /home/scanner/policies
{{- end }}
{{- if .Values.caBundleSecretName }}
{{ include "harbor.caBundleVolumeMount" . | indent 10 }}
{{- end }}
Expand Down Expand Up @@ -190,6 +198,11 @@ spec:
claimName: {{ $trivy.existingClaim }}
{{- end }}
{{- end }}
{{- if ne .Values.trivy.ignorePolicy "none" }}
- name: policies
configMap:
name: trivy-{{ .Values.trivy.ignorePolicy }}-policies
{{- end }}
{{- with .Values.trivy.nodeSelector }}
nodeSelector:
{{ toYaml . | indent 8 }}
Expand Down
2 changes: 2 additions & 0 deletions values.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -841,6 +841,8 @@ trivy:
severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
# ignoreUnfixed the flag to display only fixed vulnerabilities
ignoreUnfixed: false
# Specify policies to ignore when displaying vulnerabilities. Options are "none", "basic" and "advanced".
ignorePolicy: "none"
# insecure the flag to skip verifying registry certificate
insecure: false
# gitHubToken the GitHub access token to download Trivy DB
Expand Down

0 comments on commit ea485b1

Please sign in to comment.