
Trivy: Support Multiple .trivyignore Files #552

@sam-heilbron

Description

Background

Trivy does not natively support multiple files which dictate which CVEs to ignore. We want to add support for that concept in our internal tool.

Context

We maintain multiple Long Term Support branches/versions of our product. This means that some of our older versions of software can be more susceptible to vulnerabilities, if the libraries are out of date. In general, we want to update all of our dependencies. Sometimes however, it can be determined that a vulnerability does not affect the product, and thus we want to ignore it.

The challenge is that with a single trivyignore file, we ignore this vulnerability for all versions/branches. This can lead to situations where we swallow a vulnerability on one branch, and that leads us to not recognize its existence on other branches.

Solution Ideas

This change should be isolated to the trivy scanner implementation so that it is opaque to consumers of it.

The main question likely is around the lifecycle of a scanner compared to the lifecycle of these ignore files. I would imagine that a scanner would be constructed/initialized with a set of files, and they would not change.

Here is what I had in mind:

  • You can configure the scanner with a list of files
  • If the list is empty, the scanner does not specify the --ignorefile parameter, since the default is .trivyignore and we assume that current consumers rely on that behavior
  • If the list is non-empty, the scanner will build a temporary file, which is a concatenation of the provided files. It will pass that new temporary file as the --ignorefile parameter, and it will delete the file when the object is deleted
