
bump trivy to v0.57.1 #263

Merged
merged 1 commit into from
Nov 25, 2024

Conversation

nikpivkin
Contributor

@nikpivkin nikpivkin commented Nov 19, 2024

In this PR:

  • trivy updated to v0.57.1
  • added a package with flags and options since they were removed from Trivy (feat(aws)!: Remove aws subcommand trivy#6995)
  • the plugin only uses Rego checks
  • added support for --no-progress flag to suppress progressbar
  • the log package from trivy (slog) is used for logging.

Signed-off-by: Nikita Pivkin <[email protected]>
Comment on lines -169 to -186
  {
    "Type": "AWS",
    "ID": "AVD-AWS-0092",
    "AVDID": "AVD-AWS-0092",
    "Title": "S3 Buckets not publicly accessible through ACL.",
    "Description": "Buckets should not have ACLs that allow public access",
    "Resolution": "Don't use canned ACLs or switch to private acl",
    "Severity": "HIGH",
    "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0092",
    "References": [
      "https://avd.aquasec.com/misconfig/avd-aws-0092"
    ],
    "Status": "PASS",
    "Layer": {},
    "CauseMetadata": {
      "Resource": "arn:aws:s3:::examplebucket",
      "Provider": "aws",
      "Service": "s3",
Contributor Author

This check is still considered passed, but due to the specificity of Rego checks, all passed checks will have an empty target.

Comment on lines +185 to +210
  {
    "Type": "AWS",
    "ID": "AVD-AWS-0089",
    "AVDID": "AVD-AWS-0089",
    "Title": "S3 Bucket Logging",
    "Description": "Ensures S3 bucket logging is enabled for S3 buckets",
    "Message": "Bucket has logging disabled",
    "Namespace": "builtin.aws.s3.aws0089",
    "Query": "deny",
    "Resolution": "Add a logging block to the resource to enable access logging",
    "Severity": "LOW",
    "PrimaryURL": "https://avd.aquasec.com/misconfig/avd-aws-0089",
    "References": [
      "https://avd.aquasec.com/misconfig/avd-aws-0089"
    ],
    "Status": "FAIL",
    "Layer": {},
    "CauseMetadata": {
      "Resource": "arn:aws:s3:::examplebucket",
      "Provider": "aws",
      "Service": "s3",
      "Code": {
        "Lines": null
      }
    }
  },
Contributor Author

Strange that this check didn't work before, but according to the s3onlycache.json cache file the bucket has no logging.

@nikpivkin nikpivkin marked this pull request as ready for review November 20, 2024 09:08
@nikpivkin nikpivkin requested a review from simar7 as a code owner November 20, 2024 09:08
@nikpivkin
Contributor Author

nikpivkin commented Nov 20, 2024

@simar7 What do you think about if we move the JSON content of reports from go to separate golden files to make them easier to maintain? I think we can also make the tests in run_test.go integration and set options via flags, as is done in Trivy. I can do this in a separate PR.

@simar7
Member

simar7 commented Nov 23, 2024

@simar7 What do you think about if we move the JSON content of reports from go to separate golden files to make them easier to maintain? I think we can also make the tests in run_test.go integration and set options via flags, as is done in Trivy. I can do this in a separate PR.

Sure, sounds good to me.

Comment on lines +86 to +87
// combine results without a target for consistency of the result
filtered = combineResults(filtered)
Member

What's this for? Should we do it as a separate feature PR?

Contributor Author

Results can have multiple records without a target in different order which sometimes causes tests to fail. This function simply merges the results without a target and sorts the misconfigs by AVDID.
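The two review threads above describe the same behaviour from both ends: with Rego checks every PASS record lands in a result with an empty target, and because those target-less records can arrive in any order the plugin merges them and sorts by AVDID before comparing against expected output. The following is an added illustration of that merge-and-sort step, not the plugin's own combineResults or Trivy's types: Result and Misconfiguration are simplified stand-ins defined here, and sampleResults is constructed input modelled on the excerpts in the discussion (the extra passing AVD-AWS-0089 record is invented so the sort has two entries to order).

```go
package main

import (
	"fmt"
	"sort"
)

// Result is a hypothetical, simplified stand-in for the per-target scan result
// the plugin post-processes; it is not Trivy's own types.Result.
type Result struct {
	Target            string
	Misconfigurations []Misconfiguration
}

// Misconfiguration keeps only the fields the merge and sort depend on
// (hypothetical, simplified; not Trivy's own type).
type Misconfiguration struct {
	AVDID  string
	Title  string
	Status string
}

// combineResults folds every result whose Target is empty (with Rego checks,
// every PASS ends up there) into one result, sorts that result's
// misconfigurations by AVDID, and places it first. Results that carry a
// target are kept as they are, in their original order, so the output no
// longer depends on the order in which target-less records arrived.
func combineResults(results []Result) []Result {
	var merged []Misconfiguration
	var withTarget []Result
	sawTargetless := false
	for _, r := range results {
		if r.Target != "" {
			withTarget = append(withTarget, r)
			continue
		}
		sawTargetless = true
		merged = append(merged, r.Misconfigurations...)
	}
	if !sawTargetless {
		return withTarget
	}
	// Stable sort keeps records that share an AVDID in arrival order.
	sort.SliceStable(merged, func(i, j int) bool {
		return merged[i].AVDID < merged[j].AVDID
	})
	return append([]Result{{Misconfigurations: merged}}, withTarget...)
}

// avdIDs lists the AVDIDs of a result in order; handy for assertions and logs.
func avdIDs(r Result) []string {
	ids := make([]string, 0, len(r.Misconfigurations))
	for _, m := range r.Misconfigurations {
		ids = append(ids, m.AVDID)
	}
	return ids
}

// sampleResults is constructed input: two PASS records without a target and
// one FAIL record that has a target. The passing AVD-AWS-0089 record is
// invented for this example.
func sampleResults() []Result {
	return []Result{
		{Target: "", Misconfigurations: []Misconfiguration{
			{AVDID: "AVD-AWS-0092", Title: "S3 Buckets not publicly accessible through ACL.", Status: "PASS"},
		}},
		{Target: "arn:aws:s3:::examplebucket", Misconfigurations: []Misconfiguration{
			{AVDID: "AVD-AWS-0089", Title: "S3 Bucket Logging", Status: "FAIL"},
		}},
		{Target: "", Misconfigurations: []Misconfiguration{
			{AVDID: "AVD-AWS-0089", Title: "S3 Bucket Logging", Status: "PASS"},
		}},
	}
}

// reverse returns a copy of rs in the opposite order, simulating the
// unstable ordering that made the tests flaky.
func reverse(rs []Result) []Result {
	out := make([]Result, len(rs))
	for i, r := range rs {
		out[len(rs)-1-i] = r
	}
	return out
}

func main() {
	// Both input orders should print the same combined layout.
	for _, in := range [][]Result{sampleResults(), reverse(sampleResults())} {
		for _, r := range combineResults(in) {
			fmt.Printf("target=%q avdids=%v\n", r.Target, avdIDs(r))
		}
		fmt.Println("--")
	}
}
```

The merged result is placed first deliberately: a fixed position plus a sort on AVDID is what makes a golden-file comparison stable, and the pass-through of targeted results keeps the FAIL findings attached to the resource they belong to.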

@simar7 simar7 self-requested a review November 25, 2024 22:14
@simar7 simar7 added this pull request to the merge queue Nov 25, 2024
Merged via the queue into aquasecurity:main with commit 8c23d8f Nov 25, 2024
5 checks passed
@nikpivkin nikpivkin deleted the bump-trivy branch November 26, 2024 04:13
2 participants