.trivyignore list added

Required-githooks: true Signed-off-by: Tomasz Gromadzki <[email protected]>
grom72 · Dec 20, 2023 · ee964b7 · ee964b7
1 parent 85334ea
commit ee964b7
Show file tree

Hide file tree

Showing 3 changed files with 271 additions and 2 deletions.
diff --git a/.github/workflows/trivit.yml b/.github/workflows/trivit.yml
@@ -33,12 +33,12 @@ jobs:
 
       - name: Generate trivy report
         run: |
-          trivy fs --list-all-pkgs --exit-code 0 --format template --template "@./ci/csv.tpl" \
+          trivy fs -c ci/trivy.yaml \
             --output trivy-report-daos.$(git branch --show-current | sed -e 's/release\///').csv .
 
       - uses: actions/upload-artifact@v4
         with:
           path: trivy-report-daos.*
 
       - name: Scan with trivy
-        run: trivy fs --list-all-pkgs --exit-code 1 .
+        run: trivy fs -c ci/trivy.yaml --list-all-pkgs --exit-code 1 .
diff --git a/ci/.trivyignore b/ci/.trivyignore
@@ -0,0 +1,17 @@
+## Accept the risk
+CVE-2022-40149
+CVE-2022-40150
+CVE-2022-45685
+CVE-2022-45693
+CVE-2023-1436
+CVE-2023-34453
+CVE-2023-34454
+CVE-2023-34455
+GHSA-58qw-p7qm-5rvh
+CVE-2021-22569
+CVE-2021-22570
+CVE-2022-3509
+CVE-2022-3510
+CVE-2022-3171
+CVE-2023-39410
+CVE-2023-43642
diff --git a/ci/trivy.yaml b/ci/trivy.yaml
@@ -0,0 +1,252 @@
+cache:
+  backend: fs
+  clear: false
+  dir:
+  redis:
+    ca: ""
+    cert: ""
+    key: ""
+    tls: false
+    ttl: 0s
+config: trivy.yaml
+db:
+  download-java-only: false
+  download-only: false
+  java-repository: ghcr.io/aquasecurity/trivy-java-db
+  java-skip-update: false
+  light: false
+  no-progress: false
+  repository: ghcr.io/aquasecurity/trivy-db
+  skip-update: false
+debug: false
+dependency-tree: false
+exit-code: 0
+format: template
+generate-default-config: false
+ignore-policy: ""
+ignorefile: ./ci/.trivyignore
+include-dev-deps: false
+insecure: false
+license:
+  confidencelevel: "0.9"
+  forbidden:
+    - AGPL-1.0
+    - AGPL-3.0
+    - CC-BY-NC-1.0
+    - CC-BY-NC-2.0
+    - CC-BY-NC-2.5
+    - CC-BY-NC-3.0
+    - CC-BY-NC-4.0
+    - CC-BY-NC-ND-1.0
+    - CC-BY-NC-ND-2.0
+    - CC-BY-NC-ND-2.5
+    - CC-BY-NC-ND-3.0
+    - CC-BY-NC-ND-4.0
+    - CC-BY-NC-SA-1.0
+    - CC-BY-NC-SA-2.0
+    - CC-BY-NC-SA-2.5
+    - CC-BY-NC-SA-3.0
+    - CC-BY-NC-SA-4.0
+    - Commons-Clause
+    - Facebook-2-Clause
+    - Facebook-3-Clause
+    - Facebook-Examples
+    - WTFPL
+  full: false
+  ignored: []
+  notice:
+    - AFL-1.1
+    - AFL-1.2
+    - AFL-2.0
+    - AFL-2.1
+    - AFL-3.0
+    - Apache-1.0
+    - Apache-1.1
+    - Apache-2.0
+    - Artistic-1.0-cl8
+    - Artistic-1.0-Perl
+    - Artistic-1.0
+    - Artistic-2.0
+    - BSL-1.0
+    - BSD-2-Clause-FreeBSD
+    - BSD-2-Clause-NetBSD
+    - BSD-2-Clause
+    - BSD-3-Clause-Attribution
+    - BSD-3-Clause-Clear
+    - BSD-3-Clause-LBNL
+    - BSD-3-Clause
+    - BSD-4-Clause
+    - BSD-4-Clause-UC
+    - BSD-Protection
+    - CC-BY-1.0
+    - CC-BY-2.0
+    - CC-BY-2.5
+    - CC-BY-3.0
+    - CC-BY-4.0
+    - FTL
+    - ISC
+    - ImageMagick
+    - Libpng
+    - Lil-1.0
+    - Linux-OpenIB
+    - LPL-1.02
+    - LPL-1.0
+    - MS-PL
+    - MIT
+    - NCSA
+    - OpenSSL
+    - PHP-3.01
+    - PHP-3.0
+    - PIL
+    - Python-2.0
+    - Python-2.0-complete
+    - PostgreSQL
+    - SGI-B-1.0
+    - SGI-B-1.1
+    - SGI-B-2.0
+    - Unicode-DFS-2015
+    - Unicode-DFS-2016
+    - Unicode-TOU
+    - UPL-1.0
+    - W3C-19980720
+    - W3C-20150513
+    - W3C
+    - X11
+    - Xnet
+    - Zend-2.0
+    - zlib-acknowledgement
+    - Zlib
+    - ZPL-1.1
+    - ZPL-2.0
+    - ZPL-2.1
+  permissive: []
+  reciprocal:
+    - APSL-1.0
+    - APSL-1.1
+    - APSL-1.2
+    - APSL-2.0
+    - CDDL-1.0
+    - CDDL-1.1
+    - CPL-1.0
+    - EPL-1.0
+    - EPL-2.0
+    - FreeImage
+    - IPL-1.0
+    - MPL-1.0
+    - MPL-1.1
+    - MPL-2.0
+    - Ruby
+  restricted:
+    - BCL
+    - CC-BY-ND-1.0
+    - CC-BY-ND-2.0
+    - CC-BY-ND-2.5
+    - CC-BY-ND-3.0
+    - CC-BY-ND-4.0
+    - CC-BY-SA-1.0
+    - CC-BY-SA-2.0
+    - CC-BY-SA-2.5
+    - CC-BY-SA-3.0
+    - CC-BY-SA-4.0
+    - GPL-1.0
+    - GPL-2.0
+    - GPL-2.0-with-autoconf-exception
+    - GPL-2.0-with-bison-exception
+    - GPL-2.0-with-classpath-exception
+    - GPL-2.0-with-font-exception
+    - GPL-2.0-with-GCC-exception
+    - GPL-3.0
+    - GPL-3.0-with-autoconf-exception
+    - GPL-3.0-with-GCC-exception
+    - LGPL-2.0
+    - LGPL-2.1
+    - LGPL-3.0
+    - NPL-1.0
+    - NPL-1.1
+    - OSL-1.0
+    - OSL-1.1
+    - OSL-2.0
+    - OSL-2.1
+    - OSL-3.0
+    - QPL-1.0
+    - Sleepycat
+  unencumbered:
+    - CC0-1.0
+    - Unlicense
+    - 0BSD
+list-all-pkgs: false
+misconfiguration:
+  cloudformation:
+    params: []
+  helm:
+    set: []
+    set-file: []
+    set-string: []
+    values: []
+  include-non-failures: false
+  policy-bundle-repository: ghcr.io/aquasecurity/trivy-policies:0
+  reset-policy-bundle: false
+  scanners:
+    - azure-arm
+    - cloudformation
+    - dockerfile
+    - helm
+    - kubernetes
+    - terraform
+    - terraformplan
+  terraform:
+    exclude-downloaded-modules: false
+    vars: []
+module:
+  dir:
+  enable-modules: []
+output: ""
+output-plugin-arg: ""
+quiet: false
+registry:
+  password: []
+  token: ""
+  username: []
+rego:
+  data: []
+  namespaces: []
+  policy: []
+  skip-policy-update: false
+  trace: false
+report: all
+reset: false
+scan:
+  compliance: ""
+  file-patterns: []
+  offline: false
+  parallel: 5
+  rekor-url: https://rekor.sigstore.dev
+  sbom-sources: []
+  scanners:
+    - vuln
+    - secret
+  skip-dirs: []
+  skip-files: []
+  slow: false
+secret:
+  config: trivy-secret.yaml
+server:
+  addr: ""
+  custom-headers: []
+  token: ""
+  token-header: Trivy-Token
+severity:
+  - UNKNOWN
+  - LOW
+  - MEDIUM
+  - HIGH
+  - CRITICAL
+template: '@./ci/csv.tpl'
+timeout: 5m0s
+version: false
+vulnerability:
+  ignore-status: []
+  ignore-unfixed: false
+  type:
+    - os
+    - library