From 58be2dabb52d77ffef521e8056a5235a4007de78 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Thu, 21 Apr 2022 18:27:27 +0000
Subject: [PATCH 1/9] force run trivy stage

---
 kubernetes/linux/Dockerfile.multiarch | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index e94bf71bb..cf4d593d4 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
@@ -43,4 +43,10 @@ RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CR
 
 # Revert to base layer before vulnscan
 FROM base_image AS ContainerInsights
+# force the trivy stage to run
+# docker buildx (BUILDKIT) does not build stages which do not affect the final stage
+# by copying over a file we create a dependency
+# see: https://github.com/docker/build-push-action/issues/377
+COPY --from=vulnscan /usr/local/bin/trivy /usr/local/bin/trivy
+RUN rm /usr/local/bin/trivy
 CMD [ "/opt/main.sh" ]
\ No newline at end of file

From af3c8f84a7e767f3ae39214869118b7698a17757 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Mon, 25 Apr 2022 23:12:07 +0000
Subject: [PATCH 2/9] add trivyignore and second trivy check

---
 .pipelines/.trivyignore               | 6 ++++++
 kubernetes/linux/Dockerfile.multiarch | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 .pipelines/.trivyignore

diff --git a/.pipelines/.trivyignore b/.pipelines/.trivyignore
new file mode 100644
index 000000000..8b7d522f1
--- /dev/null
+++ b/.pipelines/.trivyignore
@@ -0,0 +1,6 @@
+# related to telegraf
+CVE-2021-43816
+CVE-2022-23648
+CVE-2022-24450
+CVE-2022-26652
+CVE-2019-3826
\ No newline at end of file
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index cf4d593d4..a7b8fbda1 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
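Review bot: `RUN rm /usr/local/bin/trivy` on the last added line does not take the scanner out of the final image: the preceding `COPY --from=vulnscan` has already committed the binary to its own layer, and a later `rm` only masks it, so the trivy executable and its size still ship in the ContainerInsights image. Create the stage dependency with a tiny artifact instead, for example let the gating scan in the vulnscan stage (outside this hunk) end with `&& touch /vulnscan-passed`, and replace the two added instructions with `COPY --from=vulnscan /vulnscan-passed /tmp/vulnscan-passed`. The marker file then also records that the scan succeeded, and nothing has to be deleted afterwards.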
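Review bot: Every id in the new `.pipelines/.trivyignore` is suppressed globally: the ignore file is a plain list of vulnerability ids, so the same id reported later against any other package in the image is also hidden from the `--exit-code 1` gate, not only the telegraf finding the comment refers to. Record next to each entry the package it was observed in, the tracking item and when it is expected to go away, e.g. `# CVE-2021-43816 - observed in telegraf - tracked in <WORK-ITEM-PLACEHOLDER>, drop after telegraf upgrade`, and re-check the list whenever telegraf is bumped. The same applies to the entries added to `.trivyignore` in patches 6, 7 and 9 of this series.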
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.15.14 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.18.1 AS builder
 ARG TARGETOS TARGETARCH
 RUN /usr/bin/apt-get update && /usr/bin/apt-get install git g++ make pkg-config libssl-dev libpam0g-dev rpm librpm-dev uuid-dev libkrb5-dev python sudo gcc-aarch64-linux-gnu -y
 
@@ -39,7 +39,10 @@ RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
 # Do vulnerability scan in a seperate stage to avoid adding layer
 FROM base_image AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL --skip-files "/usr/sbin/telegraf" --skip-files "/opt/telegraf" --skip-files "/usr/local/bin/trivy" /
+COPY .pipelines/.trivyignore .trivyignore
+RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" /
+RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib
+RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1
 
 # Revert to base layer before vulnscan
 FROM base_image AS ContainerInsights

From 02832c05ec75414aa3c22576db25ebe69ad6123f Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Mon, 25 Apr 2022 23:43:24 +0000
Subject: [PATCH 3/9] revert extra change

---
 kubernetes/linux/Dockerfile.multiarch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index a7b8fbda1..349b337b3 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
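Review bot: The three added `RUN trivy` lines are ordinary image layers, so their verdict is cached with the layer: a rebuild whose base_image content and command strings are unchanged reuses the old result without consulting a fresh vulnerability database, and a CVE published after the cached run never fails the build. If the pipeline builds with the layer cache enabled, bust it deliberately, for example with an `ARG` that changes per build and is referenced in the first scan `RUN`, or build the vulnscan stage with `--no-cache`. Separately, the gating line sends both scans to `/dev/null`, so on failure the only report is whatever the two unguarded runs above printed, and the separate `/usr/lib` scan has no stated reason; a comment such as `# /usr/lib is scanned on its own because <reason the / scan misses it>` would make the intent clear. The `aquasec/trivy:latest` tag on the context line above is unpinned, so the scanner version, and with it the findings, can change between otherwise identical builds.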
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.18.1 AS builder
+FROM --platform=$BUILDPLATFORM golang:1.15.14 AS builder
 ARG TARGETOS TARGETARCH
 RUN /usr/bin/apt-get update && /usr/bin/apt-get install git g++ make pkg-config libssl-dev libpam0g-dev rpm librpm-dev uuid-dev libkrb5-dev python sudo gcc-aarch64-linux-gnu -y
 

From cf5fdfe382f11a01528631717642036ddbde7e65 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Tue, 26 Apr 2022 00:06:19 +0000
Subject: [PATCH 4/9] fix vulnerability in out_oms

---
 source/plugins/go/src/go.mod | 3 +++
 source/plugins/go/src/go.sum | 7 +++++++
 2 files changed, 10 insertions(+)

diff --git a/source/plugins/go/src/go.mod b/source/plugins/go/src/go.mod
index 9f30afab1..736c48e61 100644
--- a/source/plugins/go/src/go.mod
+++ b/source/plugins/go/src/go.mod
@@ -4,14 +4,17 @@ go 1.14
 
 require (
 	github.com/Azure/azure-kusto-go v0.5.2
+	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/fluent/fluent-bit-go v0.0.0-20171103221316-c4a158a6e3a7
+	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/mock v1.4.1
 	github.com/google/uuid v1.3.0
 	github.com/microsoft/ApplicationInsights-Go v0.4.4
 	github.com/philhofer/fwd v1.1.1 // indirect
 	github.com/tinylib/msgp v1.1.2
 	github.com/ugorji/go v1.1.2-0.20180813092308-00b869d2f4a5
+	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0-20170531160350-a96e63847dc3
 	k8s.io/apimachinery v0.21.0
 	k8s.io/client-go v0.21.0
diff --git a/source/plugins/go/src/go.sum b/source/plugins/go/src/go.sum
index c5d7ea147..0ff060a95 100644
--- a/source/plugins/go/src/go.sum
+++ b/source/plugins/go/src/go.sum
@@ -40,6 +40,8 @@ github.com/Azure/go-autorest/autorest v0.11.12 h1:gI8ytXbxMfI+IVbI9mP2JGCTXIuhHL github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest v0.11.24 h1:1fIGgHKqVm54KIPT+q8Zmd1QlVsmHqeUGso5qm2BqqE= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= +github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= +github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= @@ -53,6 +55,7 @@ github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8K github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= +github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE= 
@@ -114,6 +117,8 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= +github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ= +github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -272,6 +277,8 @@ golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA= +golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= From 599eaec15765b08e5fb35fd0cc356f41e225f615 Mon Sep 17 00:00:00 2001 
From: Amol Agrawal
Date: Tue, 26 Apr 2022 00:31:47 +0000
Subject: [PATCH 5/9] revert go package changes

---
 source/plugins/go/src/go.mod | 3 ---
 source/plugins/go/src/go.sum | 7 -------
 2 files changed, 10 deletions(-)

diff --git a/source/plugins/go/src/go.mod b/source/plugins/go/src/go.mod
index 736c48e61..9f30afab1 100644
--- a/source/plugins/go/src/go.mod
+++ b/source/plugins/go/src/go.mod
@@ -4,17 +4,14 @@ go 1.14
 
 require (
 	github.com/Azure/azure-kusto-go v0.5.2
-	github.com/Azure/go-autorest/autorest v0.11.27 // indirect
 	github.com/Azure/go-autorest/autorest/azure/auth v0.5.11
 	github.com/fluent/fluent-bit-go v0.0.0-20171103221316-c4a158a6e3a7
-	github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
 	github.com/golang/mock v1.4.1
 	github.com/google/uuid v1.3.0
 	github.com/microsoft/ApplicationInsights-Go v0.4.4
 	github.com/philhofer/fwd v1.1.1 // indirect
 	github.com/tinylib/msgp v1.1.2
 	github.com/ugorji/go v1.1.2-0.20180813092308-00b869d2f4a5
-	golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 // indirect
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0-20170531160350-a96e63847dc3
 	k8s.io/apimachinery v0.21.0
 	k8s.io/client-go v0.21.0
diff --git a/source/plugins/go/src/go.sum b/source/plugins/go/src/go.sum
index 0ff060a95..c5d7ea147 100644
--- a/source/plugins/go/src/go.sum
+++ b/source/plugins/go/src/go.sum
@@ -40,8 +40,6 @@ github.com/Azure/go-autorest/autorest v0.11.12 h1:gI8ytXbxMfI+IVbI9mP2JGCTXIuhHL github.com/Azure/go-autorest/autorest v0.11.12/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw= github.com/Azure/go-autorest/autorest v0.11.24 h1:1fIGgHKqVm54KIPT+q8Zmd1QlVsmHqeUGso5qm2BqqE= github.com/Azure/go-autorest/autorest v0.11.24/go.mod h1:G6kyRlFnTuSbEYkQGawPfsCswgme4iYf6rfSKUDzbCc= -github.com/Azure/go-autorest/autorest v0.11.27 h1:F3R3q42aWytozkV8ihzcgMO4OA4cuqr3bNlsEuF6//A= -github.com/Azure/go-autorest/autorest v0.11.27/go.mod h1:7l8ybrIdUmGqZMTD0sRtAr8NvbHjfofbf8RSP2q7w7U= github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0= github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A= github.com/Azure/go-autorest/autorest/adal v0.9.13/go.mod h1:W/MM4U6nLxnIskrw4UwWzlHfGjwUS50aOsc/I3yuU8M= @@ -55,7 +53,6 @@ github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8K github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74= github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk= github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k= -github.com/Azure/go-autorest/autorest/mocks v0.4.2/go.mod h1:Vy7OitM9Kei0i1Oj+LvyAWMXJHeKH1MVlzFugfVrmyU= github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk= github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE= github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE= 
@@ -117,8 +114,6 @@ github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69 github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0 h1:besgBTC8w8HjP6NzQdxwKH9Z5oQMZ24ThTrHp3cZ8eU= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ= -github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q= github.com/golang/groupcache v0.0.0-20190702054246-869f871628b6/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= github.com/golang/groupcache v0.0.0-20191227052852-215e87163ea7/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc= @@ -277,8 +272,6 @@ golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWP golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3 h1:0es+/5331RGQPcXlMfP+WrnIIS6dNnNRe0WB02W0F4M= golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4 h1:kUhD7nTDoI3fVd9G4ORWrbV5NY0liEs/Jg2pv5f+bBA= -golang.org/x/crypto v0.0.0-20220411220226-7b82a4e95df4/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= From 7086bd6cc3d6495b251fa734c3d9f3d5e7e2006d Mon Sep 17 00:00:00 2001 
From: Amol Agrawal
Date: Tue, 26 Apr 2022 18:42:19 +0000
Subject: [PATCH 6/9] change trivyignore location

---
 .github/workflows/pr-checker.yml      | 2 --
 .pipelines/.trivyignore               | 6 ------
 .trivyignore                          | 7 +++++++
 kubernetes/linux/Dockerfile.multiarch | 1 -
 4 files changed, 7 insertions(+), 9 deletions(-)
 delete mode 100644 .pipelines/.trivyignore
 create mode 100644 .trivyignore

diff --git a/.github/workflows/pr-checker.yml b/.github/workflows/pr-checker.yml
index f0cea063d..91e81dc16 100644
--- a/.github/workflows/pr-checker.yml
+++ b/.github/workflows/pr-checker.yml
@@ -56,8 +56,6 @@ jobs:
           format: 'table'
           severity: 'CRITICAL,HIGH'
           vuln-type: 'os,library'
-          #[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
-          skip-files: '/usr/sbin/telegraf,/opt/telegraf'
           exit-code: '1'
           timeout: '5m0s'
           ignore-unfixed: true
diff --git a/.pipelines/.trivyignore b/.pipelines/.trivyignore
deleted file mode 100644
index 8b7d522f1..000000000
--- a/.pipelines/.trivyignore
+++ /dev/null
@@ -1,6 +0,0 @@
-# related to telegraf
-CVE-2021-43816
-CVE-2022-23648
-CVE-2022-24450
-CVE-2022-26652
-CVE-2019-3826
\ No newline at end of file
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..9f0cbb4a1
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,7 @@
+# related to telegraf
+#[vishwa] - Fix telegraf & test all for next release - see work item #https://msazure.visualstudio.com/InfrastructureInsights/_workitems/edit/13322134
+CVE-2021-43816
+CVE-2022-23648
+CVE-2022-24450
+CVE-2022-26652
+CVE-2019-3826
\ No newline at end of file
diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index 349b337b3..7506b9c95 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
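Review bot: Dropping `skip-files` from the trivy-action step means the telegraf findings it used to mask are now expected to be suppressed by the repository-root `.trivyignore` created in the same patch, yet nothing in the step points at that file, so the suppression only works if the action happens to scan from the checkout root where Trivy's default ignore-file lookup finds it. Make the dependency explicit, if the action version in use supports it, with `trivyignores: '.trivyignore'` in the step's inputs, and record the reason above the step: `# telegraf CVEs are suppressed via the root .trivyignore, not skip-files`. The rest of the step's inputs lie outside this hunk.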
@@ -39,7 +39,6 @@ RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH}
 # Do vulnerability scan in a seperate stage to avoid adding layer
 FROM base_image AS vulnscan
 COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy
-COPY .pipelines/.trivyignore .trivyignore
 RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" /
 RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib
 RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1

From 41e93ab33239bd68a8db43d85348ab0bb2ef7bd4 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Tue, 26 Apr 2022 18:49:48 +0000
Subject: [PATCH 7/9] add telegraf vulns

---
 .trivyignore | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.trivyignore b/.trivyignore
index 9f0cbb4a1..415220426 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -4,4 +4,6 @@ CVE-2021-43816
 CVE-2022-23648
 CVE-2022-24450
 CVE-2022-26652
-CVE-2019-3826
\ No newline at end of file
+CVE-2019-3826
+CVE-2022-27191
+CVE-2021-42836
\ No newline at end of file

From 3263821692856d2269c7b4401e5536b010144fc9 Mon Sep 17 00:00:00 2001
From: Amol Agrawal
Date: Wed, 27 Apr 2022 16:06:36 +0000
Subject: [PATCH 8/9] use trivyignore

---
 kubernetes/linux/Dockerfile.multiarch | 1 +
 1 file changed, 1 insertion(+)

diff --git a/kubernetes/linux/Dockerfile.multiarch b/kubernetes/linux/Dockerfile.multiarch
index 7506b9c95..38103dd65 100644
--- a/kubernetes/linux/Dockerfile.multiarch
+++ b/kubernetes/linux/Dockerfile.multiarch
@@ -39,6 +39,7 @@ RUN chmod 775 $tmpdir/*.sh; sync; $tmpdir/setup.sh ${TARGETARCH} # Do vulnerability scan in a seperate stage to avoid adding layer FROM base_image AS vulnscan COPY --from=aquasec/trivy:latest /usr/local/bin/trivy /usr/local/bin/trivy +COPY .trivyignore .trivyignore RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / RUN trivy rootfs --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib RUN trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM --skip-files "/usr/local/bin/trivy" / > /dev/null 2>&1 && trivy rootfs --exit-code 1 --ignore-unfixed --no-progress --severity HIGH,CRITICAL,MEDIUM /usr/lib > /dev/null 2>&1 From 7d0afe5028a758118b0439b2a78e351cae4fff57 Mon Sep 17 00:00:00 2001 From: Amol Agrawal Date: Wed, 27 Apr 2022 16:43:39 +0000 Subject: [PATCH 9/9] add ruby vulns to trivyignore --- .trivyignore | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.trivyignore b/.trivyignore index 415220426..1b6a7090b 100644 --- a/.trivyignore +++ b/.trivyignore @@ -6,4 +6,12 @@ CVE-2022-24450 CVE-2022-26652 CVE-2019-3826 CVE-2022-27191 -CVE-2021-42836 \ No newline at end of file +CVE-2021-42836 + +# ruby in /usr/lib +CVE-2020-36327 +CVE-2021-43809 +CVE-2021-41816 +CVE-2021-41819 +CVE-2021-31799 +CVE-2021-28965 \ No newline at end of file
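Review bot: `COPY .trivyignore .trivyignore` places the file in whatever `WORKDIR` is in effect for the vulnscan stage, which is set outside this hunk, and the three `trivy rootfs` lines only honour it because they run from that same directory and rely on Trivy's default ignore-file lookup; nothing in the stage makes that coupling visible, so a later `WORKDIR` change would silently re-enable every suppressed finding. Give the file an absolute destination, `COPY .trivyignore /.trivyignore`, and add `--ignorefile /.trivyignore` to each of the three scan lines, or at minimum put `# trivy reads .trivyignore from the current directory; keep it next to the scans` above the COPY. Because the ignore file is copied before the scans, editing it correctly invalidates the cached scan layers, which is worth a comment too.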