Support per-LTS branch .trivyignore files
sheidkamp opened this issue
Gloo Edge Product
Open Source
Gloo Edge Version
current
Is your feature request related to a problem? Please describe.
When addressing CVEs on older LTS branches, we sometimes have to leave CVEs unaddressed or introduce new CVEs as we fix older ones, due to lack of support for a full set of fixes constrained by the Kubernetes version.
The mechanism we have to handle this currently is the `.trivyignore` file. When the scheduled security scan runs in CI, it uses the same `.trivyignore` file from the main branch for all security scans. This means that by adding a CVE to the `.trivyignore` file, it will be ignored in scans for all versions, including versions where the CVE has been addressed, potentially masking regressions.
What we would like is the ability to define the CVEs to ignore on a per-version basis.
Describe the solution you'd like
There are two approaches to this to be considered:
- Maintain the CVE lists/`.trivyignore` files in each branch
  - Similar to how we use min/max versions in the `solo-projects` test matrix
  - One CI job/step per LTS which checks out that branch's code
  - Clean to maintain, each branch is documenting
  - UX - aligns with the development task of "build this image and scan for vulnerabilities" on a single branch.
- Maintain a CVE list per LTS branch in main
  - Update jobs to use a different `.trivyignore` file per version, all stored on main
  - UX - aligns with the command line task of "scan multiple versions at once"
  - Have to deprecate versions, stale files persist in LTS branches
Describe alternatives you've considered
No response
Additional Context
Both the OSS and EE scans are run from the OSS CI and use the OSS `.trivyignore` file.
Current components:
CI from https://github.com/solo-io/gloo/blob/main/.github/workflows/trivy-analysis-scheduled.yaml
- Runs on main
- Calls `make run-security-scan` and `make publish-security-scan` with MIN_SCANNED_VERSION and other ENV variables set
- Calls one job, which does all scans

Makefile https://github.com/solo-io/gloo/blob/main/Makefile#L1203
- run-security-scan
  - Sets MIN_SCANNED_VERSION and calls `go run docs/cmd/generate_docs.go run-security-scan`
  - Runs for gloo and glooe image repositories.
- publish-security-scan
  - Copies files generated by run-security-scan to bucket
- scan-version https://github.com/solo-io/gloo/blob/main/Makefile#L1210
  - unused in the current process, but worth noting

generate_docs - https://github.com/solo-io/gloo/blob/main/docs/cmd/generate_docs.go#L116
- Uses https://github.com/solo-io/gloo/blob/main/docs/cmd/generate_docs.go#L317
  - Generates `SecurityScanRepo` struct(s) to pass as arguments for goutils
  - Array, but only one of oss/enterprise
  - `VersionConstraint` field controls what gets scanned

go-utils https://github.com/solo-io/go-utils/blob/main/securityscanutils/securityscan.go#L124
- Generates scans
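As an added illustration of the masking problem raised under "Describe the solution you'd like" (example code, not from the issue or the gloo repository): it applies either one shared `.trivyignore` (status quo) or a per-LTS-branch file (proposed) to constructed per-version scan results and reports the findings that only the shared file would hide. The version labels and vulnerability IDs are constructed placeholders; the `exp:` suffix is Trivy's expiry syntax for `.trivyignore` entries.

```python
# Added example (not from the issue or the gloo repo): a small model of the
# masking problem. It applies either one shared .trivyignore (status quo) or a
# per-LTS-branch file (proposed) to constructed per-version scan results and
# reports the findings that only the shared file would hide.
from datetime import date


def parse_trivyignore(text: str, today: date) -> set[str]:
    """Return the active IDs in a .trivyignore body.

    One vulnerability ID per line, '#' starts a comment, and an optional
    'exp:YYYY-MM-DD' token (Trivy's expiry syntax) makes the entry lapse.
    """
    active = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        vuln_id, *extra = line.split()
        expiry = next((t[4:] for t in extra if t.startswith("exp:")), None)
        if expiry and date.fromisoformat(expiry) < today:
            continue  # lapsed entry: the scanner reports the finding again
        active.add(vuln_id)
    return active


def filter_findings(findings, ignore_text_for, today):
    """findings: version -> set of IDs; ignore_text_for: version -> .trivyignore body."""
    return {v: ids - parse_trivyignore(ignore_text_for[v], today)
            for v, ids in findings.items()}


def masked_by_shared_file(findings, shared_text, per_branch_text, today):
    """(version, ID) pairs reported with per-branch files but hidden by the shared one."""
    shared = filter_findings(findings, {v: shared_text for v in findings}, today)
    per_branch = filter_findings(findings, per_branch_text, today)
    return {(v, i) for v in findings for i in per_branch[v] - shared[v]}


# Constructed sample data; the IDs are placeholders, not real CVEs.
FINDINGS = {
    "v1.14": {"CVE-0000-0001", "CVE-0000-0002"},
    "v1.15": {"CVE-0000-0002"},          # 0001 fixed on this branch
    "v1.16": {"CVE-0000-0001"},          # 0001 regressed on this branch
}
SHARED_IGNORE = ("CVE-0000-0001  # unfixable on v1.14 without a k8s bump\n"
                 "CVE-0000-0002 exp:2024-01-01\n")
PER_BRANCH_IGNORE = {"v1.14": SHARED_IGNORE,
                     "v1.15": "CVE-0000-0002 exp:2024-01-01\n",
                     "v1.16": ""}

if __name__ == "__main__":
    print(masked_by_shared_file(FINDINGS, SHARED_IGNORE, PER_BRANCH_IGNORE, date(2023, 6, 1)))
```

With the shared file, the regression on v1.16 is suppressed; with a per-branch file it is reported, which is the behaviour the per-LTS `.trivyignore` request is after.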