solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy

Home Page:https://docs.solo.io/

Support per-LTS branch .trivyignore files

sheidkamp opened this issue

Gloo Edge Product

Open Source

Gloo Edge Version

current

Is your feature request related to a problem? Please describe.

When addressing CVEs on older LTS branches, we sometimes have to leave CVEs unaddressed or introduce new CVEs as we fix older ones due to lack of support for a full set of fixes constrained by the Kubernetes version.

For example: #9452 and #9451

The mechanism we have to handle this currently is the .trivyignore file. When the scheduled security scan runs in CI, it uses the same .trivyignore file from the main branch for all security scans. This means that by adding a CVE to the .trivyignore file, it will be ignored in scans for all versions, including versions where the CVE has been addressed, potentially masking regressions.

What we would like is the ability to define the CVEs to ignore on a per-version basis.

Describe the solution you'd like

There are two approaches to this to be considered:

  • Maintain the CVE lists/.trivyignore files in each branch
    • Similar to how we use min/max versions in solo-projects test matrix
    • One CI job/step per LTS which checks out that branch's code
    • Clean to maintain, each branch is documenting
    • UX - aligns with development task of "build this image and scan for vulnerabilities" on single branch.
  • Maintain a CVE list per LTS branch in main
    • Update jobs to use a different .trivyignore file per version, all stored on main
    • UX - aligns with command line task of "scan multiple versions at once"
    • Have to deprecate versions, stale files persist in LTS branches

Describe alternatives you've considered

No response

Additional Context

Both the OSS and EE scans are run from the OSS CI and use the OSS .trivyignore file.

Current components:

CI from https://github.com/solo-io/gloo/blob/main/.github/workflows/trivy-analysis-scheduled.yaml

  • Runs on main
  • Calls make run-security-scan and make publish-security-scan with MIN_SCANNED_VERSION and other ENV variables set
  • Calls one job, which does all scans

Makefile https://github.com/solo-io/gloo/blob/main/Makefile#L1203

  • run-security-scan
    • Sets MIN_SCANNED_VERSION and calls go run docs/cmd/generate_docs.go run-security-scan
    • Runs for gloo and glooe image repositories.
  • publish-security-scan
    • Copies files generated by run-security-scan to bucket
  • scan-version https://github.com/solo-io/gloo/blob/main/Makefile#L1210
    • unused in the current process, but worth noting

generate_docs - https://github.com/solo-io/gloo/blob/main/docs/cmd/generate_docs.go#L116

go-utils https://github.com/solo-io/go-utils/blob/main/securityscanutils/securityscan.go#L124

Generates scans
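As an added illustration of the second approach above (per-LTS ignore lists kept on main and selected per scanned version), and not code from the gloo repository or its CI: a small POSIX sh helper that maps an image version to its LTS line, picks the matching ignore file with a fallback to the shared one, and prints the resulting `trivy image --ignorefile` invocation. The `.trivyignore.d/` directory, the `<major>.<minor>.trivyignore` naming, the `registry.example/gloo` image name and the CVE ids are assumptions constructed for the example.

```shell
# Added example, not gloo's own code: choose a per-LTS-branch .trivyignore for
# the version being scanned, so a CVE suppressed on one LTS line is not
# silently ignored for versions where it has been fixed.
# Assumptions (not from the issue): ignore files live in .trivyignore.d/ and
# are named <major>.<minor>.trivyignore; the shared .trivyignore next to that
# directory is the fallback when no per-LTS file exists.

# lts_line_of v1.15.3 -> 1.15 (the LTS branch a version belongs to)
lts_line_of() {
  ver="${1#v}"                 # drop a leading "v"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  printf '%s.%s\n' "$major" "$minor"
}

# select_trivyignore VERSION IGNORE_DIR FALLBACK -> path of the ignore file to
# pass to `trivy image --ignorefile`; uses FALLBACK when no per-LTS file exists
select_trivyignore() {
  candidate="$2/$(lts_line_of "$1").trivyignore"
  if [ -f "$candidate" ]; then
    printf '%s\n' "$candidate"
  else
    printf '%s\n' "$3"
  fi
}

# scan_command VERSION IMAGE IGNORE_DIR FALLBACK -> the trivy invocation for
# one version (printed rather than executed so the example runs offline)
scan_command() {
  ignore="$(select_trivyignore "$1" "$3" "$4")"
  printf 'trivy image --ignorefile %s %s:%s\n' "$ignore" "$2" "$1"
}

# Constructed sample layout: a dedicated list exists for the 1.15 line only.
demo_layout() {
  dir="$(mktemp -d)"
  mkdir "$dir/.trivyignore.d"
  printf 'CVE-0000-0001\n' > "$dir/.trivyignore"                      # shared list
  printf 'CVE-0000-0001\nCVE-0000-0002\n' > "$dir/.trivyignore.d/1.15.trivyignore"
  printf '%s\n' "$dir"
}

main() {
  root="$(demo_layout)"
  for v in v1.15.3 v1.16.0; do   # 1.15 gets its own list, 1.16 falls back
    scan_command "$v" registry.example/gloo "$root/.trivyignore.d" "$root/.trivyignore"
  done
  rm -rf "$root"
}
main
```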