Nothing Special   »   [go: up one dir, main page]
Page MenuHomePhabricator
Create Task
Maniphest T367440

Attempt to condense trivy scanning output and avoid false positive exit code
Closed, ResolvedPublic
Actions

Description

After merging the initial implementation of our Gitlab pipeline container-scanning solution (T307523, MR), I noticed a couple of issues within our testing repository:

  1. The trivy output can be quite verbose when it finds vulnerabilities (example). Is there a way to make this less verbose? If not, I guess that's ok, as we can still get to the complete output (example), but that's a bit less ideal.
  2. The trivy job seems to be (potentially) returning successful exit codes even when it finds vulnerabilities (example pipeline, example job). I would imagine that if trivy finds any vulnerabilities, we'd want to return a positive exit code? Similar to how all of the other application security includes work?

Related Objects
Search...

Event Timeline

sbassett created this task.Jun 13 2024, 4:09 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJun 13 2024, 4:09 PM
sbassett updated the task description. (Show Details)Jun 13 2024, 6:16 PM
mmartorana changed the task status from Open to In Progress.Jun 14 2024, 3:51 PM
mmartorana triaged this task as Medium priority.
sbassett added a parent task: T342177: [EPIC] Application Security Pipeline Components for Gitlab - Phase 2 Work.Jun 14 2024, 4:29 PM
sbassett added a comment.Jun 24 2024, 9:22 PM

Example of a template keeping track of cumulative bash error codes: https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/blob/7102fe1332c371f52d5e0800701d60a81a7e104c/php-security-checker/php-security-checker-ci.yml#L24-L70

CodeReviewBot added a project: Patch-For-Review.Jul 17 2024, 3:45 PM

mmartorana opened https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/38

Enable exit code for container scanning (trivy)

mmartorana added a comment.Jul 17 2024, 3:45 PM

Issue number 2 has now successfully been addressed.

As for issue number 1, I couldn't find an effective solution. One option could be to display only high and critical vulnerabilities. However, I prefer keeping the full table in its raw format. What are your thoughts?

sbassett added a comment.Jul 19 2024, 4:12 PM
In T367440#9990781, @mmartorana wrote:

As for issue number 1, I couldn't find an effective solution. One option could be to display only high and critical vulnerabilities. However, I prefer keeping the full table in its raw format. What are your thoughts?

If there's no simple approach for this issue, it's probably not worth the effort. The raw output does provide the complete scan results, so I suppose it will be incumbent upon us to train users of this security include.

CodeReviewBot added a comment.Jul 22 2024, 4:52 PM

sbassett merged https://gitlab.wikimedia.org/repos/security/gitlab-ci-security-templates/-/merge_requests/38

Enable exit code for container scanning (trivy)

sbassett closed this task as Resolved.Jul 22 2024, 4:53 PM
sbassett moved this task from Backlog to Done on the GitLab-Application-Security-Pipeline board.
sbassett moved this task from Incoming to Our Part Is Done on the Security-Team board.
Maintenance_bot removed a project: Patch-For-Review.Jul 22 2024, 5:31 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits