-
Notifications
You must be signed in to change notification settings - Fork 2.3k
/
basic.rego
76 lines (58 loc) · 1.67 KB
/
basic.rego
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
package trivy
import data.lib.trivy
default ignore = false
ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
ignore_severities := {"LOW", "MEDIUM"}
nvd_v3_vector = v {
v := input.CVSS.nvd.V3Vector
}
redhat_v3_vector = v {
v := input.CVSS.redhat.V3Vector
}
ignore {
input.PkgName == ignore_pkgs[_]
}
ignore {
input.Severity == ignore_severities[_]
}
# Ignore a vulnerability which is not remotely exploitable
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.AttackVector != "Network"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.AttackVector != "Network"
}
# Ignore a vulnerability which requires high privilege
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.PrivilegesRequired == "High"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.PrivilegesRequired == "High"
}
# Ignore a vulnerability which requires user interaction
ignore {
nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
nvd_cvss_vector.UserInteraction == "Required"
redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
redhat_cvss_vector.UserInteraction == "Required"
}
# Ignore CSRF
ignore {
# https://cwe.mitre.org/data/definitions/352.html
input.CweIDs[_] == "CWE-352"
}
# Ignore a license
ignore {
input.PkgName == "alpine-baselayout"
input.Name == "GPL-2.0"
}
# Ignore loose file license
ignore {
input.Name == "AGPL-3.0"
input.FilePath == "/usr/share/grafana/LICENSE"
}
# Ignore secret
ignore {
input.RuleID == "aws-access-key-id"
input.Match == "AWS_ACCESS_KEY_ID=\"********************\""
}