
--ignore-policy unavailable in config target #3490

Closed
itaysk opened this issue Jan 27, 2023 · 8 comments · Fixed by #5359
Labels: kind/feature (Categorizes issue or PR as related to a new feature), scan/misconfiguration (Issues relating to misconfiguration scanning)

Comments

@itaysk (Contributor)

itaysk commented Jan 27, 2023

Description

works:

trivy fs --security-checks config --ignore-policy ./p.rego .

doesn't work:

trivy config --ignore-policy ./p.rego .

What did you expect to happen?

able to ignore with rego policies in config scan

What happened instead?

error:

unknown flag: --ignore-policy

Output of run with -debug:

same

Output of trivy -v:

Version: 0.36.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2023-01-27 12:08:06.732856126 +0000 UTC
  NextUpdate: 2023-01-27 18:08:06.732855426 +0000 UTC
  DownloadedAt: 2023-01-27 14:18:11.663968 +0000 UTC

Additional details (base image name, container registry info...):

@itaysk itaysk added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Jan 27, 2023
@knqyf263 knqyf263 added kind/feature Categorizes issue or PR as related to a new feature. and removed kind/bug Categorizes issue or PR as related to a bug. labels Jan 28, 2023
@knqyf263 (Collaborator)

--ignore-policy supports only vulnerabilities for now.
https://aquasecurity.github.io/trivy/v0.36/docs/vulnerability/examples/filter/#by-open-policy-agent

@itaysk (Contributor, Author)

itaysk commented Jan 28, 2023

I tried it with fs --security-checks config and it worked

@itaysk (Contributor, Author)

itaysk commented Jan 28, 2023

❯ cat ignore.rego   
package trivy
default ignore=true
ignore=false {
        input.AVDID == "AVD-AWS-0094"
}

❯ trivy fs /Users/itaysk/dev/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src --security-checks config --ignore-policy ./ignore.rego  -q           

main.yaml (cloudformation)

Tests: 13 (SUCCESSES: 4, FAILURES: 9, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

LOW: Bucket does not have a corresponding public access block.
═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
The "block public access" settings in S3 override individual policies that apply to a given bucket, meaning that all public access can be controlled in one central types for that bucket. It is therefore good practice to define these settings for each bucket in order to clearly define the public access that can be allowed for it.

See https://avd.aquasec.com/misconfig/avd-aws-0094
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 main.yaml:2-5
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   2 ┌   S3Bucket:
   3 │     Type: 'AWS::S3::Bucket'
   4 │     Properties:
   5 └       BucketName: public-bucket
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
❯ cat ignore.rego
package trivy
default ignore=true

❯ trivy fs /Users/itaysk/dev/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src --security-checks config --ignore-policy ./ignore.rego  -q

@itaysk (Contributor, Author)

itaysk commented Jan 28, 2023

even though it works, the exception seems wrong:

"Results": [
    {
      "Target": "main.yaml",
      "Class": "config",
      "Type": "cloudformation",
      "MisconfSummary": {
        "Successes": 4,
        "Failures": 9,
        "Exceptions": 0
      },

@anderseknert

Thanks for looking into this. I think I just discovered this the hard way myself 😅 Also, there seem to be a lot of places in the docs (and the examples) mentioning the --policy flag, but that one does not seem to exist? I see other flags to do this though, like --config-policy, so presumably that one has been replaced?

Also, as a Trivy n00b, it's not clear to me what the difference is between an "ignore policy" and an "exception policy". But that might be off topic :)

@itaysk itaysk added this to the v0.38.0 milestone Feb 7, 2023
@giorod3 giorod3 self-assigned this Feb 7, 2023
@itaysk (Contributor, Author)

itaysk commented Feb 11, 2023

@anderseknert about --policy flag, @simar7 or @giorod3 can comment.
about exception vs ignore, you're right, we'll fix it with #3486 (comment)

@knqyf263 (Collaborator)

I tried it with fs --security-checks config and it worked

I added the support... I didn't remember it at all 😄

trivy/pkg/result/filter.go
Lines 195 to 207 in 6cac6c9

	// Misconfigurations
	var filteredMisconfs []types.DetectedMisconfiguration
	for _, misconf := range misconfs {
		ignored, err := evaluate(ctx, query, misconf)
		if err != nil {
			return nil, nil, err
		}
		if ignored {
			continue
		}
		filteredMisconfs = append(filteredMisconfs, misconf)
	}
	return filteredVulns, filteredMisconfs, nil

@knqyf263 knqyf263 modified the milestones: v0.38.0, v0.39.0 Mar 1, 2023
@knqyf263 knqyf263 modified the milestones: v0.39.0, v0.40.0 Apr 3, 2023
@itaysk itaysk mentioned this issue Apr 11, 2023
@knqyf263 knqyf263 modified the milestones: v0.41.0, v0.42.0 May 3, 2023
@AnaisUrlichs AnaisUrlichs assigned AnaisUrlichs and unassigned giorod3 May 23, 2023
AnaisUrlichs added a commit to AnaisUrlichs/trivy that referenced this issue May 23, 2023
@itaysk itaysk assigned simar7 and unassigned AnaisUrlichs Jun 1, 2023
@itaysk itaysk modified the milestones: v0.42.0, v0.43.0 Jun 1, 2023
@knqyf263 knqyf263 removed this from the v0.43.0 milestone Jul 2, 2023
@simar7 (Member)

simar7 commented Aug 9, 2023

even though it works, the exception seems wrong:

"Results": [
    {
      "Target": "main.yaml",
      "Class": "config",
      "Type": "cloudformation",
      "MisconfSummary": {
        "Successes": 4,
        "Failures": 9,
        "Exceptions": 0
      },

Revisiting this thread, can someone remind me of the expected behavior here? Below is what I see with the latest release of Trivy

cat ignore.rego 
package trivy
default ignore=true
ignore=false {
        input.AVDID == "avd-aws-0094"
}
trivy fs ~/repos/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src/ --security-checks config --ignore-policy ./ignore.rego  --format json
2023-08-08T23:22:33.374-0600    WARN    '--security-checks' is deprecated. Use '--scanners' instead.
2023-08-08T23:22:33.389-0600    INFO    Misconfiguration scanning is enabled
2023-08-08T23:22:33.699-0600    INFO    Detected config files: 1
{
  "SchemaVersion": 2,
  "ArtifactName": "/Users/simarpreetsingh/repos/trivy/pkg/fanal/artifact/local/testdata/misconfig/cloudformation/passed/src",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": {
        "type": "",
        "diff_ids": null
      },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "main.yaml",
      "Class": "config",
      "Type": "cloudformation",
      "MisconfSummary": {
        "Successes": 2,
        "Failures": 9,
        "Exceptions": 0
      }
    }
  ]
}

Below is what I have been able to gather from the discussion so far:

  1. We need to expose --ignore-policy directly with the trivy config flag. Today it is only exposed as trivy fs --scanners config --ignore-policy.
  2. We need to add the list of results that got "ignored" via the --ignore-policy into the Exceptions field count.

Please correct me if I'm wrong.

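The two points above (the filter.go loop quoted earlier, which drops ignored misconfigurations without touching the summary, and the request that ignored results show up in the Exceptions count) can be exercised with a small model of that loop. This is an added example, not code from the Trivy repository: the Rego evaluation is replaced by a Go predicate so it runs without the OPA dependency, the struct types are reduced stand-ins for Trivy's types.DetectedMisconfiguration and MisconfSummary, and the sample results are constructed to match the thread's counts (13 checks, 4 passing, 9 failing, one of them AVD-AWS-0094; the other IDs are placeholders). Exact string comparison on AVDID mirrors Rego's ==, which is why the lowercase "avd-aws-0094" policy in the last comment matches nothing.

```go
package main

import "fmt"

// DetectedMisconfiguration is a reduced stand-in for Trivy's
// types.DetectedMisconfiguration with only the fields this example needs.
type DetectedMisconfiguration struct {
	AVDID    string
	Title    string
	Severity string
	Status   string // "FAIL" or "PASS"
}

// MisconfSummary mirrors the three counters in Trivy's JSON output.
type MisconfSummary struct {
	Successes  int
	Failures   int
	Exceptions int
}

// IgnorePolicy stands in for the compiled Rego query (data.trivy.ignore):
// it returns true when a result should be dropped. Assumption: a Go predicate
// replaces the OPA evaluation so the example runs offline.
type IgnorePolicy func(m DetectedMisconfiguration) bool

// KeepOnlyAVDID reproduces the policy posted in the thread:
//   default ignore = true
//   ignore = false { input.AVDID == "AVD-AWS-0094" }
// Rego compares strings exactly, so the check is case-sensitive here too.
func KeepOnlyAVDID(id string) IgnorePolicy {
	return func(m DetectedMisconfiguration) bool { return m.AVDID != id }
}

// IgnoreAVDIDs is the more common shape of an ignore policy: drop a known
// set of IDs and keep everything else.
func IgnoreAVDIDs(ids ...string) IgnorePolicy {
	set := make(map[string]struct{}, len(ids))
	for _, id := range ids {
		set[id] = struct{}{}
	}
	return func(m DetectedMisconfiguration) bool {
		_, ok := set[m.AVDID]
		return ok
	}
}

// FilterMisconfs skips ignored results the way the quoted filter.go loop does,
// but also rebuilds MisconfSummary so an ignored FAIL is reported as an
// Exception instead of silently staying in Failures. Ignoring a PASS exempts
// nothing, so it still counts as a success (a design choice of this example).
func FilterMisconfs(misconfs []DetectedMisconfiguration, ignore IgnorePolicy) ([]DetectedMisconfiguration, MisconfSummary) {
	var kept []DetectedMisconfiguration
	var s MisconfSummary
	for _, m := range misconfs {
		ignored := ignore(m)
		switch {
		case m.Status == "PASS":
			s.Successes++
		case ignored:
			s.Exceptions++
		default:
			s.Failures++
		}
		if ignored {
			continue
		}
		kept = append(kept, m)
	}
	return kept, s
}

// SampleResults is constructed data shaped like the thread's run: 13 checks,
// 4 passing and 9 failing, one of which is AVD-AWS-0094. The AVD-TEST-* IDs
// are placeholders, not real AVD entries.
func SampleResults() []DetectedMisconfiguration {
	var out []DetectedMisconfiguration
	for i := 1; i <= 4; i++ {
		out = append(out, DetectedMisconfiguration{AVDID: fmt.Sprintf("AVD-TEST-%04d", i), Status: "PASS"})
	}
	out = append(out, DetectedMisconfiguration{
		AVDID: "AVD-AWS-0094", Severity: "LOW", Status: "FAIL",
		Title: "Bucket does not have a corresponding public access block.",
	})
	for i := 5; i <= 12; i++ {
		out = append(out, DetectedMisconfiguration{AVDID: fmt.Sprintf("AVD-TEST-%04d", i), Severity: "MEDIUM", Status: "FAIL"})
	}
	return out
}

func main() {
	for name, p := range map[string]IgnorePolicy{
		"keep only AVD-AWS-0094":  KeepOnlyAVDID("AVD-AWS-0094"),
		"keep only avd-aws-0094":  KeepOnlyAVDID("avd-aws-0094"), // lowercase: matches nothing
		"ignore AVD-AWS-0094 only": IgnoreAVDIDs("AVD-AWS-0094"),
	} {
		kept, s := FilterMisconfs(SampleResults(), p)
		fmt.Printf("%-25s kept=%d Successes=%d Failures=%d Exceptions=%d\n",
			name, len(kept), s.Successes, s.Failures, s.Exceptions)
	}
}
```

With the thread's policy the summary becomes Successes 4, Failures 1, Exceptions 8 and only AVD-AWS-0094 is reported; with the lowercase ID every failure is ignored and Exceptions goes to 9, which is the situation the JSON in the last comment shows as "Failures": 9, "Exceptions": 0.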
6 participants