* Add ignore config by CUE * Add ignore logic * Rename fields for ignore list * Refactor filepath cleaning in LoadConfigsFromDir function * Update Config field in Scan struct to store a string * Update IgnoreVuln struct with Comment field * Add expiration date check for ignoring vulnerabilities * Refactor IsActive method for IgnoreVuln in config.go
1 parent
08b2643
commit c87d7a0
Showing
17 changed files
with
546 additions
and
14 deletions.
|
@@ -64,6 +64,42 @@ To run Octovy, set the following environment variables: | |
- `OCTOVY_SENTRY_DSN`: The DSN for Sentry | ||
- `OCTOVY_SENTRY_ENV`: The environment for Sentry | ||
|
||
## Configuration | ||
|
||
### Ignore list | ||
|
||
The developer can ignore specific vulnerabilities by adding them to the ignore list. The config file is written in CUE. See CUE definition in [pkg/domain/model/schema/ignore.cue](pkg/domain/model/schema/ignore.cue). | ||
|
||
The config file should be placed in `.octovy` directory at the root of the repository. Octovy checks all files in the `.octovy` directory recursively and loads them. (e.g. `.octovy/ignore.cue`) | ||
|
||
The following is an example of the ignore list configuration: | ||
|
||
```cue | ||
package octovy | ||
IgnoreList: [ | ||
{ | ||
Target: "Gemfile.lock" | ||
Vulns: [ | ||
{ | ||
ID: "CVE-2020-8130" | ||
ExpiresAt: "2024-08-01T00:00:00Z" | ||
Comment: "This is not used" | ||
}, | ||
] | ||
}, | ||
] | ||
``` | ||
|
||
`package` name should be `octovy`. `IgnoreList` is a list of `Ignore` struct. | ||
|
||
- `Target` is the file path to ignore. That should be matched `Target` of trivy | ||
- `Vulns` is a list of `IgnoreVuln` struct. | ||
- `ID` (required): the vulnerability ID to ignore. (e.g. `CVE-2022-2202`) | ||
- `ExpiresAt` (required): The expiration date of the ignore. It should be in RFC3339 format. (e.g. `2023-08-01T00:00:00`). The date must be in 90 days and if it's over 90 days, Octovy will ignore it. | ||
- `Comment` (optional): The developer's comment | ||
|
||
|
||
## License | ||
|
||
Octovy is licensed under the Apache License 2.0. Copyright 2023 Masayoshi Mizutani <[email protected]> |
@@ -0,0 +1,55 @@ | ||
package logic | ||
|
||
import ( | ||
"time" | ||
|
||
"github.com/m-mizutani/octovy/pkg/domain/model" | ||
"github.com/m-mizutani/octovy/pkg/domain/model/trivy" | ||
) | ||
|
||
func FilterReport(oldReport *trivy.Report, cfg *model.Config, now time.Time) *trivy.Report { | ||
results := FilterResults(oldReport.Results, cfg, now) | ||
newReport := *oldReport | ||
newReport.Results = results | ||
return &newReport | ||
} | ||
|
||
func FilterResults(results trivy.Results, cfg *model.Config, now time.Time) trivy.Results { | ||
ignoreMap := make(map[string]map[string]struct{}) | ||
for _, target := range cfg.IgnoreList { | ||
if _, ok := ignoreMap[target.Target]; !ok { | ||
ignoreMap[target.Target] = make(map[string]struct{}) | ||
} | ||
|
||
for _, vuln := range target.Vulns { | ||
if vuln.IsActive(now) { | ||
continue | ||
} | ||
ignoreMap[target.Target][vuln.ID] = struct{}{} | ||
} | ||
} | ||
|
||
var filtered trivy.Results | ||
for _, result := range results { | ||
newResult := result | ||
ignoreVulns, ok := ignoreMap[result.Target] | ||
if !ok { | ||
filtered = append(filtered, newResult) | ||
continue | ||
} | ||
newResult.Vulnerabilities = nil | ||
|
||
for _, vuln := range result.Vulnerabilities { | ||
if _, ok := ignoreVulns[vuln.VulnerabilityID]; ok { | ||
continue | ||
} | ||
|
||
newResult.Vulnerabilities = append(newResult.Vulnerabilities, vuln) | ||
} | ||
|
||
if len(newResult.Vulnerabilities) > 0 { | ||
filtered = append(filtered, newResult) | ||
} | ||
} | ||
return filtered | ||
} |
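Review bot: The guard `if vuln.IsActive(now) { continue }` in FilterResults reads as inverted: it keeps an entry out of ignoreMap when IsActive is true, so an ignore rule that is still in force (inside its ExpiresAt window, as the README describes) would never suppress a finding, while an expired or out-of-window rule would. IsActive is defined outside this hunk, so if it actually reports "expired" the logic is correct but the name is misleading; otherwise the condition should be `if !vuln.IsActive(now) { continue }`, and a unit test pinning both the in-force and expired cases would make the contract explicit either way. Separately, a Result whose vulnerabilities were all ignored is dropped from the report entirely at `if len(newResult.Vulnerabilities) > 0`, whereas a Result that had no vulnerabilities to begin with is kept unchanged on the `!ok` path; if trivy Results carry other findings besides Vulnerabilities, dropping the whole Result silently discards those too. Since this filter suppresses security findings with no trace, consider at least documenting on FilterResults that ignored IDs are dropped without logging, so callers know to record them for audit.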