From de2c9199d9a08ab3dfd473c472110fc41a0412c7 Mon Sep 17 00:00:00 2001
From: pete-j-g <66006493+pete-j-g@users.noreply.github.com>
Date: Fri, 31 May 2024 14:37:35 +0100
Subject: [PATCH] NIT-1304 ignore python vulnerabilities from ansible_collections (#314)
---
 .github/workflows/ansible-aws-image-build.yml | 14 ++++++++-----
 docker/delius-ansible-aws/.trivyignore | 20 +++++++++++++++++++
 docker/delius-ansible-aws/Dockerfile | 1 -
 3 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ansible-aws-image-build.yml b/.github/workflows/ansible-aws-image-build.yml
index a7e59e6d..7fa50fe4 100644
--- a/.github/workflows/ansible-aws-image-build.yml
+++ b/.github/workflows/ansible-aws-image-build.yml
@@ -67,6 +67,11 @@ jobs:
 contents: read
 runs-on: ubuntu-latest
 steps:
+ - name: Checkout Code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
 - name: Download artifact
 uses: actions/download-artifact@v4
 with:
@@ -86,7 +91,7 @@ jobs:
 image-ref: 'hmpps-delius-operational-automation:${{ github.sha }}'
 exit-code: '1'
 scan-type: 'image'
- trivyignores: '.trivyignore'
+ trivyignores: 'docker/delius-ansible-aws/.trivyignore'
 ignore-unfixed: 'true'
 output: 'trivy-results.sarif'
 - name: Upload Trivy scan results to GitHub Security tab
@@ -120,18 +125,18 @@ jobs:
 TAG_CONTEXT: repo # Making this default visible
 PRERELEASE: ${{ github.base_ref != 'refs/heads/main' }}
 PRERELEASE_SUFFIX: ${{ github.base_ref }} # Branch name
-
+
 - name: Create safe tag
 id: safe_tag
 run: |
 echo "SAFE_TAG=$(echo ${{ steps.bump-version.outputs.new_tag }} | sed 's/[^a-zA-Z0-9.]/-/g')" >> $GITHUB_OUTPUT
-
+
 - name: Download Artifact
 uses: actions/download-artifact@v4
 with:
 name: ansible-aws-image
 path: /tmp
-
+
 - name: Load and retag image for publish
 run: |
 docker load --input /tmp/ansible-aws-image.tar
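Review bot: `fetch-depth: 0` on the new `Checkout Code` step clones the full repository history, but nothing visible in this job needs tags or history — the checkout is there so the Trivy step can read `docker/delius-ansible-aws/.trivyignore` from the working tree — so the default shallow clone (dropping the `with:` block) would suffice and keeps less of the repository on the runner. The action is referenced by the floating tag `actions/checkout@v4`, consistent with the existing `actions/download-artifact@v4` in this file; pinning both to a full commit SHA with the tag in a trailing comment shields the scan job from a retagged or compromised action release. If the full clone is deliberate, a one-line comment such as `# fetch-depth: 0 needed for <reason>` above it would save the next reader the question. The `steps:` list continues outside the hunk.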
@@ -147,4 +152,3 @@ jobs:
 - name: Publish image
 run: docker push ghcr.io/ministryofjustice/hmpps-delius-operational-automation:${{ steps.safe_tag.outputs.SAFE_TAG }}
-
\ No newline at end of file
diff --git a/docker/delius-ansible-aws/.trivyignore b/docker/delius-ansible-aws/.trivyignore
index 0e8a9578..40f6dc34 100644
--- a/docker/delius-ansible-aws/.trivyignore
+++ b/docker/delius-ansible-aws/.trivyignore
@@ -1 +1,21 @@
 # Trivy Ignore file https://aquasecurity.github.io/trivy/v0.51/docs/configuration/filtering/
+# Ignore old python vulnerabilities from ansible_collections
+CVE-2022-40897
+CVE-2022-40898
+
+## TODO: use yaml formatted trivyignore
+## Vulnerabilites above should only be ignored for certain paths. Trivy supports granular rules through yaml formatted (.trivyignore.yaml) ignore files
+## However, the current version of the trivy-action ignores the yaml ignore file:
+## https://github.com/aquasecurity/trivy-action/issues/284
+## https://github.com/aquasecurity/trivy-action/issues/348
+# vulnerabilities:
+# - id: CVE-2022-40897
+# paths:
+# - usr/local/lib/python3.12/site-packages/ansible_collections/kaytus/ksmanage/venv/Lib/site-packages/setuptools-57.0.0.dist-info/METADATA
+# - usr/local/lib/python3.12/site-packages/ansible_collections/inspur/ispim/venv/Lib/site-packages/setuptools-57.0.0.dist-info/METADATA
+#
+# - id: CVE-2022-40898
+# paths:
+# - usr/local/lib/python3.12/site-packages/ansible_collections/kaytus/ksmanage/venv/Lib/site-packages/wheel-0.36.2.dist-info/METADATA
+# - usr/local/lib/python3.12/site-packages/ansible_collections/inspur/ispim/venv/Lib/site-packages/wheel-0.36.2.dist-info/METADATA
+
diff --git a/docker/delius-ansible-aws/Dockerfile b/docker/delius-ansible-aws/Dockerfile
index 5dc49ca3..4a0443cd 100644
--- a/docker/delius-ansible-aws/Dockerfile
+++ b/docker/delius-ansible-aws/Dockerfile
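Review bot: The two bare entries `CVE-2022-40897` and `CVE-2022-40898` at the top of the file suppress those findings for every setuptools and wheel copy in the image, not only the vendored venvs under `ansible_collections` that the commented-out YAML block targets, so the same CVE surfacing in the primary site-packages would be hidden too; the TODO acknowledges this but leaves the suppression open-ended. Since the path-scoped form is blocked on the linked trivy-action issues, time-boxing the blanket entries would force a revisit: Trivy's plain-text ignore file accepts an expiry suffix, e.g. `CVE-2022-40897 exp:<YYYY-MM-DD, review date placeholder>`, after which the scan fails again instead of carrying the exception indefinitely. Worth also noting in the header comment that the workflow already runs with `ignore-unfixed: 'true'`, so these entries only matter for findings Trivy considers fixed upstream, which is what makes the unpinned venv copies of setuptools 57.0.0 and wheel 0.36.2 show up. Minor: `Vulnerabilites` in the TODO comment is misspelled.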
@@ -16,7 +16,6 @@ RUN if curl "https://s3.amazonaws.com/session-manager-downloads/plugin/latest/ub dpkg -i session-manager-plugin.deb; \ fi - # Pip COPY requirements.txt requirements.yml ./ RUN pip install -U pip && pip install --upgrade -r requirements.txt \