From 13c45ceeffb2adb5465d8b0338931c87a08f9635 Mon Sep 17 00:00:00 2001
From: rajith
Date: Tue, 11 Feb 2025 12:15:15 +0530
Subject: [PATCH 1/7] fixing trivy issue

---
 .github/workflows/trivy.yml | 34 +++++++++++++++++++++++++++++++---
 .trivyignore.yaml | 17 +++++++++++++++++
 2 files changed, 48 insertions(+), 3 deletions(-)
 create mode 100644 .trivyignore.yaml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 5322b6faf3..15f7b2db83 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -27,7 +27,7 @@ jobs:
 docker build --pull -t docker.io/securefederatedai/openfl:${{ github.sha }} -f openfl-docker/Dockerfile.base .

 - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@0.29.0
 with:
 image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
 format: 'sarif'
@@ -52,9 +52,16 @@ jobs:
 --ignore-unfixed \
 --vuln-type os,library \
 --severity CRITICAL,HIGH,MEDIUM,LOW \
+ --ignorefile .trivyignore.yaml \
 --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
 .

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Code Vulnerability Scan Results
 uses: actions/upload-artifact@v4
 with:
@@ -62,7 +69,7 @@ jobs:
 path: trivy-code-results.json

 - name: Run Trivy vulnerability scanner for Docker image (JSON Output)
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@0.29.0
 with:
 image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
 format: 'json'
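Review bot: The `Display Trivy Scan Results` step added in the `@@ -52,9 +52,16 @@` hunk reads `trivy-docker-results.json`, yet it runs right after the code (filesystem) scan whose output, per the upload step that follows it, is `trivy-code-results.json`; at that point the docker results file has not been produced, so on a failing scan the `cat` errors out and the findings are never printed. The same copy-pasted step appears after the SPDX code scan and after both image scans (`@@ -88,9 +102,16 @@`, `@@ -71,9 +78,16 @@`, `@@ -107,9 +128,16 @@`, and again in patch 4), so the copies after the SPDX scans print the earlier JSON scan's findings rather than their own, and each copy should name the file its own scan wrote. The inline comment also contradicts the condition: `failure()` runs the step only when an earlier step failed, whereas "regardless of the previous step's outcome" describes `always()` — keep whichever is intended and fix the other. For the first copy I would write `run: jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}' trivy-code-results.json`, dropping the `cat` pipe, and give the four steps distinct names so a failure is attributable in the job log.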
@@ -71,9 +78,16 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ ignorefile: '.trivyignore.yaml'
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Docker Vulnerability Scan
 uses: actions/upload-artifact@v4
 with:
@@ -88,9 +102,16 @@ jobs:
 --ignore-unfixed \
 --vuln-type os,library \
 --severity CRITICAL,HIGH,MEDIUM,LOW \
+ --ignorefile .trivyignore.yaml \
 --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
 .

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Code Vulnerability Scan Results
 uses: actions/upload-artifact@v4
 with:
@@ -98,7 +119,7 @@ jobs:
 path: trivy-code-spdx-results.json

 - name: Run Trivy vulnerability scanner for Docker image (SPDX-JSON Output)
- uses: aquasecurity/trivy-action@0.28.0
+ uses: aquasecurity/trivy-action@0.29.0
 with:
 image-ref: 'docker.io/securefederatedai/openfl:${{ github.sha }}'
 format: 'spdx-json'
@@ -107,9 +128,16 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ ignorefile: '.trivyignore.yaml'
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Docker Vulnerability Scan
 uses: actions/upload-artifact@v4
 with:
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000000..faca8e3024
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,17 @@
+# This file is used to suppress both:
+# * Trivy vulnerability scans (under the 'vulnerabilities' section).
+# * Trivy's linting warnings (under the 'misconfigurations' section).
+# For more information about the Trivy Ignore YAML file, please refer to:
+# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
+# Justification should be included above each suppression group.
+
+######################## Trivy CVE supressions ########################
+vulnerabilities:
+ # * Relevant packages:: coreutils, gpgv, libc-bin, libc6, libgcrypt20, libncurses6, libncursesw6, libpcre3, libsystemd0,
+ # libtinfo6, libudev1, locales, login, ncurses-base, ncurses-bin, passwd, gcc-12-base, libgcc-s1, libpam-modules, libssl3
+ # libpam-modules-bin, libpam-runtime, libpcre2-8-0, libzstd1
+ # * These packages are part of Intel's latest official Ubuntu base image.
+ # * We do not install it as part of our Dockerfile.
+ # * It is expected to be resolved when moving to a different (lighter) distribution or upgrading to a newer Ubuntu version.
+ - id: CVE-2025-0395
+

From f1f8c09d67bd17e80793b38f1ed8d46cb2ae4de1 Mon Sep 17 00:00:00 2001
From: rajith
Date: Tue, 11 Feb 2025 12:26:07 +0530
Subject: [PATCH 2/7] updated description for trivyignore.yaml

---
 .trivyignore.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index faca8e3024..53c726fe89 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -7,11 +7,7 @@

 ######################## Trivy CVE supressions ########################
 vulnerabilities:
- # * Relevant packages:: coreutils, gpgv, libc-bin, libc6, libgcrypt20, libncurses6, libncursesw6, libpcre3, libsystemd0,
- # libtinfo6, libudev1, locales, login, ncurses-base, ncurses-bin, passwd, gcc-12-base, libgcc-s1, libpam-modules, libssl3
- # libpam-modules-bin, libpam-runtime, libpcre2-8-0, libzstd1
+ # * Relevant packages:: libc-bin
 # * These packages are part of Intel's latest official Ubuntu base image.
- # * We do not install it as part of our Dockerfile.
- # * It is expected to be resolved when moving to a different (lighter) distribution or upgrading to a newer Ubuntu version.
 - id: CVE-2025-0395


From 4c69feb486090439821f6572f1db2a18ea975eeb Mon Sep 17 00:00:00 2001
From: rajith
Date: Wed, 12 Feb 2025 14:20:05 +0530
Subject: [PATCH 3/7] removed trivyignore.yaml and adding plain text

---
 .trivyignore | 2 ++
 .trivyignore.yaml | 13 -------------
 2 files changed, 2 insertions(+), 13 deletions(-)
 create mode 100644 .trivyignore
 delete mode 100644 .trivyignore.yaml

diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000..5bf578a27d
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Accept the risk
+CVE-2025-0395
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
deleted file mode 100644
index 53c726fe89..0000000000
--- a/.trivyignore.yaml
+++ /dev/null
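Review bot: The `.trivyignore` added in the `@@ -0,0 +1,2 @@` hunk of patch 3 suppresses `CVE-2025-0395` with only `# Accept the risk`, dropping the justification the replaced `.trivyignore.yaml` carried (affected package `libc-bin`, inherited from the base image), and it has no expiry, so the suppression will silently outlive the base-image update that was expected to resolve it. I would keep the reason next to the ID and bound the exception in time, e.g. `# CVE-2025-0395: libc-bin from the upstream base image, not installed by our Dockerfile; re-check on the next base-image bump` above `CVE-2025-0395 exp:<YYYY-MM-DD>` (Trivy's plain ignore file accepts that expiry suffix; the date is a placeholder to fill in). If the YAML form is reinstated later, `statement` and `expired_at` on the entry serve the same purpose. The identical two-line file is re-added unchanged by patch 6.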
@@ -1,13 +0,0 @@
-# This file is used to suppress both:
-# * Trivy vulnerability scans (under the 'vulnerabilities' section).
-# * Trivy's linting warnings (under the 'misconfigurations' section).
-# For more information about the Trivy Ignore YAML file, please refer to:
-# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
-# Justification should be included above each suppression group.
-
-######################## Trivy CVE supressions ########################
-vulnerabilities:
- # * Relevant packages:: libc-bin
- # * These packages are part of Intel's latest official Ubuntu base image.
- - id: CVE-2025-0395
-

From ea83a5a2f4347e9ac86117330019033ea7f59fdc Mon Sep 17 00:00:00 2001
From: rajith
Date: Tue, 11 Feb 2025 12:15:15 +0530
Subject: [PATCH 4/7] fixing trivy issue

---
 .github/workflows/trivy.yml | 28 ++++++++++++++++++++++++++++
 .trivyignore.yaml | 17 +++++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 .trivyignore.yaml

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index b3ab136f1f..7eb2080721 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -52,9 +52,16 @@ jobs:
 --ignore-unfixed \
 --vuln-type os,library \
 --severity CRITICAL,HIGH,MEDIUM,LOW \
+ --ignorefile .trivyignore.yaml \
 --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
 .

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Code Vulnerability Scan Results
 uses: actions/upload-artifact@v4
 with:
@@ -71,9 +78,16 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ ignorefile: '.trivyignore.yaml'
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Docker Vulnerability Scan
 uses: actions/upload-artifact@v4
 with:
@@ -88,9 +102,16 @@ jobs:
 --ignore-unfixed \
 --vuln-type os,library \
 --severity CRITICAL,HIGH,MEDIUM,LOW \
+ --ignorefile .trivyignore.yaml \
 --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
 .

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Code Vulnerability Scan Results
 uses: actions/upload-artifact@v4
 with:
@@ -107,9 +128,16 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+ ignorefile: '.trivyignore.yaml'
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

+ - name: Display Trivy Scan Results
+ if: failure() # Ensure this step runs regardless of the previous step's outcome
+ run: |
+ echo "Trivy Scan Results:"
+ cat trivy-docker-results.json | jq '.Results[] | select(.Vulnerabilities != null) | .Vulnerabilities[] | {VulnerabilityID, PkgName, InstalledVersion, Severity, Description}'
+
 - name: Upload Docker Vulnerability Scan
 uses: actions/upload-artifact@v4
 with:
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000000..faca8e3024
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,17 @@
+# This file is used to suppress both:
+# * Trivy vulnerability scans (under the 'vulnerabilities' section).
+# * Trivy's linting warnings (under the 'misconfigurations' section).
+# For more information about the Trivy Ignore YAML file, please refer to:
+# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
+# Justification should be included above each suppression group.
+
+######################## Trivy CVE supressions ########################
+vulnerabilities:
+ # * Relevant packages:: coreutils, gpgv, libc-bin, libc6, libgcrypt20, libncurses6, libncursesw6, libpcre3, libsystemd0,
+ # libtinfo6, libudev1, locales, login, ncurses-base, ncurses-bin, passwd, gcc-12-base, libgcc-s1, libpam-modules, libssl3
+ # libpam-modules-bin, libpam-runtime, libpcre2-8-0, libzstd1
+ # * These packages are part of Intel's latest official Ubuntu base image.
+ # * We do not install it as part of our Dockerfile.
+ # * It is expected to be resolved when moving to a different (lighter) distribution or upgrading to a newer Ubuntu version.
+ - id: CVE-2025-0395
+

From 98043ea39fa6923c7779884170e08ff4b5e8e31d Mon Sep 17 00:00:00 2001
From: rajith
Date: Tue, 11 Feb 2025 12:26:07 +0530
Subject: [PATCH 5/7] updated description for trivyignore.yaml

---
 .trivyignore.yaml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index faca8e3024..53c726fe89 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -7,11 +7,7 @@

 ######################## Trivy CVE supressions ########################
 vulnerabilities:
- # * Relevant packages:: coreutils, gpgv, libc-bin, libc6, libgcrypt20, libncurses6, libncursesw6, libpcre3, libsystemd0,
- # libtinfo6, libudev1, locales, login, ncurses-base, ncurses-bin, passwd, gcc-12-base, libgcc-s1, libpam-modules, libssl3
- # libpam-modules-bin, libpam-runtime, libpcre2-8-0, libzstd1
+ # * Relevant packages:: libc-bin
 # * These packages are part of Intel's latest official Ubuntu base image.
- # * We do not install it as part of our Dockerfile.
- # * It is expected to be resolved when moving to a different (lighter) distribution or upgrading to a newer Ubuntu version.
 - id: CVE-2025-0395


From 6c15b81951690f2b15a8b3d91f75e4a3a8cbc095 Mon Sep 17 00:00:00 2001
From: rajith
Date: Wed, 12 Feb 2025 14:20:05 +0530
Subject: [PATCH 6/7] removed trivyignore.yaml and adding plain text

---
 .trivyignore | 2 ++
 .trivyignore.yaml | 13 -------------
 2 files changed, 2 insertions(+), 13 deletions(-)
 create mode 100644 .trivyignore
 delete mode 100644 .trivyignore.yaml

diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000000..5bf578a27d
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Accept the risk
+CVE-2025-0395
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
deleted file mode 100644
index 53c726fe89..0000000000
--- a/.trivyignore.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-# This file is used to suppress both:
-# * Trivy vulnerability scans (under the 'vulnerabilities' section).
-# * Trivy's linting warnings (under the 'misconfigurations' section).
-# For more information about the Trivy Ignore YAML file, please refer to:
-# https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#trivyignoreyaml
-# Justification should be included above each suppression group.
-
-######################## Trivy CVE supressions ########################
-vulnerabilities:
- # * Relevant packages:: libc-bin
- # * These packages are part of Intel's latest official Ubuntu base image.
- - id: CVE-2025-0395
-

From 07edf1bb6ae6d6f6295161b317225672adcb575e Mon Sep 17 00:00:00 2001
From: rajith
Date: Wed, 12 Feb 2025 14:30:30 +0530
Subject: [PATCH 7/7] including trivyignore

---
 .github/workflows/trivy.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
index 7eb2080721..e5fb413b7d 100644
--- a/.github/workflows/trivy.yml
+++ b/.github/workflows/trivy.yml
@@ -52,7 +52,6 @@ jobs:
 --ignore-unfixed \
 --vuln-type os,library \
 --severity CRITICAL,HIGH,MEDIUM,LOW \
- --ignorefile .trivyignore.yaml \
 --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
 .

@@ -78,7 +77,7 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- ignorefile: '.trivyignore.yaml'
+ trivyignores: '.trivyignore'
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'

@@ -102,7 +101,6 @@ jobs:
 --ignore-unfixed \
 --vuln-type os,library \
 --severity CRITICAL,HIGH,MEDIUM,LOW \
- --ignorefile .trivyignore.yaml \
 --db-repository 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db' \
 .

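Review bot: In the `@@ -52,7 +52,6 @@` and `@@ -102,7 +101,6 @@` hunks the `--ignorefile` argument is removed from the two CLI filesystem scans rather than pointed at the new file, so those scans now rely on Trivy picking up `.trivyignore` from the working directory by default, while the image scans name it explicitly via `trivyignores: '.trivyignore'`. That presumably works because the scan target is `.` in the checkout root, but it is implicit and will stop applying quietly if a `working-directory` is ever set on those steps; passing `--ignorefile .trivyignore \` in both places keeps all four scans visibly consistent. Both enclosing `run:` scripts start outside the hunks.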
@@ -128,7 +126,7 @@ jobs:
 ignore-unfixed: true
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH,MEDIUM,LOW'
- ignorefile: '.trivyignore.yaml'
+ trivyignores: '.trivyignore'
 env:
 TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db'
