
Commit 076eac2

fix trivy ignore-unfixed: replace the homebrewed solution with the trivy library's filter function
1 parent fe0978a commit 076eac2


2 files changed

+25
-35
lines changed


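--- a/pkg/trivy/main.go
+++ b/pkg/trivy/main.go
@@ -11,10 +11,14 @@ import (
 image2 "github.com/aquasecurity/trivy/pkg/fanal/artifact/image"
 "github.com/aquasecurity/trivy/pkg/fanal/image"
 ftypes "github.com/aquasecurity/trivy/pkg/fanal/types"
+"github.com/aquasecurity/trivy/pkg/result"
 "github.com/aquasecurity/trivy/pkg/rpc/client"
 "github.com/aquasecurity/trivy/pkg/scanner"
 "github.com/aquasecurity/trivy/pkg/types"
 v1 "github.com/google/go-containerregistry/pkg/v1"
+"github.com/samber/lo"
+
+dbTypes "github.com/aquasecurity/trivy-db/pkg/types"
 
 _ "modernc.org/sqlite" // sqlite driver for RPM DB and Java DB
 )
@@ -73,13 +77,11 @@ func (opts ScanOption) Scan(reference string) (types.Report, error) {
 analyzer.TypeSbtLock,
 },
 DisabledHandlers: nil,
-// SkipFiles: nil,
-// SkipDirs: nil,
-FilePatterns: nil,
-NoProgress: false,
-Insecure: opts.Insecure,
-SBOMSources: nil,
-RekorURL: "https://rekor.sigstore.dev",
+FilePatterns: nil,
+NoProgress: false,
+Insecure: opts.Insecure,
+SBOMSources: nil,
+RekorURL: "https://rekor.sigstore.dev",
 ImageOption: ftypes.ImageOptions{
 RegistryOptions: ftypes.RegistryOptions{
 Insecure: opts.Insecure,
@@ -112,35 +114,23 @@ func (opts ScanOption) Scan(reference string) (types.Report, error) {
 }
 
 if opts.IgnoreUnfixed {
-ignoreUnfixed(&report)
+ignoreStatuses := lo.FilterMap(dbTypes.Statuses, func(s string, _ int) (dbTypes.Status, bool) {
+fixed := dbTypes.StatusFixed
+if s == fixed.String() {
+return 0, false
+}
+return dbTypes.NewStatus(s), true
+})
+
+result.Filter(context.TODO(), report, result.FilterOptions{
+Severities: []dbTypes.Severity{
+dbTypes.SeverityCritical,
+dbTypes.SeverityHigh,
+},
+IgnoreStatuses: ignoreStatuses,
+})
 }
 
 return report, nil
 
 }
-
-func ignoreUnfixed(report *types.Report) {
-
-// Homebrewed ignore unfixed
-for _, r := range report.Results {
-switch r.Class {
-case "ok-pkgs":
-vulns := []types.DetectedVulnerability{}
-for _, v := range r.Vulnerabilities {
-if v.FixedVersion != "" {
-// fixed
-vulns = append(vulns, v)
-}
-}
-
-count := len(r.Vulnerabilities) - len(vulns)
-if count == 0 {
-slog.Debug("removed unfixed vulnerabilities from result", slog.Int("count", count), slog.String("image", report.Metadata.ImageID))
-} else {
-slog.Info("removed unfixed vulnerabilities from result", slog.Int("count", count), slog.String("image", report.Metadata.ImageID))
-}
-
-r.Vulnerabilities = vulns
-}
-}
-}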
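Review bot: The `result.Filter` call in the third hunk hard-codes `Severities` to Critical and High, so enabling `IgnoreUnfixed` now also silently discards every Medium, Low and Unknown finding — a behaviour change the commit message does not mention and that the removed `ignoreUnfixed` never had, which matters for anyone relying on this scan for coverage. If the severity cut-off is intended it should be driven by `opts` (or applied independently of `IgnoreUnfixed`), and the return value of `result.Filter` should be checked rather than dropped, e.g. `if err := result.Filter(context.TODO(), report, filterOpts); err != nil { return types.Report{}, fmt.Errorf("filtering report: %w", err) }` — assuming `Filter` returns an error, which the hunk does not show. The old code logged how many vulnerabilities were removed; the new path emits nothing, so a one-line `slog.Debug` comparing the vulnerability count before and after the filter would keep that visibility for operators. `Scan`'s signature sits outside the hunk, so `context.TODO()` is presumably a stopgap until a caller-supplied ctx is threaded through.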

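--- a/pkg/trivy/util.go
+++ b/pkg/trivy/util.go
@@ -7,7 +7,7 @@ import (
 func ContainsOsPkgs(rs types.Results) bool {
 for _, r := range rs {
 switch r.Class {
-case "os-pkgs":
+case types.ClassOSPkg:
 if !r.IsEmpty() {
 return true
 }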
