[BUG] Current vulnerability check is giving false positives

[simskij]

Problem

The current vulnerability check utilized by the oci-factory is giving a lot of false positives, mainly as it does not check whether the code that contains the vulnerability is ever imported or called.

What happens at the moment is that we, every time a vulnerability is flagged, have to run govulncheck against the project to see whether the CVE is actually affecting us or not and add it to trivyignore if it isn't. A downside of this is that if the upstream ever starts to include the vulnerable code, it is already ignored and won't be flagged.

Additionally, we have no way of flagging trivyignores for specific rock versions - only globally, which is a huge drawback.

Suggested solution

This requires a two step solution:

• trivyignore files per rock version, or a way to pin ignores to version ranges.
• When a go project is detected, govulncheck should be run, either as well or in place of trivy, and anything not present in both cve lists get excluded.

[cjdcordeiro]

This is definitely interesting and should be addressed (ping @zhijie-yang and @alesancor1)

Here are my 2 cents:

• we should soon be moving to scanning rocks via our own internal SSDLC scanning endpoint, instead of Trivy
  • this means that keep relying on .trivyignore is not gonna help much
• having CVE "ignores" per rock version is a good idea. I think this is easily achievable in a tool-agnostic way. @zhijie-yang @alesancor1 what about adding a new YAML field to image.yaml, per image, allowing Maintainers to provide a list of ignored CVEs , that then our CI parses and compares with the output of the CVE scan (independently of the tool being used)

As a final note, we should also consider the implications of "ignoring a CVE". We ask Maintainers to justify why a CVE is being ignores, but from an SSDLC standpoint, we gotta understand what policies we should apply to such ignored CVEs, and potentially add the capability for our scanning service endpoint to accept and record these ignores ...TBD