Various Trivy whitelist fixes
Substitute underscore in imagename for consistent formatting in
whitelists file and remove unnecessary return code checking
assumptionsandg committed Jun 10, 2024
1 parent 9a596e6 commit a1997c5
Showing 2 changed files with 3 additions and 6 deletions.
2 changes: 1 addition & 1 deletion etc/kayobe/trivy/allowed-vulnerabilities.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,7 @@
# keystone_allowed_vulnerabilities:
# - CVE-2022-2447
#
# barbican-api_allowed_vulnerabilities:
# barbican_api_allowed_vulnerabilities:
# - CVE-2023-31047

global_allowed_vulnerabilities:
Expand Down
7 changes: 2 additions & 5 deletions tools/scan-images.sh
Original file line number Diff line number Diff line change
Expand Up @@ -34,18 +34,15 @@ touch image-scan-output/clean-images.txt image-scan-output/dirty-images.txt
# generate a csv summary
for image in $images; do
filename=$(basename $image | sed 's/:/\./g')
imagename=$(echo $filename | cut -d "." -f 1)
imagename=$(echo $filename | cut -d "." -f 1 | sed 's/-/_/g')
global_vulnerabilities=$(yq .global_allowed_vulnerabilities[] src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
image_vulnerabilities=$(yq .$imagename'_allowed_vulnerabilities[]' src/kayobe-config/etc/kayobe/trivy/allowed-vulnerabilities.yml)
rc=$?
touch .trivyignore
for vulnerability in $global_vulnerabilities; do
echo $vulnerability >> .trivyignore
done
for vulnerability in $image_vulnerabilities; do
if [ $rc -eq 0 ]; then
echo $vulnerability >> .trivyignore
fi
echo $vulnerability >> .trivyignore
done
if $(trivy image \
--quiet \
Expand Down
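Review bot: `.trivyignore` is only `touch`ed before the two append loops, so unless it is deleted later in the loop body (which runs past the end of this hunk) each image's allowed CVEs accumulate in the file and are silently suppressed for every image scanned after it; truncating it per iteration with `: > .trivyignore` in place of `touch .trivyignore` would stop a barbican-only entry from masking the same CVE in keystone. Dropping the `rc` check also means the script now depends on `yq` printing nothing for an absent `<image>_allowed_vulnerabilities` key, which the Go yq appears to do but a jq-backed `yq` does not ("Cannot iterate over null"), so a `[]?` suffix or `// []` fallback would make that assumption explicit. While here, quote the interpolation, `yq ".${imagename}_allowed_vulnerabilities[]"`, so the path is not subject to word splitting. The enclosing `for image` loop ends outside the hunk.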
