ignore a CVE for trivy scans

2026-01-07 05:57:02 +00:00 · 2024-10-31 11:06:03 -07:00
parent 9f58db799f
commit 027ac23760
2 changed files with 19 additions and 5 deletions
--- a/pipelines/main/pipeline.yml
+++ b/pipelines/main/pipeline.yml
@@ -7,6 +7,14 @@ display:

 meta:

+  trivy_ignores: &trivy_ignores
+    IGNORE_VULNERABILITY_IDS: |
+      # Medium CVE in gopkg.in/square/go-jose.v2. That project is archived, so they will never fix this.
+      # That is an indirect dependency of our project, which we inherit from our direct dep of k8s.io/apiserver@v0.31.2.
+      # However, the Kubernetes maintainers say that k8s is not impacted and they won't upgrade to v3.
+      # See https://github.com/kubernetes/kubernetes/issues/128039. So we will ignore this for now.
+      CVE-2024-28180
+
  # GKE account info and which zone the clusters should be created in and deleted from.
  gke_account_params: &gke_account_params
    CLUSTER_ZONE: us-central1-c
@@ -774,11 +782,7 @@ jobs:
        file: pinniped-ci/pipelines/shared-tasks/scan-image-trivy/task.yml
        params:
          GITHUB_TOKEN: ((ci-bot-access-token-with-read-user-permission))
-          IGNORE_VULNERABILITY_IDS: |
-            # Trivy thinks this is a HIGH CVE in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.
-            # That is an indirect dependency of our project, which we inherit from our direct dep k8s.io/apiserver.
-            # Therefore, we will inherit a solution for this CVE from k8s.io/apiserver when they fix it. Ignore it for now.
-            CVE-2023-47108
+          <<: *trivy_ignores
        <<: *notify_on_failure

  - name: integration-test-1.21
--- a/pipelines/security-scan/pipeline.yml
+++ b/pipelines/security-scan/pipeline.yml
@@ -16,6 +16,14 @@ meta:
          Job `${BUILD_PIPELINE_NAME}/${BUILD_JOB_NAME}` *FAILED* :(
          ${ATC_EXTERNAL_URL}/teams/${BUILD_TEAM_NAME}/pipelines/${BUILD_PIPELINE_NAME}/jobs/${BUILD_JOB_NAME}/builds/${BUILD_NAME}

+  trivy_ignores: &trivy_ignores
+    IGNORE_VULNERABILITY_IDS: |
+      # Medium CVE in gopkg.in/square/go-jose.v2. That project is archived, so they will never fix this.
+      # That is an indirect dependency of our project, which we inherit from our direct dep of k8s.io/apiserver@v0.31.2.
+      # However, the Kubernetes maintainers say that k8s is not impacted and they won't upgrade to v3.
+      # See https://github.com/kubernetes/kubernetes/issues/128039. So we will ignore this for now.
+      CVE-2024-28180
+
 resource_types:

  # Try using the latest version of the registry-image resource because of this problem:
@@ -198,6 +206,7 @@ jobs:
        file: pinniped-ci/pipelines/shared-tasks/scan-image-trivy/task.yml
        params:
          GITHUB_TOKEN: ((ci-bot-access-token-with-read-user-permission))
+          <<: *trivy_ignores
        input_mapping:
          image: pinniped-latest-release-image

@@ -216,6 +225,7 @@ jobs:
        file: pinniped-ci/pipelines/shared-tasks/scan-image-trivy/task.yml
        params:
          GITHUB_TOKEN: ((ci-bot-access-token-with-read-user-permission))
+          <<: *trivy_ignores
        input_mapping:
          image: pinniped-latest-main-image