From 027ac237609425da13d6d9b3a3587e13b306116f Mon Sep 17 00:00:00 2001
From: Ryan Richard
Date: Thu, 31 Oct 2024 11:06:03 -0700
Subject: [PATCH] ignore a CVE for trivy scans

---
 pipelines/main/pipeline.yml          | 14 +++++++++-----
 pipelines/security-scan/pipeline.yml | 10 ++++++++++
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/pipelines/main/pipeline.yml b/pipelines/main/pipeline.yml
index 31a148407..4022d2a6d 100644
--- a/pipelines/main/pipeline.yml
+++ b/pipelines/main/pipeline.yml
@@ -7,6 +7,14 @@ display:
 meta:
+  trivy_ignores: &trivy_ignores
+    IGNORE_VULNERABILITY_IDS: |
+      # Medium CVE in gopkg.in/square/go-jose.v2. That project is archived, so they will never fix this.
+      # That is an indirect dependency of our project, which we inherit from our direct dep of k8s.io/apiserver@v0.31.2.
+      # However, the Kubernetes maintainers say that k8s is not impacted and they won't upgrade to v3.
+      # See https://github.com/kubernetes/kubernetes/issues/128039. So we will ignore this for now.
+      CVE-2024-28180
+
   # GKE account info and which zone the clusters should be created in and deleted from.
   gke_account_params: &gke_account_params
     CLUSTER_ZONE: us-central1-c
@@ -774,11 +782,7 @@ jobs:
       file: pinniped-ci/pipelines/shared-tasks/scan-image-trivy/task.yml
       params:
         GITHUB_TOKEN: ((ci-bot-access-token-with-read-user-permission))
-        IGNORE_VULNERABILITY_IDS: |
-          # Trivy thinks this is a HIGH CVE in go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc.
-          # That is an indirect dependency of our project, which we inherit from our direct dep k8s.io/apiserver.
-          # Therefore, we will inherit a solution for this CVE from k8s.io/apiserver when they fix it. Ignore it for now.
-          CVE-2023-47108
+        <<: *trivy_ignores
       <<: *notify_on_failure
   - name: integration-test-1.21
diff --git a/pipelines/security-scan/pipeline.yml b/pipelines/security-scan/pipeline.yml
index 072ab88bf..23a936b8a 100644
--- a/pipelines/security-scan/pipeline.yml
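Review bot: The justification written into the new `trivy_ignores` comment block borrows the Kubernetes maintainers' "not impacted" verdict, which is about kube-apiserver's use of go-jose v2, not about this project's own code paths. The task appears to suppress by bare id (`IGNORE_VULNERABILITY_IDS`), so the entry would also hide the finding if this repo ever reached gopkg.in/square/go-jose.v2 directly or through a second module, and nothing in the comment says how the "indirect only" claim was checked. I would record both the verification and the revisit trigger, e.g. `# Verified with 'go mod why -m gopkg.in/square/go-jose.v2': reachable only via k8s.io/apiserver. Re-check on every apiserver bump or when the linked issue closes.`. If the scan task accepts trivy's `.trivyignore.yaml` format, an `expired_at` date would enforce that revisit; the task definition is not in this diff, so I can't tell what format it parses.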
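Review bot: Replacing the job's own `IGNORE_VULNERABILITY_IDS` block with `<<: *trivy_ignores` also drops the CVE-2023-47108 entry, and neither the commit subject nor the new anchor comment says that the otelgrpc finding is now resolved (presumably via the apiserver@v0.31.2 bump the anchor mentions). A one-line note in the commit message or the anchor comment would show the next reader this was a deliberate removal rather than a lost suppression. Note also that the YAML merge key is shallow: a job that needs an additional ignore must spell out a full `IGNORE_VULNERABILITY_IDS:` block, which replaces the shared list rather than appending to it. The enclosing job definition starts before this hunk.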
+++ b/pipelines/security-scan/pipeline.yml
@@ -16,6 +16,14 @@ meta:
       Job `${BUILD_PIPELINE_NAME}/${BUILD_JOB_NAME}` *FAILED* :( ${ATC_EXTERNAL_URL}/teams/${BUILD_TEAM_NAME}/pipelines/${BUILD_PIPELINE_NAME}/jobs/${BUILD_JOB_NAME}/builds/${BUILD_NAME}
+  trivy_ignores: &trivy_ignores
+    IGNORE_VULNERABILITY_IDS: |
+      # Medium CVE in gopkg.in/square/go-jose.v2. That project is archived, so they will never fix this.
+      # That is an indirect dependency of our project, which we inherit from our direct dep of k8s.io/apiserver@v0.31.2.
+      # However, the Kubernetes maintainers say that k8s is not impacted and they won't upgrade to v3.
+      # See https://github.com/kubernetes/kubernetes/issues/128039. So we will ignore this for now.
+      CVE-2024-28180
+
 resource_types:
   # Try using the latest version of the registry-image resource because of this problem:
@@ -198,6 +206,7 @@ jobs:
       file: pinniped-ci/pipelines/shared-tasks/scan-image-trivy/task.yml
       params:
         GITHUB_TOKEN: ((ci-bot-access-token-with-read-user-permission))
+        <<: *trivy_ignores
       input_mapping:
         image: pinniped-latest-release-image
@@ -216,6 +225,7 @@ jobs:
       file: pinniped-ci/pipelines/shared-tasks/scan-image-trivy/task.yml
       params:
         GITHUB_TOKEN: ((ci-bot-access-token-with-read-user-permission))
+        <<: *trivy_ignores
       input_mapping:
         image: pinniped-latest-main-image
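Review bot: The `trivy_ignores` anchor added here is a verbatim copy of the one added to pipelines/main/pipeline.yml in the same commit; YAML anchors cannot be referenced across files, so the two lists will drift the first time someone edits only one of them, and a scan in one pipeline will then pass while the other fails (or, worse, keeps suppressing an entry the other file has retired). If the deployment setup allows it, keep the list in one place — a vars file loaded into both pipelines, or a `.trivyignore` committed to the scanned repository so the exception travels with the code it excuses — and until then leave a pointer such as `# Keep in sync with pipelines/main/pipeline.yml (trivy_ignores).` above the anchor. I can't see how these pipelines are set, so which option fits is a guess.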
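Review bot: Merging `trivy_ignores` into the `pinniped-latest-release-image` scan applies a rationale written for main (`k8s.io/apiserver@v0.31.2`) to the released image, whose module graph may pin an older apiserver and therefore reach go-jose v2 by a different path or version. Because the task seems to match on bare CVE id, the finding is silenced for the release however go-jose v2 got there. I would confirm the release tag's `go.mod`/`go.sum` shows the same indirect-only path before extending the ignore to it, or state in the anchor comment that both images were checked, e.g. `# Confirmed for both the latest release and main images.`. The enclosing job starts before this hunk.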