Merge branch 'release/v2.5.0'

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v2.5.0] - 2024-09-27
+### Added
+- [#49] Add feature to use a .trivyignore file to ignore cve that are false positives 
+
 ## [v2.4.0] - 2024-09-18
 ### Changed
 - Relicense to AGPL-3.0-only

pom.xml

@@ -7,7 +7,7 @@
     <groupId>com.cloudogu.ces</groupId>
     <artifactId>dogu-build-lib</artifactId>
     <name>dogu-build-lib</name>
-    <version>2.4.0</version>
+    <version>2.5.0</version>
 
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>

src/com/cloudogu/ces/dogubuildlib/Trivy.groovy

@@ -59,15 +59,21 @@ class Trivy {
                 "-v /vagrant/trivy/output:/output " +
                 "-v /vagrant/trivy/cache:/root/.cache/ " +
                 "-v /var/run/docker.sock:/var/run/docker.sock " +
+                "-v /dogu/.trivyignore:/trivy/.trivyignore " +
                 "aquasec/trivy image " +
                 formatFlags(format, fileName) + " " +
                 "--exit-code 1 " +
                 "--severity ${level} " +
-                "${image} &> /dev/null; echo \\\$?"
+                "--debug " +
+                "--ignorefile /trivy/.trivyignore " +
+                "${image} &>> ./trivyscan.log; echo \\\$?"
+
         def exitCode = this.vagrant().sshOut(command)
+
         boolean ok = exitCode == "0"
 
         this.vagrant().scp(":/vagrant/trivy/output", "trivy")
+        this.vagrant().scp(":./trivyscan.log", "trivy/output")
         this.script.archiveArtifacts artifacts: 'trivy/output/trivyscan.*', allowEmptyArchive: true
 
         if (!ok && strategy == TrivyScanStrategy.UNSTABLE) {
@@ -79,7 +85,6 @@ class Trivy {
         return ok
     }
 
-
     /**
      * Extracts the image and the version from the dogu.json in a doguPath to get the exact image name.
      * @param doguPath The path of the dogu sources

test/com/cloudogu/ces/dogubuildlib/TrivyTest.groovy

@@ -169,15 +169,15 @@ class TrivyTest {
     @Test
     void scanUsesCorrectImage() {
         trivy.scan("myimage", "plain", "critical,asdf,asdf123", "ignore")
-        verify(vagrant, times(1)).sshOut(matches(/^.*myimage &> \/dev\/null; echo \\\$\?$/))
+        verify(vagrant, times(1)).sshOut(matches(/^.*myimage &>> .\/trivyscan.log; echo \\\$\?$/))
     }
 
     @Test
     void scanDoguExtractsCorrectDoguImageName() {
         doReturn("registry.cloudogu.com/official/nginx").when(vagrant).sshOut("jq .Image /dogu/dogu.json")
         doReturn("1.0.0-1").when(vagrant).sshOut("jq .Version /dogu/dogu.json")
         trivy.scanDogu("/dogu", "plain", "critical,asdf,asdf123", "ignore")
-        verify(vagrant, times(1)).sshOut(matches(/^.*registry.cloudogu.com\/official\/nginx:1.0.0-1 &> \/dev\/null; echo \\\$\?$/))
+        verify(vagrant, times(1)).sshOut(matches(/^.*registry.cloudogu.com\/official\/nginx:1.0.0-1 &>> .\/trivyscan.log; echo \\\$\?$/))
     }
 
     @Test
@@ -194,12 +194,15 @@ class TrivyTest {
                         "-v /vagrant/trivy/output:/output " +
                         "-v /vagrant/trivy/cache:/root/.cache/ " +
                         "-v /var/run/docker.sock:/var/run/docker.sock " +
+                        "-v /dogu/.trivyignore:/trivy/.trivyignore " +
                         "aquasec/trivy image " +
                         "-f json " +
                         "--output /output/myfilename " +
                         "--exit-code 1 " +
                         "--severity critical " +
-                        "null:null &> /dev/null; echo \\\$?")
+                        "--debug " +
+                        "--ignorefile /trivy/.trivyignore " +
+                        "null:null &>> ./trivyscan.log; echo \\\$?")
         trivy.scanDogu("/dogu", "json", "critical", "fail", "myfilename")
     }
 }