diff --git a/CHANGELOG.md b/CHANGELOG.md
index e08c696..82b31a0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [v2.5.0] - 2024-09-27
+### Added
+- [#49] Add feature to use a .trivyignore file to ignore cve that are false positives
+
## [v2.4.0] - 2024-09-18
### Changed
- Relicense to AGPL-3.0-only
diff --git a/pom.xml b/pom.xml
index 69a212c..c5859ce 100644
--- a/pom.xml
+++ b/pom.xml
@@ -7,7 +7,7 @@
com.cloudogu.ces
dogu-build-lib
dogu-build-lib
- 2.4.0
+ 2.5.0
UTF-8
diff --git a/src/com/cloudogu/ces/dogubuildlib/Trivy.groovy b/src/com/cloudogu/ces/dogubuildlib/Trivy.groovy
old mode 100644
new mode 100755
index caa4ec6..a845af7
--- a/src/com/cloudogu/ces/dogubuildlib/Trivy.groovy
+++ b/src/com/cloudogu/ces/dogubuildlib/Trivy.groovy
@@ -59,15 +59,21 @@ class Trivy {
"-v /vagrant/trivy/output:/output " +
"-v /vagrant/trivy/cache:/root/.cache/ " +
"-v /var/run/docker.sock:/var/run/docker.sock " +
+ "-v /dogu/.trivyignore:/trivy/.trivyignore " +
"aquasec/trivy image " +
formatFlags(format, fileName) + " " +
"--exit-code 1 " +
"--severity ${level} " +
- "${image} &> /dev/null; echo \\\$?"
+ "--debug " +
+ "--ignorefile /trivy/.trivyignore " +
+ "${image} &>> ./trivyscan.log; echo \\\$?"
+
def exitCode = this.vagrant().sshOut(command)
+
boolean ok = exitCode == "0"
this.vagrant().scp(":/vagrant/trivy/output", "trivy")
+ this.vagrant().scp(":./trivyscan.log", "trivy/output")
this.script.archiveArtifacts artifacts: 'trivy/output/trivyscan.*', allowEmptyArchive: true
if (!ok && strategy == TrivyScanStrategy.UNSTABLE) {
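Review bot: The bind mount `-v /dogu/.trivyignore:/trivy/.trivyignore ` added at the top of the hunk is unconditional, so for a dogu that ships no `.trivyignore` Docker will create the missing host path as an empty directory and `--ignorefile /trivy/.trivyignore` then points at a directory, which I expect makes the scan error out instead of running without exclusions. A guard such as `def ignoreMount = this.vagrant().sshOut("test -f /dogu/.trivyignore; echo \\$?") == "0" ? "-v /dogu/.trivyignore:/trivy/.trivyignore " : ""` (with the `--ignorefile` flag made conditional the same way) would keep existing dogus scanning. The redirect `&>> ./trivyscan.log` appends to a path relative to the ssh session's working directory, so repeated scans in the same VM accumulate earlier runs' output in the archived log; writing with `&>` to `/vagrant/trivy/output/trivyscan.log` would make the archive reflect only this run and remove the extra `scp` of `./trivyscan.log`. Since an ignore file silently drops CVEs from an otherwise failing result, the doc comment of `scan` should state that findings listed in `/dogu/.trivyignore` are excluded and that the archived `trivyscan.log` (now run with `--debug`) is where a reviewer can check what the scan did. The enclosing method starts before and ends after this hunk.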
@@ -79,7 +85,6 @@ class Trivy {
return ok
}
-
/**
* Extracts the image and the version from the dogu.json in a doguPath to get the exact image name.
* @param doguPath The path of the dogu sources
diff --git a/test/com/cloudogu/ces/dogubuildlib/TrivyTest.groovy b/test/com/cloudogu/ces/dogubuildlib/TrivyTest.groovy
old mode 100644
new mode 100755
index 75aee1d..4955706
--- a/test/com/cloudogu/ces/dogubuildlib/TrivyTest.groovy
+++ b/test/com/cloudogu/ces/dogubuildlib/TrivyTest.groovy
@@ -169,7 +169,7 @@ class TrivyTest {
@Test
void scanUsesCorrectImage() {
trivy.scan("myimage", "plain", "critical,asdf,asdf123", "ignore")
- verify(vagrant, times(1)).sshOut(matches(/^.*myimage &> \/dev\/null; echo \\\$\?$/))
+ verify(vagrant, times(1)).sshOut(matches(/^.*myimage &>> .\/trivyscan.log; echo \\\$\?$/))
}
@Test
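Review bot: The updated regex on the replaced `verify` line only matches the tail of the command (`myimage &>> ./trivyscan.log; echo $?`), so this test still passes if the `.trivyignore` mount or the `--ignorefile` flag is dropped from `scan`; the same applies to the `scanDogu` hunk below, and only the exact-string test in the last hunk pins the new flags, for the json/fail path alone. Extending the pattern here to `matches(/^.*--ignorefile \/trivy\/\.trivyignore myimage &>> \.\/trivyscan\.log; echo \\\$\?$/)` would cover the plain-format path as well. The unescaped `.` in `.\/trivyscan.log` also matches any character, so `\.\/trivyscan\.log` is the stricter form.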
@@ -177,7 +177,7 @@ class TrivyTest {
doReturn("registry.cloudogu.com/official/nginx").when(vagrant).sshOut("jq .Image /dogu/dogu.json")
doReturn("1.0.0-1").when(vagrant).sshOut("jq .Version /dogu/dogu.json")
trivy.scanDogu("/dogu", "plain", "critical,asdf,asdf123", "ignore")
- verify(vagrant, times(1)).sshOut(matches(/^.*registry.cloudogu.com\/official\/nginx:1.0.0-1 &> \/dev\/null; echo \\\$\?$/))
+ verify(vagrant, times(1)).sshOut(matches(/^.*registry.cloudogu.com\/official\/nginx:1.0.0-1 &>> .\/trivyscan.log; echo \\\$\?$/))
}
@Test
@@ -194,12 +194,15 @@ class TrivyTest {
"-v /vagrant/trivy/output:/output " +
"-v /vagrant/trivy/cache:/root/.cache/ " +
"-v /var/run/docker.sock:/var/run/docker.sock " +
+ "-v /dogu/.trivyignore:/trivy/.trivyignore " +
"aquasec/trivy image " +
"-f json " +
"--output /output/myfilename " +
"--exit-code 1 " +
"--severity critical " +
- "null:null &> /dev/null; echo \\\$?")
+ "--debug " +
+ "--ignorefile /trivy/.trivyignore " +
+ "null:null &>> ./trivyscan.log; echo \\\$?")
trivy.scanDogu("/dogu", "json", "critical", "fail", "myfilename")
}
}