add trivy validator for ap-vendor

bin/trivy-scan.sh

@@ -12,7 +12,6 @@ trivy_args=(
   "--cache-dir" "/tmp/workspace/trivy-cache"
   "image"
   "--ignore-unfixed" "-s" "HIGH,CRITICAL"
-  "--exit-code" "1"
   "--no-progress"
 )
 
@@ -26,8 +25,9 @@ if [ -f "${config_file}" ]; then
   trivy_args+=(--config "${config_file}")
 fi
 
+trivy "${trivy_args[@]}" "ap-${scan_target}:${CIRCLE_SHA1}" --output "${scan_target}/scan-results.json" --format json
 trivy "${trivy_args[@]}" "ap-${scan_target}:${CIRCLE_SHA1}" > "${GIT_ROOT}/trivy-output.txt"
-exit_code=$?
+#exit_code=$?
 
 cat "${GIT_ROOT}/trivy-output.txt"
 
@@ -38,4 +38,6 @@ if grep -q -i 'OS is not detected' trivy-output.txt ; then
   exit 0
 fi
 
-exit "${exit_code}"
+#exit "${exit_code}"
+export PROJECT_DIRECTORY="${scan_target}"
+python bin/trivy_validator.py

bin/trivy_validator.py

@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+import json
+import os
+from pathlib import Path
+
+git_root = [x for x in Path(__file__).resolve().parents if (x / ".git").is_dir()][-1]
+project_name = os.getenv("PROJECT_DIRECTORY")
+scan_results_file_path = f"{git_root}/{project_name}"
+
+data = json.loads(Path(f"{scan_results_file_path}/scan-results.json").read_text())
+found_cves = [vuln["VulnerabilityID"] for result in data.get("Results", []) for vuln in result.get("Vulnerabilities", [])]
+
+
+def cve_list_to_string(items: list):
+    sorted_items = sorted(set(items), key=lambda x: x.lower() if x else "")
+    if sorted_items:
+        return "\n\n" + "\n".join([f"{item}" for item in sorted_items]) + "\n"
+    return "none\n"
+
+
+def get_ignored_cves() -> list:
+    ignore_file = Path(f"{scan_results_file_path}/trivyignore")
+    if ignore_file.is_file():
+        return sorted({line.strip() for line in ignore_file.read_text().splitlines()})
+    return []
+
+
+ignored_cve_list = get_ignored_cves()
+
+new_cves = [cve for cve in found_cves if cve not in ignored_cve_list]
+print(f"New CVEs that are not found in {project_name}/trivyignore: {cve_list_to_string(new_cves)}")
+
+old_cves = [cve for cve in found_cves if cve in ignored_cve_list and cve in found_cves]
+print(f"Old CVEs that exist now but are already in {project_name}/trivyignore: {cve_list_to_string(old_cves)}")
+
+solved_cves = [cve for cve in ignored_cve_list if cve not in found_cves]
+print(f"Solved CVEs that can be removed from {project_name}/trivyignore: {cve_list_to_string(solved_cves)}")
+
+if new_cves:
+    raise SystemExit(1)

openresty/Dockerfile

@@ -16,7 +16,7 @@
 
 # https://github.com/openresty/docker-openresty/
 # https://hub.docker.com/r/openresty/openresty/tags
-FROM docker.io/openresty/openresty:1.27.1.1-3-alpine
+FROM docker.io/openresty/openresty:1.27.1.2-0-alpine
 LABEL maintainer="Astronomer <[email protected]>"
 
 ARG BUILD_NUMBER=-1

openresty/version.txt

@@ -1 +1 @@
-1.27.1-4
+1.27.1-5