- New Feature
- Resolution: Unresolved
- Minor
[JENKINS-66425] Trivy parser ignores warnings generated via `trivy conf`
warnings-ng cannot capture results for "trivy conf -f json --output trivy-result.json /workspace" JSON. I've tried both the old and the new JSON format of trivy ("TRIVY_NEW_JSON_SCHEMA=true trivy conf -f json --output trivy-result.json /workspace"). Also note that I'm able to use warnings-ng with the "trivy client -f json --output ..." command.
Hello, I'm another person encountering this.
https://github.com/jenkinsci/warnings-ng-plugin/blob/v9.12.0/plugin/src/main/java/io/jenkins/plugins/analysis/warnings/Trivy.java states in its usage: "{@code trivy image -f json -o results.json golang:1.12-alpine}", but is named to imply it supports the whole range of Trivy scans (the third one, "trivy fs", I haven't tested).
So, answering the question above, info on "trivy config":
Configuration in pipeline:
scan_output_file = 'trivyConfig.json'
docker.image(plan.tests.trivyDockerImage)
    .inside("\
        --volume=/var/run/docker.sock:/var/run/docker.sock \
        --volume=$HOME/.cache:/tmp/.cache/ \
        -e TRIVY_CACHE_DIR=/tmp/.cache/ \
        --entrypoint='' \
        --user 0 \
    ") {
    try {
        sh "rm -f $scan_output_file; \
            trivy --version && trivy config \
            --exit-code 100 \
            --timeout 5m0s \
            --format json --output $scan_output_file \
            $env.WORKSPACE"
    } catch (Throwable e) {
        log.warn "Trivy scan found issues (OR failed)! Check ${env.GIT_URL} for specific file contents."
    } finally {
        // ! cannot be parsed by warnings-ng plugin https://issues.jenkins.io/browse/JENKINS-66425?jql=resolution%20is%20EMPTY%20and%20component%3D24526
        recordIssues(
            // https://www.jenkins.io/doc/pipeline/steps/warnings-ng
            enabledForFailure: false,
            failOnError: false,
            ignoreFailedBuilds: false, // ignoreFailedBuilds: true seems to cause report to be NOT shown, if the very first scan fails due to quality gate
            skipBlames: false,
            aggregatingResults: true,
            trendChartType: 'TOOLS_ONLY',
            healthy: 1,
            unhealthy: 50,
            qualityGates: [
                [threshold: 10, type: 'TOTAL_HIGH', unstable: true],
                [threshold: 30, type: 'TOTAL_HIGH', unstable: false]],
            tools: [
                trivy(id: "trivyScannerConfig", name: 'Configuration scan (by Trivy)', pattern: scan_output_file, skipSymbolicLinks: true)])
    }
}
Console log:
[Configuration scan (by Trivy)] Searching for all files in '/home/jenkins/workspace/job_develop_2' that match the pattern 'trivyConfig.json'
[Configuration scan (by Trivy)] -> found 1 file
[Configuration scan (by Trivy)] Successfully parsed file /home/jenkins/workspace/job_develop_2/trivyConfig.json
[Configuration scan (by Trivy)] -> found 0 issues (skipped 0 duplicates)
[Configuration scan (by Trivy)] Skipping post processing
[Configuration scan (by Trivy)] No filter has been set, publishing all 0 issues
[Configuration scan (by Trivy)] Repository miner is not configured, skipping repository mining
[Configuration scan (by Trivy)] Reference build recorder is not configured
[Configuration scan (by Trivy)] Obtaining reference build from same job (develop)
[Configuration scan (by Trivy)] Using reference build 'job/develop #8' to compute new, fixed, and outstanding issues
[Configuration scan (by Trivy)] Issues delta (vs. reference build): outstanding: 0, new: 0, fixed: 0
[Configuration scan (by Trivy)] Evaluating quality gates
[Configuration scan (by Trivy)] -> PASSED - Total (severity high only): 0 - Quality QualityGate: 10
[Configuration scan (by Trivy)] -> PASSED - Total (severity high only): 0 - Quality QualityGate: 30
[Configuration scan (by Trivy)] -> All quality gates have been passed
[Configuration scan (by Trivy)] Enabling health report (Healthy=1, Unhealthy=50, Minimum Severity=LOW)
[Configuration scan (by Trivy)] Created analysis result for 0 issues (found 0 new issues, fixed 0 issues)
[Configuration scan (by Trivy)] Attaching ResultAction with ID 'trivyScannerConfig' to build 'job/develop #9'.
trivyConfig.json (yes, I will exclude node_modules):
{
  "SchemaVersion": 2,
  "ArtifactName": "/home/jenkins/workspace/job_develop_2",
  "ArtifactType": "filesystem",
  "Metadata": {
    "ImageConfig": {
      "architecture": "",
      "created": "0001-01-01T00:00:00Z",
      "os": "",
      "rootfs": { "type": "", "diff_ids": null },
      "config": {}
    }
  },
  "Results": [
    {
      "Target": "Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "MisconfSummary": { "Successes": 22, "Failures": 1, "Exceptions": 0 },
      "Misconfigurations": [
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS002",
          "Title": "root user",
          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
          "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
          "Namespace": "appshield.dockerfile.DS002",
          "Query": "data.appshield.dockerfile.DS002.deny",
          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
          "References": [
            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
            "https://avd.aquasec.com/appshield/ds002"
          ],
          "Status": "FAIL",
          "Layer": {},
          "IacMetadata": {}
        }
      ]
    },
    {
      "Target": "node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile",
      "Class": "config",
      "Type": "dockerfile",
      "MisconfSummary": { "Successes": 21, "Failures": 2, "Exceptions": 0 },
      "Misconfigurations": [
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS001",
          "Title": "':latest' tag used",
          "Description": "When using a 'FROM' statement you should use a specific tag to avoid uncontrolled behavior when the image is updated.",
          "Message": "Specify a tag in the 'FROM' statement for image 'selenium/node-chrome'",
          "Namespace": "appshield.dockerfile.DS001",
          "Query": "data.appshield.dockerfile.DS001.deny",
          "Resolution": "Add a tag to the image in the 'FROM' statement",
          "Severity": "MEDIUM",
          "PrimaryURL": "https://avd.aquasec.com/appshield/ds001",
          "References": [
            "https://avd.aquasec.com/appshield/ds001"
          ],
          "Status": "FAIL",
          "Layer": {},
          "IacMetadata": {}
        },
        {
          "Type": "Dockerfile Security Check",
          "ID": "DS002",
          "Title": "root user",
          "Description": "Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.",
          "Message": "Last USER command in Dockerfile should not be 'root'",
          "Namespace": "appshield.dockerfile.DS002",
          "Query": "data.appshield.dockerfile.DS002.deny",
          "Resolution": "Add 'USER \u003cnon root user name\u003e' line to the Dockerfile",
          "Severity": "HIGH",
          "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
          "References": [
            "https://docs.docker.com/develop/develop-images/dockerfile_best-practices/",
            "https://avd.aquasec.com/appshield/ds002"
          ],
          "Status": "FAIL",
          "Layer": {},
          "IacMetadata": {}
        }
      ]
    }
  ]
}
Trivy version:
18:52:43 + trivy --version
18:52:43 Version: 0.27.1
18:52:43 Vulnerability DB:
18:52:43   Version: 2
18:52:43   UpdatedAt: 2022-05-02 12:07:55.396229478 +0000 UTC
18:52:43   NextUpdate: 2022-05-02 18:07:55.396228978 +0000 UTC
18:52:43   DownloadedAt: 2022-05-02 13:15:25.314290554 +0000 UTC
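To make the difference between the two report layouts concrete, here is an added illustrative parser (not the plugin's TrivyParser and not code from the issue) that reads a Trivy schema-version-2 JSON report and collects issues from both the `Vulnerabilities` lists that `trivy image` produces and the `Misconfigurations` lists that `trivy config` produces. The sample config report is a trimmed copy of the trivyConfig.json pasted above (Description/References dropped); the sample image report is constructed, with placeholder package and vulnerability values, and its field names (`VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion`) are taken from Trivy's image-scan output as I know it. `parse_vulnerabilities_only` shows why a vulnerability-only parser reports "found 0 issues" on a config scan; `parse_trivy_report` handles both, and also tolerates `Results` or a per-result list being JSON `null`, which Trivy emits when there is nothing to report.

```python
import json
from collections import Counter

# Constructed sample: trimmed `trivy config` report from the issue (misconfigurations only).
CONFIG_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "/home/jenkins/workspace/job_develop_2",
    "ArtifactType": "filesystem",
    "Results": [
        {"Target": "Dockerfile", "Class": "config", "Type": "dockerfile",
         "MisconfSummary": {"Successes": 22, "Failures": 1, "Exceptions": 0},
         "Misconfigurations": [
             {"Type": "Dockerfile Security Check", "ID": "DS002", "Title": "root user",
              "Message": "Specify at least 1 USER command in Dockerfile with non-root user as argument",
              "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
              "Status": "FAIL"}]},
        {"Target": "node_modules/@surma/rollup-plugin-off-main-thread/Dockerfile",
         "Class": "config", "Type": "dockerfile",
         "MisconfSummary": {"Successes": 21, "Failures": 2, "Exceptions": 0},
         "Misconfigurations": [
             {"Type": "Dockerfile Security Check", "ID": "DS001", "Title": "':latest' tag used",
              "Message": "Specify a tag in the 'FROM' statement for image 'selenium/node-chrome'",
              "Severity": "MEDIUM", "PrimaryURL": "https://avd.aquasec.com/appshield/ds001",
              "Status": "FAIL"},
             {"Type": "Dockerfile Security Check", "ID": "DS002", "Title": "root user",
              "Message": "Last USER command in Dockerfile should not be 'root'",
              "Severity": "HIGH", "PrimaryURL": "https://avd.aquasec.com/appshield/ds002",
              "Status": "FAIL"}]},
    ],
})

# Constructed sample: the shape of a `trivy image` report. Package, version and
# vulnerability values are placeholders, not a real finding.
IMAGE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example/image:placeholder",
    "ArtifactType": "container_image",
    "Results": [
        {"Target": "example/image:placeholder (alpine 3.x)", "Class": "os-pkgs", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-00000", "PkgName": "examplepkg",
              "InstalledVersion": "1.0.0", "FixedVersion": "1.0.1", "Severity": "HIGH",
              "Title": "placeholder vulnerability title",
              "PrimaryURL": "https://example.invalid/placeholder"}]},
    ],
})


def _issue(target, kind, ident, severity, message, url):
    """Normalised issue record, the kind of thing a report plugin would render per row."""
    return {"file": target, "kind": kind, "id": ident, "severity": severity,
            "message": message, "url": url}


def parse_vulnerabilities_only(report_text):
    """What a parser written only for `trivy image` output sees: Vulnerabilities lists."""
    data = json.loads(report_text)
    issues = []
    for result in data.get("Results") or []:          # Results may be null
        for vuln in result.get("Vulnerabilities") or []:  # so may Vulnerabilities
            fixed = vuln.get("FixedVersion") or "no fix"
            message = (f"{vuln.get('PkgName')} {vuln.get('InstalledVersion')} "
                       f"({fixed}): {vuln.get('Title', '')}")
            issues.append(_issue(result.get("Target", ""), "vulnerability",
                                 vuln["VulnerabilityID"], vuln.get("Severity", "UNKNOWN"),
                                 message, vuln.get("PrimaryURL", "")))
    return issues


def parse_trivy_report(report_text):
    """Collect issues from both layouts: Vulnerabilities and Misconfigurations."""
    issues = parse_vulnerabilities_only(report_text)
    data = json.loads(report_text)
    for result in data.get("Results") or []:
        for misconf in result.get("Misconfigurations") or []:
            # Config reports can also list passing checks; only failures are issues.
            if misconf.get("Status") != "FAIL":
                continue
            message = f"{misconf.get('Title', '')}: {misconf.get('Message', '')}"
            issues.append(_issue(result.get("Target", ""), "misconfiguration",
                                 misconf["ID"], misconf.get("Severity", "UNKNOWN"),
                                 message, misconf.get("PrimaryURL", "")))
    return issues


def severity_counts(issues):
    """Per-severity totals, the figures a TOTAL_HIGH quality gate would be evaluated on."""
    return dict(Counter(issue["severity"] for issue in issues))


if __name__ == "__main__":
    for name, report in (("config", CONFIG_REPORT), ("image", IMAGE_REPORT)):
        found = parse_trivy_report(report)
        print(f"{name}: vulnerability-only parser sees {len(parse_vulnerabilities_only(report))}, "
              f"combined parser sees {len(found)} {severity_counts(found)}")
```

Run against the config sample, the vulnerability-only parser returns nothing, matching the "found 0 issues" line in the console log above, while the combined parser returns the three failed checks (two HIGH, one MEDIUM) that the quality gate on `TOTAL_HIGH` should have been evaluated against.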
Seems that this format is different (or a subset). Interested in helping to improve or fix the parser? See https://github.com/jenkinsci/analysis-model/blob/master/src/main/java/edu/hm/hafner/analysis/parser/TrivyParser.java.
Hi shubzz, yes please go ahead! If you need any help please let me know. The parser should be straightforward, so you can simply look at the existing ones. If you want to chat, we can also use the warnings plugin Gitter channel.
What does the plug-in report in the console log of your job?