From 7deb3e1b373c4b24a0258511c274acd718d8da79 Mon Sep 17 00:00:00 2001
From: Benedikt Bauer
Date: Mon, 4 Nov 2024 11:58:26 +0100
Subject: [PATCH] bugfix: .trivyignore.yaml must exist as of trivy 0.57.0 (#11)

* bugfix: .trivyignore.yaml must exist as of trivy 0.57.0
* bugfix: make trivyignore a variable and update vuln-type switch
* update docs
* trivyignore file may not be empty
---
README.md | 2 +-
security-checks.template.yaml | 11 +++++++----
security-checks.yaml | 11 +++++++----
3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/README.md b/README.md
index 69dafaf..a4eab9b 100644
--- a/README.md
+++ b/README.md
@@ -154,5 +154,5 @@ To make sure you're doing a fresh run and instruct trivy to download a fresh vul
 You can add more variables corresponding to the CLI switches as [documented on the trivy homepage](https://aquasecurity.github.io/trivy/v0.48/docs/references/configuration/cli/trivy/)
 NOTE: This link points to the reference as of v0.48 - December 2023, make sure to check the latest version for changes in newer versions.
-Last, but not least, you can set up a .trivyignore file in your project's root directory and enter one Vulnerability-ID per line to ignore that specific vulnerability. See the [trivy documentation](https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#by-finding-ids) for more (and up-to-date) info.
+Last, but not least, you can set up a .trivyignore.yaml file in your project's root directory and enter one Vulnerability-ID per line to ignore that specific vulnerability. See the [trivy documentation](https://aquasecurity.github.io/trivy/v0.48/docs/configuration/filtering/#by-finding-ids) for more (and up-to-date) info.
 NOTE: This link points to the reference as of v0.48 - December 2023, make sure to check the latest version for changes in newer versions.
diff --git a/security-checks.template.yaml b/security-checks.template.yaml
index df95e09..8720404 100644
--- a/security-checks.template.yaml
+++ b/security-checks.template.yaml 
@@ -17,19 +17,22 @@
 DIRECTORY: "./"
 # Is like that for backward-compatibility, previously we only had DIRECTORY.
 FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
+ TRIVY_IGNOREFILE_DIR: "./.trivyignore.yaml"
 before_script:
 - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
+ # Create trivyignore.yaml if it doesn't exist yet
+ - if [ ! -e ${TRIVY_IGNOREFILE_DIR} ]; then echo "ambient_trivyignore_placeholder: None" > ${TRIVY_IGNOREFILE_DIR}; fi
 allow_failure: true
 script:
 # Image report (Operating System Vulnerabilities)
- - trivy image --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
+ - trivy image --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
 # Filesystem report (Source Dependency Vulnerabilities)
- - trivy filesystem --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
+ - trivy filesystem --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
 # Report results as table
 # Image report (Operating System Vulnerabilities)
- - trivy image --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format table $IMAGE || IMAGE_CODE=$?
+ - trivy image --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format table $IMAGE || IMAGE_CODE=$?
# Filesystem report (Source Dependency Vulnerabilities)
- - trivy filesystem --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
+ - trivy filesystem --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
 # Combine report
 - apk update && apk add jq sed
 - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > ${FILENAME}
diff --git a/security-checks.yaml b/security-checks.yaml
index e549e24..0238e89 100644
--- a/security-checks.yaml
+++ b/security-checks.yaml
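Review bot: The placeholder the new before_script line writes, `ambient_trivyignore_placeholder: None`, is not a key trivy documents for `.trivyignore.yaml`, so the job relies on the loader ignoring unknown top-level keys; writing the documented schema instead, `echo "vulnerabilities: []" > ${TRIVY_IGNOREFILE_DIR}`, should presumably satisfy the non-empty requirement the commit message mentions without that dependency. The new variable `TRIVY_IGNOREFILE_DIR` holds a file path, not a directory, and `TRIVY_IGNOREFILE` is the name trivy's own environment binding uses for `--ignorefile`, so that name (or at least `TRIVY_IGNOREFILE_PATH`) would be less misleading. Because the file is only created when absent, a `.trivyignore.yaml` committed in the project is used as-is and every ID in it is excluded from the `--exit-code 1` runs that set IMAGE_CODE and FILE_CODE, which deserves a comment above the guard: `# A committed .trivyignore.yaml is used unchanged; IDs listed there are dropped from the gating runs below, so review changes to it like pipeline code`. The README hunk in this commit still describes the one-ID-per-line format of the plain `.trivyignore`, which does not match the YAML schema this placeholder establishes. The same lines appear again in the security-checks.yaml hunk that follows.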
@@ -20,19 +20,22 @@ container_scanning:
 DIRECTORY: "./"
 # Is like that for backward-compatibility, previously we only had DIRECTORY.
 FILENAME: "gl-codeclimate-$CI_JOB_NAME_SLUG.json"
+ TRIVY_IGNOREFILE_DIR: "./.trivyignore.yaml"
 before_script:
 - if [ ! -e ${TRIVY_CACHE_DIR} ]; then mkdir -p ${TRIVY_CACHE_DIR}; fi
+ # Create trivyignore.yaml if it doesn't exist yet
+ - if [ ! -e ${TRIVY_IGNOREFILE_DIR} ]; then echo "ambient_trivyignore_placeholder: None" > ${TRIVY_IGNOREFILE_DIR}; fi
 allow_failure: true
 script:
 # Image report (Operating System Vulnerabilities)
- - trivy image --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
+ - trivy image --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-image.json $IMAGE >trivy-image.log 2>&1 || true
 # Filesystem report (Source Dependency Vulnerabilities)
- - trivy filesystem --exit-code 0 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
+ - trivy filesystem --exit-code 0 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --format template --template "@/contrib/gitlab-codequality.tpl" -o gl-codeclimate-fs.json $DIRECTORY >trivy-fs.log 2>&1 || true
 # Report results as table
 # Image report (Operating System Vulnerabilities)
- - trivy image --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners vuln --vuln-type os --format table $IMAGE || IMAGE_CODE=$?
+ - trivy image --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners vuln --pkg-types os --format table $IMAGE || IMAGE_CODE=$?
# Filesystem report (Source Dependency Vulnerabilities)
- - trivy filesystem --exit-code 1 --ignorefile ./.trivyignore.yaml --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
+ - trivy filesystem --exit-code 1 --ignorefile ${TRIVY_IGNOREFILE_DIR} --ignore-unfixed --scanners misconfig,vuln --dependency-tree --format table $DIRECTORY || FILE_CODE=$?
 # Combine report
 - apk update && apk add jq sed
 - jq -s 'add' gl-codeclimate-image.json gl-codeclimate-fs.json > ${FILENAME}