config-check: "Module has no input selectors - it will be loaded for all inputs" (all exceptions ignored)

[bovy89]

Description

I would like to ignore ksv114 rule (https://avd.aquasec.com/misconfig/ksv114), but the described config is not working anymore

Desired Behavior

exceptions not ignored

Actual Behavior

exceptions ignored

Reproduction Steps

1. `wget https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.yaml`
2. 

mkdir -p trivy_policy && cat > trivy_policy/ksv114_exception.rego <<EOF
package builtin.kubernetes.KSV114

exception[rules] {
	input.kind == "ClusterRole"
	input.metadata.name == "cert-manager-cainjector"
	rules := [""]
}
EOF

3. trivy config --config-check ./trivy_policy cert-manager.yaml

### Target

Git Repository

### Scanner

Misconfiguration

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
2024-11-15T14:02:12+01:00	DEBUG	No plugins loaded
2024-11-15T14:02:12+01:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2024-11-15T14:02:12+01:00	DEBUG	Cache dir	dir="/Users/xxxx/Library/Caches/trivy"
2024-11-15T14:02:12+01:00	DEBUG	Cache dir	dir="/Users/xxxx/Library/Caches/trivy"
2024-11-15T14:02:12+01:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-11-15T14:02:12+01:00	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-15T14:02:12+01:00	DEBUG	[misconfig] Checks successfully loaded from disk
2024-11-15T14:02:12+01:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-11-15T14:02:12+01:00	DEBUG	Initializing scan cache...	type="memory"
2024-11-15T14:02:12+01:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Helm"
2024-11-15T14:02:13+01:00	DEBUG	[rego] Overriding filesystem for checks
2024-11-15T14:02:13+01:00	DEBUG	[rego] Embedded libraries are loaded	count=15
2024-11-15T14:02:13+01:00	DEBUG	[rego] Embedded checks are loaded	count=509
2024-11-15T14:02:13+01:00	DEBUG	[rego] Checks from disk are loaded	count=525
2024-11-15T14:02:13+01:00	DEBUG	[rego] Overriding filesystem for data
2024-11-15T14:02:13+01:00	WARN	[rego] Module has no input selectors - it will be loaded for all inputs!	file_path="xxxxx/trivy_policy/ksv114_exception.rego" module="xxxxx/trivy_policy/ksv114_exception.rego"
2024-11-15T14:02:13+01:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Kubernetes"
2024-11-15T14:02:13+01:00	DEBUG	[rego] Overriding filesystem for checks
2024-11-15T14:02:13+01:00	DEBUG	[rego] Embedded libraries are loaded	count=15
2024-11-15T14:02:13+01:00	DEBUG	[rego] Embedded checks are loaded	count=509
2024-11-15T14:02:14+01:00	DEBUG	[rego] Checks from disk are loaded	count=525
2024-11-15T14:02:14+01:00	DEBUG	[rego] Overriding filesystem for data
2024-11-15T14:02:14+01:00	WARN	[rego] Module has no input selectors - it will be loaded for all inputs!	file_path="xxxxx/trivy_policy/ksv114_exception.rego" module="xxxxx/trivy_policy/ksv114_exception.rego"
2024-11-15T14:02:14+01:00	DEBUG	[kubernetes scanner] Scanning files...	count=49
2024-11-15T14:02:14+01:00	DEBUG	[rego] Scanning inputs	count=49
2024-11-15T14:02:18+01:00	DEBUG	OS is not detected.
2024-11-15T14:02:18+01:00	INFO	Detected config files	num=1
2024-11-15T14:02:18+01:00	DEBUG	Scanned config file	file_path="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Found an ignore file	file_path=".trivyignore"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV048" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV056" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV056" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV014" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV030" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV037" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV041" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV044" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV045" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV046" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV048" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV049" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV050" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV056" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV106" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	Ignored	id="KSV110" target="cert-manager.yaml"
2024-11-15T14:02:18+01:00	DEBUG	[vex] VEX filtering is disabled




AVD-KSV-0114 (CRITICAL): ClusterRole 'cert-manager-cainjector' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Webhooks can silently intercept or actively mutate/block resources as they are being created or updated. This includes secrets and pod specs.

See https://avd.aquasec.com/misconfig/ksv114
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 cert-manager.yaml:12106-12108
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
12106 ┌   - apiGroups: ["admissionregistration.k8s.io"]
12107 │     resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"]
12108 └     verbs: ["get", "list", "watch", "update", "patch"]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Operating System

macOS Sonoma

Version

Version: 0.57.0
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-10-29 06:17:43.289538659 +0000 UTC
  NextUpdate: 2024-10-30 06:17:43.289538499 +0000 UTC
  DownloadedAt: 2024-10-29 11:17:48.449548 +0000 UTC
Check Bundle:
  Digest: sha256:9cc30e6eb1c0dc0b4a4791b61c3dbff8799d08daeac893c08317e7b054ecab14
  DownloadedAt: 2024-11-15 11:16:52.270695 +0000 UTC

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

Are you trying to ignore a check? You can do via https://aquasecurity.github.io/trivy/v0.57/docs/scanner/misconfiguration/#skipping-resources-by-inline-comments

FYI Rego EXCEPTIONS have been deprecated as of v0.57.0. This change was announced here #7474

[bovy89]

I completely missed that deprecation. In my case, source code is from 3td party and I don't want to manual edit it at every upgrade because this is an unmaintainable approach.
Is there an alternative (but maintainable) way to do it as we use to do with rego exception (fine-grained exception handling like with inline comments) or the only ways are to globally disable it using .trivyignore or completly disable misconfig check for 3td party software?

[nikpivkin]

Hi @bovy89 !

You can ignore a check by content. For example, you know that the AVD-KSV-0114 check should not be triggered for the validatingwebhookconfigurations resource, then you can write the following ignore rule:

package trivy

import rego.v1

default ignore := false

ignore if {
    input.AVDID == "AVD-KSV-0114"
    some line in input.CauseMetadata.Code.Lines
    contains(line.Content, "validatingwebhookconfigurations")
}

❯ trivy conf cert-manager.yaml |grep AVD-KSV-0114
2024-11-20T17:06:26+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-20T17:06:30+06:00       INFO    Detected config files   num=1
AVD-KSV-0114 (CRITICAL): ClusterRole 'cert-manager-cainjector' should not have access to resources ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] for verbs ["create", "update", "patch", "delete", "deletecollection", "impersonate", "*"]
❯ trivy conf cert-manager.yaml --ignore-policy ignore-ksv114.rego |grep AVD-KSV-0114
2024-11-20T17:07:43+06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-20T17:07:47+06:00       INFO    Detected config files   num=1

You can read about ignoring checks with Rego in the documentation: https://trivy.dev/v0.57/docs/configuration/filtering/#by-rego