Filter vulnerabilities by Type (yarn, composer etc.)

[bmiro]

Hi,

I was trying to filter the vulnerabilities by Type (as in the json format) i.e. to not report vulnerabilities found in Gemfiles or yarn if the project is a PHP (with composer).

I'm not sure if it can be done, for now I've tried the following:

• The option --vuln-type but it only refers to os or library not composer, yarn. This option does not refer to the same Type as the json output. So is not useful for me. Maybe would be nice to have the something --ignore-vuln-target-type xxxx,yyyy or --vuln-target-type xxxx,yyyy ?

• Also seen the option --skip-files or --skip-dir but we use trivy for generic scans on repos and we do not know the full path to files to skip. It would work with wildcards like --skip-files '*/yarn.lock' --skip-files '*/Gemfile' but they not seem to be supported.

• Finally there is the option to use --ignore-policy with a Rego file. But the input in rego does not seem have the Type nor the Target of the vulnerability as type is on the parent in the json:

    {   
      "Target": "web/core/yarn.lock",  <=====  Not seem to be available in the rego file                                                                                                                               
      "Class": "lang-pkgs",
      "Type": "yarn", <================= Not seem to be available in the rego file
      "Vulnerabilities": [
        {
          "VulnerabilityID": "CVE-2021-3749",
          "PkgName": "axios",
          "InstalledVersion": "0.21.1",
          "FixedVersion": "0.21.2",
          "Layer": {},
          "SeveritySource": "ghsa-npm",
          "PrimaryURL": "https://avd.aquasec.com/nvd/cve-2021-3749",
          "Title": "nodejs-axios: Regular expression denial of service in trim function",
          "Description": "axios is vulnerable to Inefficient Regular Expression Complexity",
          "Severity": "HIGH",
          "CweIDs": [
            "CWE-697"
          ],
          "CVSS": {

I've tried this regofile without success:

package trivy

import data.lib.trivy

default ignore = false

ignore {
    input.Type == "yarn"
}

I'm missing something? There is any way to filter by Target (with wildcards) or Type?

If not I think I can try to do a PR with the changes but I'm not sure with is the best option of the following:

• Add support for wildcards in the target
• Add a CLI option to filter Types (with the type meaning of the json)
• Make available the fields Target/Type to the input at the rego file

I would like to give a hand if you thing this is appropriate : )

Many thanks for the effort developing the software and attending those questions : )

[Poweranimal]

Thanks @bmiro for opening the issue.
I'm having the same use case and would love to ignore vulnerabilities in OPA rego files by Target/Type.

[dinvlad]

It would be nice to be able to ignore by os/library in .rego as well.

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.

[dinvlad]

/remove-lifecycle stale

[github-actions[bot]]

This issue is stale because it has been labeled with inactivity.