bridgecrewio / checkov-action

This GitHub Action runs Checkov against infrastructure-as-code, open source packages, container images, and CI/CD configurations to identify misconfigurations, vulnerabilities, and license compliance issues.
Apache License 2.0

Using skip_cve_package parameter with CVE-2023-46298 returns a failure #161

Open anastasialanz opened 7 months ago

anastasialanz commented 7 months ago

When testing out the functionality of the skip_cve_package parameter, I set it to CVE-2023-46298 to ignore this issue in the next.js package. After running the Checkov GitHub action, the PR still fails. Is there something else I would need to do to not have it fail if this package can't be updated immediately?

Example checkov.yml GitHub Action

      - name: Run Prisma Cloud
        id: prisma-cloud
        uses: bridgecrewio/checkov-action@v12
        with:
          api-key: ***
          output_format: cli
          framework: github_actions,sca_package
          skip_cve_package: CVE-2023-46298

CLI output:

       _               _              
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V / 
  \___|_| |_|\___|\___|_|\_\___/ \_/  

By Prisma Cloud | version: 3.2.2 
Update available 3.2.2 -> 3.2.3
Run pip3 install -U checkov to update 

sca_package scan results:

Failed checks: 1, Skipped checks: 371

    /package.json - CVEs Summary:
    ┌──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┐
    │ Total CVEs: 1        │ critical: 0          │ high: 0              │ medium: 0            │ low: 1               │ skipped: 0           │ Total Packages Used: │
    │                      │                      │                      │                      │                      │                      │ 0                    │
    ├──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┤
    │ To fix 0/1 CVEs, go to https://www.bridgecrew.cloud/                                                                                                           │
    ├──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┬──────────────────────┤
    │ Package [Lines]      │ CVE ID               │ Severity             │ Current version      │ Root fixed version   │ Compliant version    │ Reachability         │
    ├──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┼──────────────────────┤
    │ next [71-71]         │ CVE-2023-46298       │ LOW                  │ 12.3.4               │ N/A                  │ N/A                  │                      │
    └──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┴──────────────────────┘

Saarett commented 7 months ago

Hi @anastasialanz , as a paying customer of Prisma Cloud, you may reach out to your Customer Success representative so they can assist you 🙂

tsmithv11 commented 6 months ago

@anastasialanz thanks for reaching out! The flag you're using is for "package" level skipping, e.g., skip_cve_package: next. To skip the CVE, you need to use: skip_check: CKV_CVE_2023_46298 as documented here: https://www.checkov.io/2.Basics/Suppressing%20and%20Skipping%20Policies.html

I hope that helps!
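The same workflow step rewritten to show the two suppression styles the reply distinguishes, as an added example that is not from the issue or the project's own documentation; the secret name `PRISMA_API_KEY` is an assumption.

```yaml
# Added example: the issue's step with the skip inputs annotated to show
# what each one actually suppresses.
- name: Run Prisma Cloud
  id: prisma-cloud
  uses: bridgecrewio/checkov-action@v12
  with:
    # Assumed secret name; keep the API key out of the workflow file.
    api-key: ${{ secrets.PRISMA_API_KEY }}
    output_format: cli
    framework: github_actions,sca_package
    # Suppresses one policy, i.e. this single CVE, wherever it is reported.
    # Checkov's check ID for a CVE is the CVE ID with "-" replaced by "_"
    # and a "CKV_" prefix, which is the form skip_check expects.
    skip_check: CKV_CVE_2023_46298
    # Package-level alternative (commented out): this would silence every
    # CVE reported for the "next" package, a much broader exception than
    # skipping one check, so prefer skip_check for a single known finding.
    # skip_cve_package: next
```

Passing a CVE ID to skip_cve_package, as in the original step, matches no package name, which is why the finding still failed the run.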