mxab / pre-commit-trivy

MIT License

pre-commit hook returns failed after adding the findings to .trivyignore #17

Open MichaelMorozovCodit opened 3 months ago

MichaelMorozovCodit commented 3 months ago

Finding returns the following:

trivyfs-docker...........................................................Failed
- hook id: trivyfs-docker
- exit code: 1
- files were modified by this hook

2024-03-25T12:27:20.991Z        INFO    Vulnerability scanning is enabled
2024-03-25T12:27:20.991Z        INFO    Secret scanning is enabled
2024-03-25T12:27:20.991Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-25T12:27:20.991Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-25T12:27:21.617Z        INFO    Number of language-specific files: 1
2024-03-25T12:27:21.617Z        INFO    Detecting nuget vulnerabilities...

src/Codito.Esb.B2b.Order.Import/integrationtests/packages.config (nuget)

Total: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 1, CRITICAL: 0)

┌──────────────────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────┐
│           Library            │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                          Title                           │
├──────────────────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ Microsoft.Rest.ClientRuntime │ CVE-2022-26907 │ MEDIUM   │ fixed  │ 2.3.19            │ 2.3.24        │ Azure SDK for .NET Information Disclosure Vulnerability. │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2022-26907               │
├──────────────────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────┤
│ Newtonsoft.Json              │ CVE-2024-21907 │ HIGH     │        │ 10.0.3            │ 13.0.1        │ Improper Handling of Exceptional Conditions in           │
│                              │                │          │        │                   │               │ Newtonsoft.Json                                          │
│                              │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2024-21907               │
└──────────────────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────┘

To ignore these findings I add these to the .trivyignore:

CVE-2024-21907
CVE-2022-26907

Executing git add -A and then git commit -m "message" returns a failed test but no findings:

trivyfs-docker...........................................................Failed
- hook id: trivyfs-docker
- files were modified by this hook

2024-03-25T12:29:51.737Z        INFO    Vulnerability scanning is enabled
2024-03-25T12:29:51.737Z        INFO    Secret scanning is enabled
2024-03-25T12:29:51.737Z        INFO    If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-03-25T12:29:51.737Z        INFO    Please see also https://aquasecurity.github.io/trivy/v0.49/docs/scanner/secret/#recommendation for faster secret detection
2024-03-25T12:29:52.417Z        INFO    Number of language-specific files: 1
2024-03-25T12:29:52.417Z        INFO    Detecting nuget vulnerabilities...

Adding the detected vulnerabilities should return a Passed test.

pre-commit-config looks like this for pre-commit-trivy:

-   repo: https://github.com/mxab/pre-commit-trivy
    rev: v0.11.0
    hooks:
    -   id: trivyfs-docker
        args:
        -   --skip-dirs
        -   ./tests
        -   ./

Running on Windows 11.

mxab commented 3 months ago

In the second run does it just fail or does it also print out the vulnerabilities and you just omitted them?

Does it work if you directly run trivy fs --skip-dirs ./tests . ?

MichaelMorozovCodit commented 3 months ago

It just fails, no report. The output above is the exact output I receive in the terminal of my IDE, so no, no report. Before I tried this hook, I was running trivy as a custom script I inserted in the pre-commit file of the .git folder, and it worked as expected.

mxab commented 3 months ago

Ok, there is also the other message: "files were modified by this hook". Is the pre-commit hook maybe "failing" because of a modified file? Not sure which one this could be, but the error message would hint at something like that.

MichaelMorozovCodit commented 2 months ago

Well that's the thing, idk if your hook automatically edits files? If yes, the issue must lie there. If not, I wouldn't know where this message would come from. As I said, running a custom trivy script in the pre-commit file gives no problems. This script looks like this:

# Custom pre-commit script: skip with a message if trivy is not on PATH,
# otherwise scan the whole repository.
if ! command -v trivy >/dev/null 2>&1; then
    echo "trivy not installed, run trivy_install.ps1 or install trivy manually and add to path."
else
    echo "Running trivy scan..."
    trivy repo ./
fi

mxab commented 2 months ago

The only file that would "change" is the `.pre-commit-trivy-cache`. Do you see this modified after the failed run? I would assume that this is in the gitignore part and should therefore be ignored?
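One way to check mxab's hypothesis above, added here as an example and not code from the pre-commit-trivy project: it rebuilds the reporter's sequence (cache directory present, `git add -A`, then a hook that writes into the cache) in a throwaway repository and applies a `git diff` snapshot before and after the hook, which is assumed here to be the kind of comparison pre-commit uses for its "files were modified by this hook" message. The cache contents and the `hook_modification_check` function are constructed for this example.

```shell
#!/bin/sh
# Reproduce the "files were modified by this hook" condition with a fake hook
# that only writes into .pre-commit-trivy-cache (stand-in for trivy's cache).
# Assumption: pre-commit compares the tracked-file diff before and after the
# hook, so untracked or gitignored paths never count as modifications.
set -eu

# $1 = "ignored" to add the cache dir to .gitignore before staging,
#      anything else to leave it unignored and stage it with `git add -A`
#      (the reporter's step). Prints "modified" or "clean".
hook_modification_check() {
    mode="$1"
    repo="$(mktemp -d)"
    (
        cd "$repo"
        git init -q .
        echo "CVE-2024-21907" > .trivyignore            # as in the issue
        mkdir .pre-commit-trivy-cache
        echo "db v1" > .pre-commit-trivy-cache/db.txt    # constructed cache file
        if [ "$mode" = "ignored" ]; then
            echo ".pre-commit-trivy-cache/" > .gitignore
        fi
        git add -A                                        # stages the cache unless ignored
        before="$(git diff --no-ext-diff)"                # snapshot before the hook
        echo "db v2" > .pre-commit-trivy-cache/db.txt    # fake hook refreshes its cache
        after="$(git diff --no-ext-diff)"                 # snapshot after the hook
        if [ "$before" = "$after" ]; then echo clean; else echo modified; fi
    )
    rm -rf "$repo"
}

# Run both variants: the staged cache reports "modified", the ignored one "clean".
hook_modification_check tracked
hook_modification_check ignored
```

If the ignored variant is what you want, `git check-ignore .pre-commit-trivy-cache` returning 0 in the real repository confirms the entry is in effect.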