ci: mark CVE-2024-3154 as a false scan positive (#7215)

Signed-off-by: Justin Chadwell <[email protected]>

.trivyignore.yaml

@@ -0,0 +1,5 @@
+vulnerabilities:
+ # https://github.com/advisories/GHSA-c5pj-mqfh-rvc3
+ # This issue is not fixed in a version of runc we can feasibly upgrade to. We
+ # simply do not use CRI-O for starting runc, so this is a false positive.
+ - id: CVE-2024-3154

ci/engine.go

@@ -225,19 +225,37 @@ func (e *Engine) Scan(ctx context.Context) (string, error) {
  return "", err
  }
 
- return dag.Container().
- From("aquasec/trivy:0.50.1").
+ ignoreFiles := dag.Directory().WithDirectory("/", e.Dagger.Source, DirectoryWithDirectoryOpts{
+ Include: []string{
+ ".trivyignore",
+ ".trivyignore.yml",
+ ".trivyignore.yaml",
+ },
+ })
+ ignoreFileNames, err := ignoreFiles.Entries(ctx)
+ if err != nil {
+ return "", err
+ }
+
+ ctr := dag.Container().
+ From("aquasec/trivy:0.50.4").
  WithMountedFile("/mnt/engine.tar", target.AsTarball()).
- WithMountedCache("/root/.cache/", dag.CacheVolume("trivy-cache")).
- WithExec([]string{
- "image",
- "--format=json",
- "--no-progress",
- "--exit-code=1",
- "--vuln-type=os,library",
- "--severity=CRITICAL,HIGH",
- "--input",
- "/mnt/engine.tar",
- }).
- Stdout(ctx)
+ WithMountedDirectory("/mnt/ignores", ignoreFiles).
+ WithMountedCache("/root/.cache/", dag.CacheVolume("trivy-cache"))
+
+ args := []string{
+ "image",
+ "--format=json",
+ "--no-progress",
+ "--exit-code=1",
+ "--vuln-type=os,library",
+ "--severity=CRITICAL,HIGH",
+ "--show-suppressed",
+ }
+ if len(ignoreFileNames) > 0 {
+ args = append(args, "--ignorefile=/mnt/ignores/"+ignoreFileNames[0])
+ }
+ args = append(args, "--input", "/mnt/engine.tar")
+
+ return ctr.WithExec(args).Stdout(ctx)
 }