
Option to fail the build when an ignored CVE is no longer found #53

Open
yob opened this issue May 13, 2024 · 1 comment
yob commented May 13, 2024

We're using the new-ish support for ignoring CVEs that we've triaged as not relevant. It's great!

The lists of ignored CVEs are growing though, and we've noticed a few of them are no longer found in the images. Mostly due to fixes being released by the relevant Linux distribution.

We'd love an option to fail the build if an ignored CVE is no longer found, to encourage us to tidy up the list incrementally. Would you be open to a PR that implements it?

jamestelfer self-assigned this Jun 18, 2024

jamestelfer (Member) commented

Great question!

One note with this idea is that the ignore functionality supports a central ignore list found on the agent: in order to fail or otherwise notify on an out-of-date or unmatched vulnerability, we'd need to track the source of the ignore definition as well.

There are two parts to this change IMO:

  • alter the annotation/output to show the set of ignore entries that were not matched in the check
  • optionally fail the build if these are present (fail-on-unmatched-ignores?)

WDYT?
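The two parts sketched above (report the ignore entries that matched nothing, and optionally fail on them) amount to a small set-difference over the merged ignore list, with the origin of each entry carried along so the report can say where an unmatched ignore was defined. The following is an added illustration written for this thread, not the plugin's own code: the ignore-list shape, the finding format (a list of CVE ids), the `"pipeline"`/`"agent"` source labels and the `fail_on_unmatched_ignores` option name are all assumptions taken from the discussion, and the sample data is constructed.

```python
"""Illustration of reporting and optionally failing on unmatched ignore entries.

Added example for the issue discussion; not the plugin's code. The ignore
list format, the finding format and the option name are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class IgnoreEntry:
    """One ignored vulnerability plus where the ignore was defined."""
    cve: str
    source: str  # assumed labels: "pipeline" (per-pipeline config) or "agent" (central list)


def load_ignores(pipeline_ignores, agent_ignores):
    """Merge ignore lists from both sources, keeping the origin of each entry.

    CVE ids are normalised to upper case so 'cve-2023-0002' and 'CVE-2023-0002'
    compare equal; the same id may legitimately appear in both sources.
    """
    entries = [IgnoreEntry(c.upper(), "pipeline") for c in pipeline_ignores]
    entries += [IgnoreEntry(c.upper(), "agent") for c in agent_ignores]
    return entries


def partition_ignores(entries, findings):
    """Split ignore entries into those matching a current finding and those that do not."""
    found = {f.upper() for f in findings}
    matched = [e for e in entries if e.cve in found]
    unmatched = [e for e in entries if e.cve not in found]
    return matched, unmatched


def format_annotation(unmatched):
    """Text for the build annotation: each stale ignore with the list it came from."""
    if not unmatched:
        return "All ignore entries matched a current finding."
    lines = ["Ignore entries that matched no finding (consider removing them):"]
    for e in sorted(unmatched, key=lambda e: (e.source, e.cve)):
        lines.append(f"  - {e.cve} (defined in: {e.source})")
    return "\n".join(lines)


def decide_exit_code(unmatched, fail_on_unmatched_ignores, fail_sources=("pipeline", "agent")):
    """Return 1 only when the option is on and an unmatched entry comes from a source
    the caller wants enforced; otherwise 0. Restricting fail_sources lets a pipeline
    avoid failing on entries in the central agent list it cannot edit itself.
    """
    stale = [e for e in unmatched if e.source in fail_sources]
    return 1 if (fail_on_unmatched_ignores and stale) else 0


# Constructed sample data (not real triage results).
PIPELINE_IGNORES = ["CVE-2023-0001", "CVE-2023-0002"]
AGENT_IGNORES = ["CVE-2022-9999", "cve-2023-0002"]   # one duplicate across sources, one lowercase
FINDINGS = ["CVE-2023-0002", "CVE-2024-1234"]         # what the scan currently reports


def run(fail_on_unmatched_ignores=False, fail_sources=("pipeline", "agent")):
    """Run the check over the sample data; returns (annotation text, exit code)."""
    entries = load_ignores(PIPELINE_IGNORES, AGENT_IGNORES)
    _matched, unmatched = partition_ignores(entries, FINDINGS)
    return format_annotation(unmatched), decide_exit_code(
        unmatched, fail_on_unmatched_ignores, fail_sources
    )


if __name__ == "__main__":
    text, code = run(fail_on_unmatched_ignores=True)
    print(text)
    raise SystemExit(code)
```

With the sample data, CVE-2023-0002 is still found and so stays quiet, while CVE-2023-0001 (pipeline list) and CVE-2022-9999 (agent list) are reported as unmatched; with the option on, the exit code is 1. Tracking the source per entry is what makes the `fail_sources` restriction possible, which is the point raised about the central agent list.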
