adjust trivy scan policy for available fixes (#143)

* adjust trivy scan policy for available fixes

Change the image scan with trivy that can block a pipeline to only consider fixes that are available. Resolves issues with UBI images failing on CVE-2019-1010022

Signed-off-by: Tim Robinson <[email protected]>

* set task flag for ignoreUnfixed

Signed-off-by: Tim Robinson <[email protected]>

tasks/3-img-scan-trivy.yaml

@@ -16,6 +16,9 @@ spec:
     - name: scan-image
       description: Flag indicating that a scan should be performed
       default: "false"
+    - name: trivy-ignoreUnfixed
+      description: Flag indicating that Trivy scans should ignore unfixed vulnerabilities 
+      default: "true"
     - name: SKOPEO_IMAGE
       default: quay.io/containers/skopeo:v1.1.0
     - name: IMAGE_FROM_TLS_VERIFY
@@ -83,7 +86,7 @@ spec:
           PATH_TO_IMAGE="/var/oci/image"
           echo -e "Trivy Security Scan image in registry"
           trivy image --exit-code 0 --input ${PATH_TO_IMAGE}
-          trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE}
+          TRIVY_IGNORE_UNFIXED="$(params.trivy-ignoreUnfixed)" trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE}
           my_exit_code=$?
           echo "Scan exit code :--- $my_exit_code"
           if [ ${my_exit_code} == 1 ]; then

tasks/9-img-scan.yaml

@@ -16,6 +16,9 @@ spec:
     - name: scan-trivy
       description: Flag indicating that a scan should be performed with Trivy
       default: "false"
+    - name: trivy-ignoreUnfixed
+      description: Flag indicating that Trivy scans should ignore unfixed vulnerabilities 
+      default: "true"
     - name: scan-ibm
       description: Flag indicating that a scan should be performed with IBM VA
       default: "false"
@@ -89,7 +92,7 @@ spec:
           PATH_TO_IMAGE="/var/oci/image"
           echo -e "Trivy Security Scan image in registry"
           trivy image --exit-code 0 --input ${PATH_TO_IMAGE}
-          trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE}
+          TRIVY_IGNORE_UNFIXED="$(params.trivy-ignoreUnfixed)" trivy image --exit-code 1 --severity CRITICAL --input ${PATH_TO_IMAGE}
           my_exit_code=$?
           echo "Scan exit code :--- $my_exit_code"
           if [ ${my_exit_code} == 1 ]; then
@@ -178,4 +181,4 @@ spec:
           else
             echo "VA Warning: non-OK status from Vulnerability Advisor ${VA_STATUS}"
             cat va-result.json | jq -r '.[]'
-          fi
+          fi