Feature: Added exceptions flag in scan image cmd #1568
Looks good @VaibhavMalik4187, do you think we can add a test covering this new feature?
Thanks for the approval @matthyx. Yes, I'll add a test soon.
@matthyx I've added a few tests.
Waiting for @dwertent to confirm this is what we want.
Hi @VaibhavMalik4187, thank you for contributing this PR.
This will allow us to properly support CI/CDs as well as scan images from the CLI. Thoughts?
Hi @dwertent, thanks for the feedback. I agree that having a consistent exception format for both configuration scanning and vulnerability scanning would be beneficial for CI/CD integration and CLI usage. I'm open to aligning my PR with the proposed object structure.
@VaibhavMalik4187 Great, let's do it 🥇 The attributes should support:
e.g.
We should support regex as well. Also, we should exclude based on severities as well.
What do you think?
I'm not very sure about the regex part. Where do you intend to use regex? Could you please elaborate a bit more? In the exceptions object fields?
@VaibhavMalik4187 We are currently very busy with some features.
@dwertent, thanks for the update.
Appreciate your contribution! Currently, our team is immersed in prioritizing other features, causing a delay in reviewing your Pull Request (PR). Upon my initial review, I've observed that the unit tests comprehensively cover the entire image scan command.
However, there's a potential concern with testing in diverse environments, given that mock data might not precisely replicate real-world scenarios. To address this, I recommend focusing the unit tests specifically on a function designed to handle exceptions. Essentially, consider implementing a function like the following:
```go
func ignoreVulnerabilities(imageVulnerabilities, exceptions) imageVulnerabilities {
	// Implement logic to filter out vulnerabilities based on exceptions
	// Return the list without the ignored vulnerabilities
}
```
Please accompany this with thorough unit tests incorporating various scenarios, such as those involving regular expressions (regex). Verify that the function effectively handles different types of mock vulnerabilities and exceptions.
Feel free to update the PR with this refined approach, ensuring the unit tests validate the functionality in a diverse set of circumstances. Thanks for your efforts, and let me know if you have any questions or need further clarification.
cmd/scan/image.go
@@ -69,6 +75,8 @@ func getImageCmd(ks meta.IKubescape, scanInfo *cautils.ScanInfo) *cobra.Command | |||
}, | |||
} | |||
|
|||
// The exceptions flag | |||
cmd.PersistentFlags().StringVarP(&exceptions, "exceptions", "E", "", "Path to the exceptions file") |
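Review bot: the usage string registered here says "Path to the exceptions file", while the PR description's "How to Test" section shows `-E` taking a comma-separated list of CVE IDs; the flag help, the description and the parsing code should agree on one input format, and the help string should state what the file is expected to contain so users know what to pass. Separately, `&exceptions` is not declared anywhere in this hunk, which suggests a package-level variable; since `getImageCmd` already receives `scanInfo *cautils.ScanInfo`, binding the flag to a field on `scanInfo` would keep the path with the other scan options and avoid mutable global state shared between invocations and tests.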
Can you please remove the short flag E?
Sure thing
@dwertent, thank you very much for reviewing the code. I'll update it shortly to ensure that the tests can replicate real-world scenarios and verify that the code functions as intended. I appreciate these suggestions.
This commit introduces the "exceptions" flag in the scan image command. Users can pass a list of vulnerabilities they ignore while scanning an image using this flag. Also added tests for the same. Fixes: kubescape#1564 Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
Added initial commit to start loading image exceptions from json files. Currently, it supports vulnerability exceptions using their CVE-IDs. Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
This commit adds relevant functions to support severity exceptions during image scan. Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
This commit introduces the ability to specify targets in image exceptions. Each target will have the following 4 attributes:
1. Registry
2. Organization
3. ImageName
4. ImageTag
These attributes will be used to match against the canonical image name of the image to be scanned. The vulnerabilities and the severities specified in the VulnerabilitiesIgnorePolicy object will be considered only if the image to be scanned matches the targets specified for that policy. Regular expressions can also be used to specify the image attributes. Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
Signed-off-by: VaibhavMalik4187 <vaibhavmalik2018@gmail.com>
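As an added example (not kubescape's own code), this is one way to write the `ignoreVulnerabilities` function the review asked for, combined with the four regex-capable target attributes the commit message describes. The type and field names, the anchoring of each regex, and the case-insensitive comparison of CVE IDs and severities are assumptions made here.

```go
package main

import (
	"regexp"
	"strings"
)

// Constructed types (hypothetical, not kubescape's own); the attribute and policy names come from the commit message.
type Vulnerability struct{ ID, Severity string }
type ImageTarget struct{ Registry, Organization, ImageName, ImageTag string }
type VulnerabilitiesIgnorePolicy struct {
	Targets                     []ImageTarget // each field is a regex; empty matches anything
	Vulnerabilities, Severities []string      // CVE IDs and severity names to ignore
}

// matchAttr anchors the pattern so that "nginx" does not also cover "nginx-ingress".
func matchAttr(pattern, value string) bool {
	ok, err := regexp.MatchString("^(?:"+pattern+")$", value)
	return pattern == "" || (err == nil && ok) // a malformed regex never matches, so the finding is still reported
}
// appliesTo is true when some target matches the scanned image on all four attributes.
func (p VulnerabilitiesIgnorePolicy) appliesTo(img ImageTarget) bool {
	for _, t := range p.Targets {
		if matchAttr(t.Registry, img.Registry) && matchAttr(t.Organization, img.Organization) &&
			matchAttr(t.ImageName, img.ImageName) && matchAttr(t.ImageTag, img.ImageTag) {
			return true
		}
	}
	return false
}
// ignoreVulnerabilities (the function the review asked for) returns vulns minus every finding
// whose CVE ID or severity is listed by a policy that applies to img.
func ignoreVulnerabilities(vulns []Vulnerability, img ImageTarget, policies []VulnerabilitiesIgnorePolicy) (kept []Vulnerability) {
	drop := map[string]bool{} // lower-cased so "high" and "High" both match
	for _, p := range policies {
		if p.appliesTo(img) {
			for _, list := range [][]string{p.Vulnerabilities, p.Severities} {
				for _, x := range list {
					drop[strings.ToLower(x)] = true
				}
			}
		}
	}
	for _, v := range vulns {
		if !drop[strings.ToLower(v.ID)] && !drop[strings.ToLower(v.Severity)] {
			kept = append(kept, v)
		}
	}
	return kept
}
```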
@dwertent I've refactored the code and added more comprehensive tests. Could you please have another look at this PR whenever you have some spare time? Thanks!
Thank you!
Overview
This commit introduces the "exceptions" flag in the scan image command. Users can pass a list of vulnerabilities they ignore while scanning an image using this flag.
Fixes: #1564
How to Test
```shell
kubescape scan image <imageName>
kubescape scan image <imageName> -E <comma separated list of exceptions, e.g: CVE-2023-6879,CVE-2023-45853>
```