add .trivyignore file to ignore false positive CVEs

NASA-AMMOS · Sep 5, 2024 · 7426137 · 7426137
1 parent 9d2cd88
commit 7426137
Show file tree

Hide file tree

Showing 5 changed files with 25 additions and 6 deletions.
diff --git a/.github/scripts/compareDatabasesUp.sh b/.github/scripts/compareDatabasesUp.sh
@@ -3,10 +3,10 @@
 mkdir results
 mkdir comparison
 
-PGCMPINPUT1=./pgdumpmigrated/AerieMigrated \
-PGCMPINPUT2=./pgdumpraw/AerieRaw \
-PGCLABEL1=AerieMigrated \
-PGCLABEL2=AerieRaw \
+PGCMPINPUT1=./pgdumpmigrated/AerieMigratedUp \
+PGCMPINPUT2=./pgdumpcurrent/AerieCurrent \
+PGCLABEL1=AerieMigratedUp \
+PGCLABEL2=AerieCurrent \
 PGCFULLOUTPUT=./comparison/fulloutput.txt \
 PGCUNEXPLAINED=./comparison/unexplained.txt \
 PGCBADEXPLAIN=./comparison/badexplanations.txt \

diff --git a/.github/workflows/pgcmp.yml b/.github/workflows/pgcmp.yml
@@ -5,10 +5,14 @@ on:
     paths:
       - "deployment/hasura/migrations/**"
       - "deployment/postgres-init-db/sql/**"
+      - ".github/workflows/pgcmp.yml"
+      - ".github/workflows/scripts/compareDatabases*"
   push:
     paths:
       - "deployment/hasura/migrations/**"
       - "deployment/postgres-init-db/sql/**"
+      - ".github/workflows/pgcmp.yml"
+      - ".github/workflows/scripts/compareDatabases*"
     branches:
       - develop
       - dev-[0-9]+.[0-9]+.[0-9]+

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -147,8 +147,10 @@ jobs:
       fail-fast: false
     name: scan ${{ matrix.image }}
     steps:
+      - uses: actions/checkout@v4
+
       - name: Scan ${{ matrix.image }} for vulnerabilities
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
         with:
           image-ref: ${{ env.REGISTRY }}/${{ env.OWNER }}/${{ matrix.image }}:develop
           ignore-unfixed: true
@@ -158,6 +160,7 @@ jobs:
           template: "@/contrib/html.tpl"
           scanners: "vuln"
           output: "${{ matrix.image }}-results.html"
+          trivyignores: .trivyignore
 
       - name: Upload ${{ matrix.image }} scan results
         if: always()

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,11 @@
+# List of CVEs to ignore in our security scans in Publish workflow
+# see https://aquasecurity.github.io/trivy/v0.53/docs/configuration/filtering/#trivyignore
+
+# These were determined to be false positives caused by the `gosu` library
+# which is installed by the postgres docker container and does not use the entirety of the Go stdlib
+# for details see:
+# - https://github.com/tianon/gosu/blob/master/SECURITY.md
+# - https://github.com/NASA-AMMOS/aerie/pull/1546
+CVE-2023-24538
+CVE-2023-24540
+CVE-2024-24790
diff --git a/deployment/hasura/migrations/Aerie/9_sequence_workspaces/up.sql b/deployment/hasura/migrations/Aerie/9_sequence_workspaces/up.sql
@@ -22,6 +22,7 @@ create table sequencing.workspace (
     on delete set null
 );
 
+
 comment on table sequencing.workspace is e''
   'A container for multiple sequences.';
 comment on column sequencing.workspace.name is e''
@@ -46,7 +47,7 @@ alter table sequencing.user_sequence
   add column workspace_id integer,
 
   add foreign key (workspace_id)
-    references sequencing.parcel (id)
+    references sequencing.workspace (id)
     on delete cascade;
 
 comment on column sequencing.user_sequence.workspace_id is e''