feat(misconf): Support --ignore-policy in config scans

Signed-off-by: Simar <simar@linux.com>

pkg/commands/app.go

@@ -622,7 +622,6 @@ func NewServerCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 func NewConfigCommand(globalFlags *flag.GlobalFlagGroup) *cobra.Command {
 	reportFlagGroup := flag.NewReportFlagGroup()
 	reportFlagGroup.DependencyTree = nil // disable '--dependency-tree'
-	reportFlagGroup.IgnorePolicy = nil   // disable '--ignore-policy'
 	reportFlagGroup.ListAllPkgs = nil    // disable '--list-all-pkgs'
 	reportFlagGroup.ExitOnEOL = nil      // disable '--exit-on-eol'
 	reportFormat := flag.ReportFormatFlag

pkg/flag/misconf_flags.go

@@ -76,6 +76,7 @@ type MisconfFlagGroup struct {
 	PolicyBundleRepository *Flag
 
 	// Values Files
+	IgnorePolicy               *Flag
 	HelmValues                 *Flag
 	HelmValueFiles             *Flag
 	HelmFileValues             *Flag
@@ -90,6 +91,7 @@ type MisconfOptions struct {
 	PolicyBundleRepository string
 
 	// Values Files
+	IgnorePolicy        string
 	HelmValues          []string
 	HelmValueFiles      []string
 	HelmFileValues      []string
@@ -122,6 +124,7 @@ func (f *MisconfFlagGroup) Flags() []*Flag {
 		f.IncludeNonFailures,
 		f.ResetPolicyBundle,
 		f.PolicyBundleRepository,
+		f.IgnorePolicy,
 		f.HelmValues,
 		f.HelmValueFiles,
 		f.HelmFileValues,
@@ -136,6 +139,7 @@ func (f *MisconfFlagGroup) ToOptions() (MisconfOptions, error) {
 		IncludeNonFailures:     getBool(f.IncludeNonFailures),
 		ResetPolicyBundle:      getBool(f.ResetPolicyBundle),
 		PolicyBundleRepository: getString(f.PolicyBundleRepository),
+		IgnorePolicy:           getString(f.IgnorePolicy),
 		HelmValues:             getStringSlice(f.HelmValues),
 		HelmValueFiles:         getStringSlice(f.HelmValueFiles),
 		HelmFileValues:         getStringSlice(f.HelmFileValues),

pkg/flag/options.go

@@ -153,7 +153,7 @@ func (o *Options) FilterOpts() result.FilterOption {
 		IgnoreStatuses:     o.IgnoreStatuses,
 		IncludeNonFailures: o.IncludeNonFailures,
 		IgnoreFile:         o.IgnoreFile,
-		PolicyFile:         o.IgnorePolicy,
+		PolicyFile:         o.ReportOptions.IgnorePolicy,
 		IgnoreLicenses:     o.IgnoredLicenses,
 		VEXPath:            o.VEXPath,
 	}

pkg/result/filter.go

@@ -75,12 +75,36 @@ func FilterResult(ctx context.Context, result *types.Result, ignoreConf IgnoreCo
 	sort.Sort(types.BySeverity(filteredVulns))
 
 	result.Vulnerabilities = filteredVulns
+	result.MisconfSummary = calcMisconfSummary(result, misconfSummary, filteredMisconfs)
 	result.Misconfigurations = filteredMisconfs
-	result.MisconfSummary = misconfSummary
 
 	return nil
 }
 
+func calcMisconfSummary(result *types.Result, misconfSummary *types.MisconfSummary, filteredMisconfs []types.DetectedMisconfiguration) *types.MisconfSummary {
+	if misconfSummary == nil {
+		return nil
+	}
+
+	var failed, passed int
+	for _, rm := range result.Misconfigurations {
+		switch rm.Status {
+		case types.StatusPassed:
+			passed++
+		case types.StatusFailure:
+			failed++
+		}
+	}
+
+	if len(result.Misconfigurations)-len(filteredMisconfs) > 0 {
+		misconfSummary.Exceptions = len(result.Misconfigurations) - len(filteredMisconfs) - passed
+	} else {
+		misconfSummary.Exceptions = 0
+	}
+
+	return misconfSummary
+}
+
 // filterByVEX determines whether a detected vulnerability should be filtered out based on the provided VEX document.
 // If the VEX document is not nil and the vulnerability is either not affected or fixed according to the VEX statement,
 // the vulnerability is filtered out.

pkg/result/filter_test.go

@@ -584,7 +584,7 @@ func TestFilter(t *testing.T) {
 						MisconfSummary: &types.MisconfSummary{
 							Successes:  0,
 							Failures:   1,
-							Exceptions: 0,
+							Exceptions: 2,
 						},
 						Misconfigurations: []types.DetectedMisconfiguration{
 							{
@@ -685,6 +685,66 @@ func TestFilter(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "ignore file for misconf",
+			args: args{
+				report: types.Report{
+					Results: types.Results{
+						{
+							Misconfigurations: []types.DetectedMisconfiguration{
+								{
+									ID:          "AVD-TEST-0001",
+									AVDID:       "AVD-TEST-0001",
+									Title:       "test-0001",
+									Description: "foo",
+									Severity:    dbTypes.SeverityHigh.String(),
+									Status:      types.StatusFailure,
+								},
+								{ // this misconf is ignored
+									ID:          "AVD-TEST-0002",
+									AVDID:       "AVD-TEST-0002",
+									Title:       "test-0002",
+									Description: "bar",
+									Severity:    dbTypes.SeverityHigh.String(),
+									Status:      types.StatusPassed,
+								},
+								{ // this misconf is ignored
+									ID:          "AVD-TEST-0003",
+									AVDID:       "AVD-TEST-0003",
+									Title:       "test-0003",
+									Description: "baz",
+									Severity:    dbTypes.SeverityHigh.String(),
+									Status:      types.StatusFailure,
+								},
+							},
+						},
+					},
+				},
+				severities: []dbTypes.Severity{dbTypes.SeverityHigh},
+				policyFile: "./testdata/test-ignore-policy-misconf.rego",
+			},
+			want: types.Report{
+				Results: types.Results{
+					{
+						MisconfSummary: &types.MisconfSummary{
+							Successes:  1,
+							Failures:   2,
+							Exceptions: 1,
+						},
+						Misconfigurations: []types.DetectedMisconfiguration{
+							{
+								ID:          "AVD-TEST-0001",
+								AVDID:       "AVD-TEST-0001",
+								Title:       "test-0001",
+								Description: "foo",
+								Severity:    dbTypes.SeverityHigh.String(),
+								Status:      types.StatusFailure,
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "happy path with duplicates, one with empty fixed version",
 			args: args{

pkg/result/testdata/test-ignore-policy-misconf.rego

@@ -0,0 +1,9 @@
+package trivy
+
+import data.lib.trivy
+
+default ignore=false
+
+ignore {
+	input.AVDID != "AVD-TEST-0001"
+}