| 1 | +package com.cloudogu.ces.cesbuildlib |
| 2 | + |
| 3 | +class Trivy implements Serializable { |
| 4 | + def script |
| 5 | + String trivyReportFilename |
| 6 | + |
| 7 | + Trivy(script, String trivyReportFilename = "${env.WORKSPACE}/.trivy/trivyReport.json") { |
| 8 | + this.script = script |
| 9 | + this.trivyReportFilename = trivyReportFilename |
| 10 | + } |
| 11 | + |
| 12 | + /** |
| 13 | + * Scans an image for vulnerabilities. |
| 14 | + * Notes: |
| 15 | + * - Use a .trivyignore file for allowed CVEs |
| 16 | + * - This function will generate a JSON formatted report file which can be converted to other formats via saveFormattedTrivyReport() |
| 17 | + * - Evaluate via exit codes: 0 = no vulnerability; 1 = vulnerabilities found; other = function call failed |
| 18 | + * |
| 19 | + * @param imageName The image name; may include version tag |
| 20 | + * @param trivyVersion The version of Trivy used for scanning |
| 21 | + * @param additionalFlags Additional Trivy command flags |
| 22 | + * @param scanLevel The vulnerability level to scan. Can be a member of TrivyScanLevel or a custom String (e.g. 'CRITICAL,LOW') |
| 23 | + * @param strategy The strategy to follow after the scan. Should the build become unstable or failed? Or Should any vulnerability be ignored? (@see TrivyScanStrategy) |
| 24 | + * // TODO: A strategy could be implemented by the user via the exit codes of this function. Should we remove the strategy parameter? |
| 25 | + * @return Returns 0 if the scan was ok (no vulnerability found); returns 1 if any vulnerability was found |
| 26 | + */ |
| 27 | + int scanImage(String imageName, String trivyVersion = "0.57.0", String additionalFlags, String scanLevel = TrivyScanLevel.CRITICAL, String strategy = TrivyScanStrategy.FAIL) { |
| 28 | + // TODO: Run trivy scan inside Docker container, e.g. via Jenkins' Docker.image() function |
| 29 | + // See runTrivyInDocker function: https://github.com/cloudogu/ces-build-lib/blob/c48273409f8f506e31872fe2857650bbfc76a222/vars/findVulnerabilitiesWithTrivy.groovy#L48 |
| 30 | + // TODO: Write result to trivyReportFile in json format (--format json), which can be converted in the saveFormattedTrivyReport function |
| 31 | + // TODO: Include .trivyignore file, if existent. Do not fail if .trivyignore file does not exist. |
| 32 | + } |
| 33 | + |
| 34 | + /** |
| 35 | + * Save the Trivy scan results as a file with a specific format |
| 36 | + * |
| 37 | + * @param format The format of the output file (@see TrivyScanFormat) |
| 38 | + */ |
| 39 | + void saveFormattedTrivyReport(String format = TrivyScanFormat.HTML) { |
| 40 | + // TODO: DO NOT scan again! Take the trivyReportFile and convert its content |
| 41 | + // See https://aquasecurity.github.io/trivy/v0.52/docs/references/configuration/cli/trivy_convert/ |
| 42 | + } |
| 43 | + |
| 44 | +} |
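Review bot: The constructor's default argument on line 7 reads `env.WORKSPACE`, but `env` is not a property of this class and nothing in the file brings it into scope, so the one-argument constructor will most likely fail with a MissingPropertyException at runtime; Groovy lets a default expression refer to an earlier parameter, so `Trivy(script, String trivyReportFilename = "${script.env.WORKSPACE}/.trivy/trivyReport.json") {` resolves it through the pipeline script instead. On line 27 `additionalFlags` is a required parameter sandwiched between defaulted ones, which makes the generated overloads surprising (two positional strings bind the second to additionalFlags, three bind it to trivyVersion); giving it a default, `String additionalFlags = "",` keeps every optional parameter trailing. `scanImage` is declared `int` but the stub has no return statement, so the exit-code contract described in the Javadoc (0 / 1 / other) is not yet honoured and callers gating a build on it would get a meaningless result. When the TODO on line 28 is implemented, imageName and additionalFlags presumably end up in a shell command, so they should be quoted or passed as separate arguments rather than interpolated into one `sh` string. A short Javadoc on the constructor stating that `trivyReportFilename` defaults to a JSON file under the workspace and that `script` is the calling pipeline would also help.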