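# Example Trivy ignore policy.
#
# Trivy evaluates `ignore` once per vulnerability with the finding as `input`.
# Any rule body below that succeeds sets `ignore` to true and the finding is
# dropped from the report; when no body succeeds the default of false applies.
# Fields read from `input`: PkgName, Severity, CweIDs, CVSS.nvd.V3Vector and
# CVSS.redhat.V3Vector. Rules keyed on PkgName compare only the bare package
# name; no version or other field is checked.
package trivy

import data.lib.trivy

default ignore = false

# NVD CVSSv3 vector string; undefined when the finding has no NVD v3 score,
# which makes every rule that parses it fall through (the finding is kept).
nvd_v3_vector = v {
    v := input.CVSS.nvd.V3Vector
}

# Red Hat CVSSv3 vector string; undefined when Red Hat has not scored the CVE.
redhat_v3_vector = v {
    v := input.CVSS.redhat.V3Vector
}

# has_no_denied_cwe(deny) holds when the finding carries at least one CWE ID
# and none of them is in the set `deny`. It is deliberately undefined when
# input.CweIDs is absent or empty, so a finding with no CWE data is never
# ignored by a CWE-based rule (fail closed instead of treating "unknown CWE"
# as "not in the deny list").
has_no_denied_cwe(deny) {
    count(input.CweIDs) > 0
    count({x | x := input.CweIDs[_]; deny[x]}) == 0
}

# Ignore a vulnerability which requires high privilege.
# Both the NVD and the Red Hat vectors must agree; if either vector is
# missing, this rule does not fire.
ignore {
    nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
    nvd_cvss_vector.PrivilegesRequired == "High"

    # Check against RedHat scores as well as NVD
    redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
    redhat_cvss_vector.PrivilegesRequired == "High"
}

# Ignore a vulnerability which requires user interaction.
# As above, both vectors must be present and agree.
ignore {
    nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
    nvd_cvss_vector.UserInteraction == "Required"

    # Check against RedHat scores as well as NVD
    redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
    redhat_cvss_vector.UserInteraction == "Required"
}

# openssl: ignore findings that are not reachable over the network
# (NVD attack vector Physical or Local). Only the NVD vector is consulted.
ignore {
    input.PkgName == "openssl"

    # Split CVSSv3 vector
    nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

    # Evaluate Attack Vector
    ignore_attack_vectors := {"Physical", "Local"}
    nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]
}

# openssl: ignore non-CRITICAL findings unless they are memory-safety or
# information-disclosure issues. Findings without CWE data are kept.
ignore {
    input.PkgName == "openssl"

    # Evaluate severity
    input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]

    # Evaluate CWE-ID
    deny_cwe_ids := {
        "CWE-119", # Improper Restriction of Operations within the Bounds of a Memory Buffer
        "CWE-200", # Exposure of Sensitive Information to an Unauthorized Actor
    }

    has_no_denied_cwe(deny_cwe_ids)
}

# bash: ignore non-CRITICAL findings whose NVD attack vector is not Network.
ignore {
    input.PkgName == "bash"

    # Split CVSSv3 vector
    nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

    # Evaluate Attack Vector
    ignore_attack_vectors := {"Physical", "Local", "Adjacent"}
    nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]

    # Evaluate severity
    input.Severity == {"LOW", "MEDIUM", "HIGH"}[_]
}

# django: ignore LOW/MEDIUM findings with a Physical or Local NVD attack
# vector, unless they are SQL or OS command injection. Findings without CWE
# data are kept.
ignore {
    input.PkgName == "django"

    # Split CVSSv3 vector
    nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)

    # Evaluate Attack Vector
    ignore_attack_vectors := {"Physical", "Local"}
    nvd_cvss_vector.AttackVector == ignore_attack_vectors[_]

    # Evaluate severity
    input.Severity == {"LOW", "MEDIUM"}[_]

    # Evaluate CWE-ID
    deny_cwe_ids := {
        "CWE-89", # SQL Injection
        "CWE-78", # OS Command Injection
    }

    has_no_denied_cwe(deny_cwe_ids)
}

# jquery: ignore every finding that is not XSS. Findings without CWE data are
# kept. Only entries that carry an NVD CVSSv3 vector are considered; the
# vector's contents are not needed, so it is required rather than parsed
# (an unused assignment is rejected by OPA in strict mode).
ignore {
    input.PkgName == "jquery"

    # Require an NVD CVSSv3 vector
    nvd_v3_vector

    # Evaluate CWE-ID
    deny_cwe_ids := {"CWE-79"} # XSS
    has_no_denied_cwe(deny_cwe_ids)
}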