
     1  package trivy
     2  
     3  import data.lib.trivy
     4  
     5  default ignore = false
     6  
     7  ignore_pkgs := {"bash", "bind-license", "rpm", "vim", "vim-minimal"}
     8  
     9  ignore_severities := {"LOW", "MEDIUM"}
    10  
    11  nvd_v3_vector = v {
    12  	v := input.CVSS.nvd.V3Vector
    13  }
    14  
    15  redhat_v3_vector = v {
    16  	v := input.CVSS.redhat.V3Vector
    17  }
    18  
    19  ignore {
    20  	input.PkgName == ignore_pkgs[_]
    21  }
    22  
    23  ignore {
    24  	input.Severity == ignore_severities[_]
    25  }
    26  
    27  # Ignore a vulnerability which is not remotely exploitable
    28  ignore {
    29  	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
    30  	nvd_cvss_vector.AttackVector != "Network"
    31  
    32  	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
    33  	redhat_cvss_vector.AttackVector != "Network"
    34  }
    35  
    36  # Ignore a vulnerability which requires high privilege
    37  ignore {
    38  	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
    39  	nvd_cvss_vector.PrivilegesRequired == "High"
    40  
    41  	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
    42  	redhat_cvss_vector.PrivilegesRequired == "High"
    43  }
    44  
    45  # Ignore a vulnerability which requires user interaction
    46  ignore {
    47  	nvd_cvss_vector := trivy.parse_cvss_vector_v3(nvd_v3_vector)
    48  	nvd_cvss_vector.UserInteraction == "Required"
    49  
    50  	redhat_cvss_vector := trivy.parse_cvss_vector_v3(redhat_v3_vector)
    51  	redhat_cvss_vector.UserInteraction == "Required"
    52  }
    53  
    54  # Ignore CSRF
    55  ignore {
    56  	# https://cwe.mitre.org/data/definitions/352.html
    57  	input.CweIDs[_] == "CWE-352"
    58  }