Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ignore (suppress) findings globally (system-wide) #3231

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

ignore (suppress) findings globally (system-wide) #3231

wants to merge 1 commit into from

Conversation

tomaszn
Copy link

@tomaszn tomaszn commented Nov 24, 2023

Description

This change implements a way to ignore security advisories (like CVE, GHSA) globally, system-wide. Vulnerabilities caused by advisories listed in the IGNORED_ADVISORIES environment variable will not be created at all.

Addressed Issue

This fixes #1495, which contains rationale behind this feature.

Additional Details

I solved the issue as simply as I found possible. I treat it more as a workaround for a critical shortage.

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have added corresponding update logic
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

@tomaszn
Ignore (suppress) advisories globally, systemwide
e5ae8a6 
Advisories listed in `IGNORED_ADVISORIES` environment variable will not
trigger a vulnerability. This allows removing noise from disputed or
other invalid advisories. Configuration via an environment variable has
been chosen to allow versioning changes in a VCS like Git, when the
deployment configuration is versioned.

Signed-off-by: Tomasz Nowak <[email protected]>
@valentijnscholten
Copy link
Contributor

How practical is this? Seems like it needs a restart after setting or changing the list of ignored advisories (which ignore vulnerabilities).
Also my feeling is that when vulnerabilities are published, DT will quite quickly have these stored and applied to components. Setting the environment variable after that only prevents future assignment of the vulnerability, but will leave existing assignment behind (I think).

Would it work to have an ignore flag on a vulnerability in DT which can be set/unset via the UI and API. Additionaly an event (and/or scheduled task) that removes ignored vulnerabilities from components?

@nscuro
Copy link
Member

nscuro commented Nov 26, 2023

There is work underway here to address this feature with a more sustainable solution. Feedback much appreciated.

@tomaszn
Copy link
Author

tomaszn commented Nov 28, 2023
edited
Loading

@valentijnscholten, you are right, it has all these downsides. Yet worked for me for several months now.

It is quite practical, because with the deployment configuration versioned, this approach allows documenting and reviewing the changes via merge requests. With a simple switch in the UI widely accessible, beginning users could by mistake ignore the vulnerability globally, instead of suppressing it in the project. It would need a permission.

Maybe the whole suppression feature could be reused, not only for a switch as you suggest, but also for the rest of the analysis inputs. I can imagine that no value in the "project_id" database column would mean a global suppression. Definitely a better solution than mine.

And this use case is also covered by @nscuro's work.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

system wide vulnerability management
3 participants
@tomaszn @valentijnscholten @nscuro