canonical · merkata · Nov 27, 2023 · Oct 30, 2023 · Oct 30, 2023 · Oct 31, 2023
diff --git a/.github/workflows/autoremove_trivyignore.yaml b/.github/workflows/autoremove_trivyignore.yaml
@@ -0,0 +1,57 @@
+# Copyright 2023 Canonical Ltd.
+# See LICENSE file for licensing details.
+
+name: Auto-remove ignored CVEs
+on:
+  workflow_call:
+
+jobs:
+  update-lib:
+    permissions:
+      id-token: write  # Enable OIDC
+      pull-requests: write
+      contents: write
+    name: Autoremove ignored CVEs
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/[email protected]
+        with:
+          fetch-depth: 0
+      - name: Check trivyignore
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.18.3
+          if [ -f ".trivyignore" ]
+          then
+            output=$(trivy fs . -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found")
+            newTrivyIgnore=()
+            for CVE in $(cat .trivyignore)
+            do
+              if [[ "$output" != *"$CVE"* ]]
+              then
+                echo "$CVE not present anymore, moving out of trivyignore file"
+                newTrivyIgnore+=( $CVE )
+              else
+                echo "$CVE still present"
+              fi
+            done
+            echo "Removing entries from trivyignore"
+            for IgnoredCVE in ${newTrivyIgnore[@]}
+            do
+              sed -i "/$IgnoredCVE/d" .trivyignore
+            done
+          fi
+      - name: Create pull request
+        uses: canonical/create-pull-request@main
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore: auto-remove ignored CVEs"
+          branch-name: "chore/autoremove-cves"
+          title: Auto-remote ignored CVEs
+          body: |
+            Automated action to remove ignored CVEs that are fixed.
+            The branch of this PR will be wiped during the next check.
+            Unless you really know what you're doing, you most likely don't want
+            to push any commits to this branch.
+          upsert: true
+          ignore-no-changes: true
@@ -89,6 +89,8 @@ jobs:
         path: ${{ fromJSON(needs.get-rocks.outputs.rock-paths) }}
     steps:
       - uses: actions/[email protected]
+        with:
+          fetch-depth: 0
       - name: Extract rock information
         run: |
           IMAGE_NAME=$(yq '.name' "${{ matrix.path }}/rockcraft.yaml")
@@ -224,3 +226,23 @@ jobs:
         env:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check trivyignore
+        run: |
+          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.46.0
+          if [ -f ".trivyignore" ]
+          then
+            output=$(trivy image $ROCK_IMAGE --severity HIGH,CRITICAL -q -f json --ignorefile "" | jq -r '.Results[].Vulnerabilities[].VulnerabilityID' 2>/dev/null || echo "No vulnerabilities found")
+            line=0
+            while read CVE;
+            do
+              line=$(( line + 1 ))
+              if [[ "$output" != *"$CVE"* ]] && [[ ! "$CVE" =~ ^#.* ]]
+              then
+              echo "::notice file=.trivyignore,line=${line}::$CVE not present anymore, can be safely removed."
+              fi
+            done < .trivyignore
+          fi
+        env:
+          TRIVY_USERNAME: ${{ github.actor }}
+          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+          ROCK_IMAGE: ${{ env.IMAGE_REF }}