0.69.0 breaks ignore rules and Aquatic website links

[acdha]

Description

Prior to 0.69.0, the check IDs were things like avd-aws-0053. Those are used in ignore rules and also in the links emitted by the scanner for each finding.

With 0.69.0, presumably due to the switch to the new checks bundle, all of the IDs changed to e.g. aws-0053. This causes all existing ignore rules to be ignored because the IDs don't match and also appears to have broken all of the links to avd.aquasec.com because the pages are still published under the old IDs. For example, Trivy 0.69.0 will link to https://avd.aquasec.com/misconfig/aws-0053, which returns a 404, rather than https://avd.aquasec.com/misconfig/avd-aws-0053

Desired Behavior

Ideally the old IDs would either continue working or Trivy would have an easy command-line option to migrate the ignores.

The report links should either be updated to use the old IDs or the pages republished/redirected on the avd.aquasec.com server.

Actual Behavior

Only the new IDs are used.

Reproduction Steps

I used the official containers to simplify reproduction:

podman run --rm -v (pwd):/code aquasec/trivy:0.69.0 config --misconfig-scanners terraform --severity HIGH,CRITICAL --tf-vars /code/development.tfvars /code

The Terraform code in question:

# trivy:ignore:aws-0053
resource "aws_alb" "public" {
  internal                   = false
  name                       = local.deployment_id
  security_groups            = [aws_security_group.lb.id]
  subnets                    = module.vpc.public_subnets
  drop_invalid_header_fields = true # Prevent request smuggling attacks
  enable_deletion_protection = true
}

Other resources covered by rules in a .trivyignore.yaml file were also affected.

Target

Filesystem

Scanner

Misconfiguration

Output Format

None

Mode

None

Debug Output

n/a

Operating System

macOS & Linux (Aquatic containers)

Version

0.69.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[nikpivkin]

Hi @acdha !

Thanks for the report

Track #10110

[simar7]

Release a new trivy-checks bundle which will mitigate this https://github.com/aquasecurity/trivy-checks/releases/tag/v2.1.1

[nikpivkin]

@acdha Do you mean the ignore rules in .trivyignore?

[talbx]

@nikpivkin the ignore rules in .trivyignore are broken as of now due to the missing AVD- prefix. Since it was fixed in trivy-checks bundle, when will there be a fix release for trivy?

[nikpivkin]

@talbx We will release a patch with a fix after merging one PR.

[nikpivkin]

Hi all, we’ve cut v0.69.1 with the fix

[acdha]

0.69.1 didn't change the need to rename the identifiers but that was a quick commit (perl -p -i -e 's|avd-aws-|AWS-|gi' **.tf .trivyignore*)