Non existing --ignorefile breaks pipelines

[EdKingscote]

Description

We use --ignorefile ./.trivyignore.yaml in our common pipeline definition file in Gitlab as this is the only way of selecting the YAML format (we like the statements), however since the commit for #7624 landed in 0.57, things break horribly when this file is missing.

Print a warning (including if the file is empty!) by all means, but this significant breaking change stops all of our CI where the ignore file isn't necessary (yet).

This is happening for both fs and image scans at least.

Desired Behavior

Print a warning, don't just break every pipeline out there!

Actual Behavior

2024-11-01T21:17:09Z FATAL Fatal error filter error: filtering error: ./.trivyignore.yaml error: ./.trivyignore.yaml parse error: yaml decode error: EOF

Reproduction Steps

1.
2.
3.
...

Target

None

Scanner

Vulnerability

Output Format

None

Mode

Standalone

Debug Output

-

Operating System

aquasecurity Docker Container

Version

$ trivy --version
Version: 0.57.0

Checklist

• Run trivy clean --all
• Read the troubleshooting

[simar7]

Are you able to fill out the reproduction steps section above? I'm not seeing this on my end

trivy config --ignorefile ./invalid.file  /tmp 
2024-11-01T16:13:52-06:00       FATAL   Fatal error     flag error: report flag error: ignore file not found: ./invalid.file

Which is correct behavior.

[simar7]

If I have an existing file which is empty (or any invalid yaml), the behavior is the following, which is what you have.

$ touch invalid-file.yaml
$ ./trivy config --ignorefile ./invalid-file.yaml  /tmp
2024-11-01T16:15:15-06:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-01T16:15:15-06:00       INFO    Detected config files   num=0
2024-11-01T16:15:15-06:00       FATAL   Fatal error     filter error: filtering error: ./invalid-file.yaml error: ./invalid-file.yaml parse error: yaml decode error: EOF

This is also expected.

[EdKingscote]

Apologies, I copied/pasted the wrong error message....but a code repository or image isn't guaranteed to need any exceptions defined at all - there are things we build day in, day out that are squeaky clean....and now I have to write shell scripting in my pipeline to detect the presence of the file and/or the file being empty and then adjust the way I run trivy via the CLI all of a sudden...

This should have been listed as a BREAKING change...especially being quietly released on a Friday....and not respecting --exit-code 0 either....

As I stated - spit out a warning by all means, but don't tank a pipeline because folks are doing the right things with their security posture and don't actually need to define exceptions.

[knqyf263]

We thought the original behavior was incorrect and a sort of bug. We did not anticipate that some users would rely on this wrong behavior and did not list it as a breaking change, but as you pointed out, it could affect the pipeline. Therefore, we have updated the release notes. Thanks for the feedback.

[itaysk]

N.B I think an empty file is valid YAML

[EdKingscote]

This is still highly problematic, empty YAML files throw an error, and the docs for 0.57 state:

Since this feature is experimental, you must explicitly specify the YAML file path using the --ignorefile flag. Once this functionality is stable, the YAML file will be loaded automatically.

Maybe making trivy automatically search for YAML files so this flag is obviated is the real answer??....I shouldn't need to write lots of extra logic in all of my pipelines to handle this surely?

[simar7]

OK Fair enough - track #7934