fix(images): address all CVEs in images

commit: 7a848bc8c97f247ada908cfa629518d3e449ddd6 [log] [tgz]
author: Mohammed Naser <mnaser@vexxhost.com> Mon Jan 22 21:58:11 2024 -0500
committer: Mohammed Naser <mnaser@vexxhost.com> Mon Jan 22 21:58:11 2024 -0500
tree: 619a4c534cb3fd17a2ba511e67aa23f2139a75a7
parent: 5beb5ef6acd8d018135943b8def8fdffceae91e9 [diff]
diff --git a/images/trivy/.trivyignore b/images/trivy/.trivyignore
new file mode 100644
index 0000000..5057f16
--- /dev/null
+++ b/images/trivy/.trivyignore

@@ -0,0 +1,17 @@
+# NOTE(mnaser): OpenStack used to be versioned based on years and Trivy gets
+#               confused since something like 2014.1.3 > 23.0.1.dev6 therefore
+#               we ignore those old CVEs.
+CVE-2012-3542
+CVE-2012-4413
+CVE-2013-2256
+CVE-2013-4179
+CVE-2014-3517
+CVE-2014-3608
+CVE-2014-3641
+CVE-2014-3708
+CVE-2015-0259
+CVE-2015-3221
+CVE-2015-3280
+CVE-2015-5251
+CVE-2015-5286
+CVE-2015-7713

diff --git a/images/trivy/Earthfile b/images/trivy/Earthfile
new file mode 100644
index 0000000..8f68625
--- /dev/null
+++ b/images/trivy/Earthfile

@@ -0,0 +1,8 @@
+VERSION 0.7
+
+image:
+  FROM aquasec/trivy:0.48.3
+  COPY .trivyignore /.trivyignore
+  # TODO(mnaser): Add automatic updates
+  RUN trivy image --download-db-only
+  RUN trivy image --download-java-db-only
commit	7a848bc8c97f247ada908cfa629518d3e449ddd6	[log] [tgz]
author	Mohammed Naser <mnaser@vexxhost.com>	Mon Jan 22 21:58:11 2024 -0500
committer	Mohammed Naser <mnaser@vexxhost.com>	Mon Jan 22 21:58:11 2024 -0500
tree	619a4c534cb3fd17a2ba511e67aa23f2139a75a7
parent	5beb5ef6acd8d018135943b8def8fdffceae91e9 [diff]