From 74c246ddf941281a436f457571079392d6933eb8 Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Mon, 11 Jul 2022 09:35:01 +0200
Subject: [PATCH 1/2] ci: don't run trivy per PR

This is breaking contributions when there is something new in trivy's databases. That's unfortunate, and will be turned off by this commit. We're still running the checks nightly, and that's good enough for raising the maintainers' attention.

Signed-off-by: Stephan Renatus
---
.github/workflows/vuln-scans.yaml | 43 -------------------------------
1 file changed, 43 deletions(-)
delete mode 100644 .github/workflows/vuln-scans.yaml

diff --git a/.github/workflows/vuln-scans.yaml b/.github/workflows/vuln-scans.yaml
deleted file mode 100644
index c8498da8a0..0000000000
--- a/.github/workflows/vuln-scans.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: Vulnerability scans
-on:
- workflow_dispatch: {} # Allow for manual triggers
- pull_request:
-
-jobs:
- trivy-scan:
- name: Trivy security scan
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
-
- # Equivalent to:
- # $ trivy fs .
- - name: Run Trivy scan on repo
- uses: aquasecurity/trivy-action@0.5.1
- with:
- scan-type: fs
- format: table
- exit-code: '1'
- ignore-unfixed: true
- severity: CRITICAL,HIGH
-
- - name: Build image
- run: |
- make image
-
- - name: Get tag
- id: tag
- run: echo "::set-output name=TAG::$(./build/get-build-version.sh)"
-
- # Equivalent to:
- # $ trivy image $IMAGE
- - name: Run Trivy scan on image
- uses: aquasecurity/trivy-action@0.5.1
- with:
- image-ref: 'openpolicyagent/opa:${{ steps.tag.outputs.TAG }}'
- format: table
- exit-code: '1'
- ignore-unfixed: true
- vuln-type: os,library
- severity: CRITICAL,HIGH

From c86e80568a8d64a540a0d673b6a2a6c3458f775e Mon Sep 17 00:00:00 2001
From: Stephan Renatus
Date: Mon, 11 Jul 2022 09:37:01 +0200
Subject: [PATCH 2/2] .trivyignore: add CVE-2022-1996

Signed-off-by: Stephan Renatus
---
.trivyignore | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.trivyignore b/.trivyignore
index c2003561ba..553a6df0c4 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -11,3 +11,6 @@ CVE-2018-1098
 CVE-2019-11253
 CVE-2020-8558
 CVE-2021-25741
+
+# * github.com/emicklei/go-restful - we don't use its code in our handlers
+CVE-2022-1996
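Review bot: The new entry for CVE-2022-1996 records a risk acceptance without the condition under which it should be removed, so the suppression will outlive the reason it was added for; the comment above the id should state what the exclusion depends on and when to drop it, e.g. `# * github.com/emicklei/go-restful - CVE-2022-1996: we don't use its code in our handlers; remove once go-restful is bumped to a fixed release`. Because .trivyignore suppresses the id for every scan target, not only the repo filesystem, it is worth noting in that comment whether the "not used in our handlers" argument was also checked against the dependency set shipped in the image, if the nightly job scans the image as the removed workflow did. With the per-PR workflow deleted in the first patch, the nightly run is now the only consumer of this file, so an entry that is never revisited is unlikely to be noticed again.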