From 790c557625d97aa97141ba62d6720e3dcaa034de Mon Sep 17 00:00:00 2001 From: Robert Auer Date: Thu, 19 Dec 2024 09:43:05 +0100 Subject: [PATCH] Select specific severity levels in formatted report; #136 --- README.md | 15 ++++++++++++--- src/com/cloudogu/ces/cesbuildlib/Trivy.groovy | 12 ++++++++++-- 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 92dbb9f..e00962f 100644 --- a/README.md +++ b/README.md @@ -1317,7 +1317,7 @@ Trivy trivy = new Trivy(this) trivy.scanImage("ubuntu:20.04", TrivySeverityLevel.ALL, TrivyScanStrategy.UNSTABLE, "", "trivy/ubuntu20.json") trivy.scanImage("ubuntu:24.04", TrivySeverityLevel.ALL, TrivyScanStrategy.UNSTABLE, "", "trivy/ubuntu24.json") // Save report by using the same file name (last parameter) -trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML, "ubuntu20.04report", "trivy/ubuntu20.json") +trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML, "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "ubuntu20.04report", "trivy/ubuntu20.json") ``` ## Save Trivy report in another file format 
@@ -1332,13 +1332,22 @@ trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON) trivy.saveFormattedTrivyReport(TrivyScanFormat.HTML) ``` +You may filter the output to show only specific severity levels (default: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"): + +```groovy +Trivy trivy = new Trivy(this) +trivy.scanImage("ubuntu:24.04") +trivy.saveFormattedTrivyReport(TrivyScanFormat.TABLE, "CRITICAL") +trivy.saveFormattedTrivyReport(TrivyScanFormat.JSON, "UNKNOWN,LOW,MEDIUM") +``` + You may also use any other supported [Trivy format](https://trivy.dev/v0.57/docs/references/configuration/cli/trivy_convert/) or a custom template from a file in your workspace. ```groovy Trivy trivy = new Trivy(this) trivy.scanImage("ubuntu:24.04") -trivy.saveFormattedTrivyReport("cosign-vuln", "ubuntu24.04cosign.txt") -trivy.saveFormattedTrivyReport("template --template @myTemplateFile.xyz", "ubuntu24.04myTemplate.txt") +trivy.saveFormattedTrivyReport("cosign-vuln", "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "ubuntu24.04cosign.txt") +trivy.saveFormattedTrivyReport("template --template @myTemplateFile.xyz", "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "ubuntu24.04myTemplate.txt") ``` ## Scan Dogu image with Trivy diff --git a/src/com/cloudogu/ces/cesbuildlib/Trivy.groovy b/src/com/cloudogu/ces/cesbuildlib/Trivy.groovy index efe7ca9..c219a98 100644 --- a/src/com/cloudogu/ces/cesbuildlib/Trivy.groovy +++ b/src/com/cloudogu/ces/cesbuildlib/Trivy.groovy 
@@ -101,11 +101,13 @@ class Trivy implements Serializable {
 * Save the Trivy scan results as a file with a specific format
 *
 * @param format The format of the output file (@see TrivyScanFormat)
+ * @param severity Severities of security issues to be added (taken from UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)
 * @param formattedTrivyReportFilename The file name your report files should get, without file extension. E.g. "ubuntu24report"
 * @param trivyReportFile The "trivyReportFile" parameter you used in the "scanImage" function, if it was set
 */
- void saveFormattedTrivyReport(String format = TrivyScanFormat.HTML, String formattedTrivyReportFilename = "formattedTrivyReport.txt", String trivyReportFile = "trivy/trivyReport.json") {
+ void saveFormattedTrivyReport(String format = TrivyScanFormat.HTML, String severity = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", String formattedTrivyReportFilename = "formattedTrivyReport.txt", String trivyReportFile = "trivy/trivyReport.json") {
 String formatString
+ String defaultSeverityLevels = "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 String defaultFilename = "formattedTrivyReport.txt"
 switch (format) {
 case TrivyScanFormat.HTML:
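Review bot: Inserting `severity` as the second positional parameter silently re-binds the arguments of every existing positional call such as `saveFormattedTrivyReport(TrivyScanFormat.HTML, "ubuntu20.04report", "trivy/ubuntu20.json")`: the old file name now arrives as `severity` and the old report path as `formattedTrivyReportFilename`, so callers that have not been updated abort at the new severity check with a message about severity levels instead of an obvious signature mismatch. Appending the new parameter after `trivyReportFile`, or keeping a three-argument overload that forwards the old signature, would leave those callers working. The literal "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" now appears three times in this method (parameter default, `defaultSeverityLevels`, and the error message in the later hunk); one `static final` constant next to the allowed-level list would keep them in step. The `@param severity` line should also state the accepted shape and the failure mode, e.g. `* @param severity Comma-separated subset of UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL; any other value aborts the build via script.error`. The rest of saveFormattedTrivyReport's body, including the format switch, continues outside this hunk.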
@@ -142,9 +144,15 @@ class Trivy implements Serializable {
 return
 }
 }
+ // Validate severity input parameter to prevent injection of additional parameters
+ if (severity != defaultSeverityLevels) {
+ if (!severity.split(',').every { it.trim() in ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"] }) {
+ script.error("The severity levels provided ($severity) do not match the applicable levels (UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL).")
+ }
+ }
 docker.image("${trivyImage}:${trivyVersion}")
 .inside("-v ${script.env.WORKSPACE}/.trivy/.cache:/root/.cache/") {
- script.sh(script: "trivy convert --format ${formatString} --output ${trivyDirectory}/${formattedTrivyReportFilename} ${trivyReportFile}")
+ script.sh(script: "trivy convert --format ${formatString} --severity ${severity} --output ${trivyDirectory}/${formattedTrivyReportFilename} ${trivyReportFile}")
 }
 script.archiveArtifacts artifacts: "${trivyDirectory}/${formattedTrivyReportFilename}.*", allowEmptyArchive: true
 }
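Review bot: The check on the new `if (!severity.split(',').every { it.trim() in [...] })` line trims each token before comparing it, but the untrimmed `severity` is what is interpolated into the `script.sh` command below, so a value such as `"CRITICAL, HIGH"` passes validation and reaches the shell as two words (`--severity CRITICAL,` plus a stray `HIGH` positional argument), which is exactly the extra-parameter case the comment says it prevents. Validating and then passing only the normalized, joined tokens closes that gap, and guarding for a null or empty `severity` avoids the NullPointerException that `.split` would otherwise raise. The outer `if (severity != defaultSeverityLevels)` guard is redundant, since the default value passes the inner check anyway. saveFormattedTrivyReport starts before this hunk; `formattedTrivyReportFilename` and `trivyReportFile` are interpolated the same way but that is pre-existing and not part of this change.
```groovy
// … unchanged: format switch and early returns …
// Validate severity input parameter to prevent injection of additional parameters
List<String> allowedSeverityLevels = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
List<String> requestedSeverityLevels = severity ? severity.split(',').collect { it.trim() } : []
if (requestedSeverityLevels.isEmpty() || !requestedSeverityLevels.every { it in allowedSeverityLevels }) {
    script.error("The severity levels provided ($severity) do not match the applicable levels (${allowedSeverityLevels.join(',')}).")
}
// Only the normalized, validated value reaches the shell, never the raw parameter
String severityArg = requestedSeverityLevels.join(',')
// … unchanged: docker.image(...).inside(...) { …
script.sh(script: "trivy convert --format ${formatString} --severity ${severityArg} --output ${trivyDirectory}/${formattedTrivyReportFilename} ${trivyReportFile}")
// … unchanged: closing brace and archiveArtifacts …
```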