fix(scheduler): ignore OTel security issue in scheduler (#2364)

Signed-off-by: odubajDT <ondrej.dubaj@dynatrace.com>
keptn · Oct 30, 2023 · a10594f · a10594f
1 parent 76ed884
commit a10594f
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/.github/workflows/security-scans.yml b/.github/workflows/security-scans.yml
@@ -200,6 +200,12 @@ jobs:
           - "scheduler"
           - "certificate-operator"
     steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          submodules: 'true'
+
       - name: Download images
         id: download_images
         uses: actions/download-artifact@v3
@@ -213,6 +219,7 @@ jobs:
           input: "images/${{ matrix.image }}-image.tar/${{ matrix.image }}-image.tar"
           severity: 'CRITICAL,HIGH'
           exit-code: '1'
+          trivyignores: .trivyignore
 
   govulncheck:
     name: Govulncheck

diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,7 @@
+# DoS vulnerability in otelhttp in scheduler
+# The scheduler uses an old version of k8s,
+# what forces us to use an older version of OTel
+# which has the vulnerability.
+# As the scheduler will be removed soon, there is no need
+# to invest time to fix it.
+CVE-2023-45142