anchore-twistlock-results (Twistlock) - Stage Failure
Below are common reasons for Twistlock failures, along with their solutions.
False Positives
Problem
The Twistlock finding is a false positive.
Solution
Open a Mission DevOps help desk ticket to whitelist the finding: Pipeline Exception Request . Be sure to provide evidence that it is a false positive.
Unresolvable Findings
Problem
The finding is a true positive, but there is no current fix or the product team needs time to address the finding.
Solution
- Make a best-effort attempt to fix it. For example, update dependencies that have vulnerabilities to newer versions.
- If the vulnerability is absolutely not resolvable, request a temporary exception by opening a ticket in Mission DevOps's help desk: Pipeline Exception Request . Be sure to provide evidence of solutions attempted. Dependencies can be forced to specific versions or replaced with alternatives.
NOTE: Temporary exceptions are usually granted for 90 days. The pipeline will be blocked after the exception period.
Twistlock Base Image Issues
Problem
There are one or more Twistlock findings that do not arise from an application's source code. For instance, the CVE link looks like the following:
'link': 'https://access.redhat.com/security/cve/CVE-XXXX-XXXXX'
This means the vulnerabilities are likely OS-based, coming from the base image.
Solution
All findings from Iron Bank base images can and should be excluded. Request an exception Open a Mission DevOps ticket .
NOTES:
- In some instances, the base image exclusions are not being applied because the twistlock server is in the process of retrieving the latest scans for all images. If you have opened a ticket, please continue to re-run your twistlock scan job while waiting for an MDO engineer to pick up your issue. Additionally, Please check the Iron Bank for the latest image before opening a ticket for base image exclusions.
- Twistlock caps ironbank images at 2 tags per image. If your image is out of date by more than 2 tags, then the base image exclusions will no longer apply.
- Since CVEs are added / updated continuously, it is possible a base image will have new CVEs that VAT is not yet filtering out. VAT is updated nightly, so in this circumstance re-running the anchore-twistlock-results (Twistlock) may resolve the findings
Private Key File(s) Found
Problem
Twistlock has detected one or more private keys.
{'compliance': [{'cause': 'Found: '
'/app/node_modules/public-encrypt/test/test_key.pem, '
'/app/node_modules/public-encrypt/test/test_rsa_privkey.pem, '
'/app/node_modules/public-encrypt/test/test_rsa_privkey_encrypted.pem',Solution
Though this finding is a false positive, Mission DevOps cannot grant an exception due to a Twistlock limitation. The only way to resolve it is to manually remove the files from the image via the Dockerfile using RUN rm -f <path to keys>.
Example (using above finding):
RUN rm -f /app/node_modules/public-encrypt/test/test_key.pem \
/app/node_modules/public-encrypt/test/test_rsa_privkey.pem \
/app/node_modules/public-encrypt/test/test_rsa_privkey_encrypted.pemYou can also check in a .dockerignore file in the root of your project with the following:
**/*.key
**/*.pem400: No Registry Settings Specification Apply
Problem
The application has not been added in Twistlock.
__main__.InvalidTwistlockQuery: ('Request error, status code:', 400, '{"err":"no registry settings specification apply"}')
Solution
The container registry has not been added to Twistlock. Open a Pipeline Issues Mission DevOps ticket .