New xray_ignore_rule resources or changes to existing ones should take effect immediately #165

Open
@rorynickolls-skyral

Description

Is your feature request related to a problem? Please describe.

When creating or updating xray_ignore_rule Terraform resources, they do not appear to take effect immediately. Policy violations do not start showing as 'Ignored' in the Xray scans list until a scan is triggered manually through the UI.

Describe the solution you'd like

Having a manual step after creating rules defeats the purpose of managing them through Terraform - it would be ideal if changes to the Terraform-managed ignore rule took effect immediately without any intervention.

Describe alternatives you've considered

Alternatives are:

  • Continue manually triggering rescans.
  • Automatically trigger a rescan outside of the Terraform provider e.g. in our own CI pipeline.

Neither of which are great solutions!

Additional context

When creating a rule through the Artifactory UI, it appears to take effect immediately without triggering a scan. It is unclear how it does this, and whether there's an API request that can be made from the provider to make it happen.

Activity

alexhung commented on Mar 7, 2024

@rorynickolls-skyral Thanks for the suggestion. I've added this to our road map.

yahesh commented on Jul 22, 2024

@alexhung We ran into the same issue just recently. Is there any news on when this will be fixed?

alexhung commented on Jul 22, 2024

@yahesh Unfortunately, no update so far. The REST APIs to initiate a scan are designed for a specific artifact, build, etc., and do not necessarily match the criteria in ignore rules. I haven't been able to come up with a good way to reconcile these differences yet.

Two alternatives:

  • Use the private web UI API, which may or may not be possible.
  • Make a feature request to the Xray team to expose a new public API for this purpose.

Label "on hold" (Not decided whether we're doing it or not) added on Sep 17, 2024
sgsollie commented on Sep 25, 2024

Hey, just adding my personal experiences here.
I've run into this issue but also experienced some other, & from a user perspective slightly bizarre, behaviour which I think is related.
We have a policy to block downloads of all artefacts with critical vulnerabilities.

  1. Add ignore rule with terraform
  2. Find that the artifact with a critical vuln is still blocked & (policy violation) - with no ignore rule associated with it.
  3. Add a new ignore rule for that vulnerability in the UI (click on the violation > "Ignore Violation")
  4. Immediately delete that ignore rule in the UI
  5. Find that the policy violation still says "Ignored" BUT the associated ignore rule is now the terraform created rule!

I've been able to reproduce this pretty consistently.

Assignment removed on Mar 5, 2025
Metadata

Labels: enhancement (New feature or request), on hold (Not decided whether we're doing it or not)

Participants: @alexhung, @yahesh, @chukka, @sgsollie, @rorynickolls-skyral

jfrog/terraform-provider-xray · Issue #165