[#227] Migrate from tfsec to Trivy #262

Merged: 15 commits into develop from feature/gh-227-migrate-from-tfsec-to-trivy on Mar 7, 2024

Conversation

@nvminhtue (Contributor) commented Nov 22, 2023

What happened 👀

Integrate Trivy, which will replace the current tfsec.

Insight 📝

  • Integrate the trivy config and replace all of tfsec's ignore comments.
  • Add a project-generation step and run the Trivy scanner on the generated project.
  • Remove Ros from reviewers.

Proof Of Work 📹

Generated the complete set of AWS services locally; no HIGH or CRITICAL issues were detected.
[image]

An example of a failing check without the trivy ignores:
[image]

CI will fail if the Trivy scan finds any HIGH or CRITICAL severity findings.
[image]

@nvminhtue nvminhtue self-assigned this Nov 22, 2023
@nvminhtue nvminhtue marked this pull request as ready for review November 27, 2023 02:47
@hoangmirs hoangmirs added this to the 2.3.0 milestone Nov 30, 2023
@hoangmirs (Collaborator) left a comment:

Could you add some guidelines for running trivy locally?

(two review comments on trivy.yaml, outdated and resolved)
@nvminhtue nvminhtue force-pushed the feature/gh-227-migrate-from-tfsec-to-trivy branch from a50bbc2 to 60e3b42 Compare December 5, 2023 11:13
@Nihisil (Contributor) commented Dec 30, 2023

@nvminhtue it looks like something is not working properly.

  1. I generated a new project from your branch.
  2. Deleted a few trivy:ignore lines here and there.

When I run trivy locally I receive an exit error without any details:

$ trivy config .
2023-12-30T11:40:37.723+0700	INFO	Loaded trivy.yaml
2023-12-30T11:40:37.736+0700	INFO	Misconfiguration scanning is enabled
2023-12-30T11:40:38.522+0700	INFO	Detected config files: 13
exit 1

When trivy runs on CI there are no errors at all; the CI run is green:

Running Trivy with trivy.yaml config from:  trivy.yaml
2023-12-30T04:37:57.267Z	INFO	Loaded trivy.yaml
2023-12-30T04:37:57.276Z	INFO	"--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2023-12-30T04:37:57.276Z	WARN	"--dependency-tree" can be used only with "--format table".
2023-12-30T04:37:57.283Z	INFO	Need to update DB
2023-12-30T04:37:57.283Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2023-12-30T04:37:57.283Z	INFO	Downloading DB...
42.08 MiB / 42.08 MiB [-------------------------------------------------] 100.00% 24.40 MiB p/s 1.9s
2023-12-30T04:37:59.724Z	INFO	Vulnerability scanning is enabled
2023-12-30T04:37:59.724Z	INFO	Secret scanning is enabled
2023-12-30T04:37:59.724Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-12-30T04:37:59.724Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2023-12-30T04:37:59.740Z	INFO	Number of language-specific files: 0

I expected to see errors locally and in CI for the blocks where I removed the ignore statements. Could you please help me figure out what's wrong with my tests?

@nvminhtue (Contributor Author) commented


@Nihisil,
It actually writes the errors into the trivy-output.json file.
But it's a good catch: the CI never notices if there is any misconfiguration. I updated the trivy config file in d5a52da and f6e6628.

@Nihisil (Contributor) commented Jan 3, 2024

@nvminhtue thank you. After your fix I receive the error locally, but CI is still green.

Also, I deleted all trivy ignore lines and it shows me only one error. Do we need to keep the ignore lines in that case, or is it a misconfiguration and it should show more errors?

Another issue is that it doesn't show where the error is; based on the error message it is impossible to find out where the fix is required. Is it possible to adjust it to show the file and line number?

local output:

2024-01-03T10:56:32.454+0700	INFO	Loaded trivy.yaml
2024-01-03T10:56:32.462+0700	INFO	Misconfiguration scanning is enabled
2024-01-03T10:56:35.821+0700	INFO	Detected config files: 26

 (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

MEDIUM: Cluster does not have Deletion Protection enabled
═══════════════════════════════════════════════════════════════════════════════════════════════════════════
Ensure deletion protection is enabled for RDS clusters.

See https://avd.aquasec.com/misconfig/n/a
───────────────────────────────────────────────────────────────────────────────────────────────────────────


exit 1

CI output:

Running Trivy with trivy.yaml config from:  trivy.yaml
2024-01-03T03:57:34.451Z	INFO	Loaded trivy.yaml
2024-01-03T03:57:34.460Z	WARN	"--list-all-pkgs" cannot be used with "--format table". Try "--format json" or other formats.
2024-01-03T03:57:34.460Z	INFO	"--dependency-tree" only shows the dependents of vulnerable packages. Note that it is the reverse of the usual dependency tree, which shows the packages that depend on the vulnerable package. It supports limited package managers. Please see the document for the detail.
2024-01-03T03:57:34.465Z	INFO	Need to update DB
2024-01-03T03:57:34.465Z	INFO	DB Repository: ghcr.io/aquasecurity/trivy-db
2024-01-03T03:57:34.465Z	INFO	Downloading DB...
42.08 MiB / 42.08 MiB [-------------------------------------------------] 100.00% 25.48 MiB p/s 1.9s
2024-01-03T03:57:36.788Z	INFO	Vulnerability scanning is enabled
2024-01-03T03:57:36.788Z	INFO	Secret scanning is enabled
2024-01-03T03:57:36.788Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-01-03T03:57:36.788Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.45/docs/scanner/secret/#recommendation for faster secret detection
2024-01-03T03:57:36.800Z	INFO	Number of language-specific files: 0
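The two questions in the comment above (why CI stays green while the local run exits 1, and how to get a file and line number out of a finding) come down to what is done with the report Trivy writes. The script below is an added example, not code from this PR or from the Trivy project: it reads the JSON that `trivy config --format json --output trivy-output.json .` produces, keeps only failed misconfigurations, prints each one as `path:start-end`, and returns exit code 1 only when a HIGH or CRITICAL finding is present, which is the same gate the PR description promises for CI. The report embedded in the script is constructed for the example (the `EXAMPLE-*` IDs are placeholders, not real Trivy check IDs); the field names it reads (`Results[].Target`, `Misconfigurations[].Severity/ID/Title/Status`, `CauseMetadata.StartLine/EndLine/Resource`) are the ones Trivy's JSON output uses.

```python
"""Severity gate and file:line report over a Trivy JSON misconfiguration scan.

Added example (not the PR's or Trivy's own code). Assumes the report was
produced by `trivy config --format json --output trivy-output.json .`.
"""
import json
import sys

FAIL_SEVERITIES = ("HIGH", "CRITICAL")  # mirrors `severity: HIGH,CRITICAL` in trivy.yaml

# Constructed sample in the shape of trivy-output.json. Not a captured report;
# the check IDs are placeholders. It includes one PASS entry to show that
# passed checks (emitted with --include-non-failures) must be filtered out.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "Results": [
        {
            "Target": "modules/rds/main.tf",
            "Class": "config",
            "Type": "terraform",
            "Misconfigurations": [
                {"ID": "EXAMPLE-RDS-0001",
                 "Title": "Cluster does not have Deletion Protection enabled",
                 "Severity": "MEDIUM", "Status": "FAIL",
                 "CauseMetadata": {"Resource": "aws_rds_cluster.main",
                                   "StartLine": 12, "EndLine": 30}},
                {"ID": "EXAMPLE-RDS-0002",
                 "Title": "Cluster storage is encrypted",
                 "Severity": "HIGH", "Status": "PASS",
                 "CauseMetadata": {"Resource": "aws_rds_cluster.main",
                                   "StartLine": 12, "EndLine": 30}},
            ],
        },
        {
            "Target": "modules/s3/main.tf",
            "Class": "config",
            "Type": "terraform",
            "Misconfigurations": [
                {"ID": "EXAMPLE-S3-0001",
                 "Title": "S3 Bucket has a public ACL",
                 "Severity": "HIGH", "Status": "FAIL",
                 "CauseMetadata": {"Resource": "aws_s3_bucket.assets",
                                   "StartLine": 3, "EndLine": 9}},
            ],
        },
    ],
})


def load_findings(report_json):
    """Flatten a Trivy JSON report into a list of failed misconfigurations."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results", []):
        target = result.get("Target", "<unknown>")
        for misconf in result.get("Misconfigurations", []):
            if misconf.get("Status", "FAIL") != "FAIL":
                continue  # skip PASS entries; only failures can gate the build
            cause = misconf.get("CauseMetadata", {})
            findings.append({
                "target": target,
                "id": misconf.get("ID", ""),
                "severity": misconf.get("Severity", "UNKNOWN").upper(),
                "title": misconf.get("Title", ""),
                "resource": cause.get("Resource", ""),
                "start": cause.get("StartLine"),
                "end": cause.get("EndLine"),
            })
    return findings


def format_finding(f):
    """Render one finding as path:start-end so the fix location is obvious."""
    if f["start"] is None:
        where = f["target"]  # Trivy could not attribute the finding to lines
    elif f["end"] in (None, f["start"]):
        where = f"{f['target']}:{f['start']}"
    else:
        where = f"{f['target']}:{f['start']}-{f['end']}"
    resource = f" ({f['resource']})" if f["resource"] else ""
    return f"{where} {f['severity']} {f['id']} {f['title']}{resource}"


def gate(findings, fail_on=FAIL_SEVERITIES):
    """Return 1 when any finding is at a failing severity, otherwise 0."""
    return 1 if any(f["severity"] in fail_on for f in findings) else 0


def main(report_json=SAMPLE_REPORT):
    """Print every failed check with its location and return the gate exit code."""
    findings = load_findings(report_json)
    for f in sorted(findings, key=lambda x: (x["target"], x["start"] or 0)):
        print(format_finding(f))
    code = gate(findings)
    print(f"{len(findings)} failed check(s); gate exit code {code}")
    return code


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_REPORT
    sys.exit(main(data))
```

Run it as `python trivy_gate.py trivy-output.json` after the scan step; because the exit code comes from the parsed findings rather than from whatever the action step returned, a CI job that only writes the JSON file can no longer stay green while a HIGH or CRITICAL finding sits in the report. The MEDIUM deletion-protection finding from the thread is still printed with its location but does not fail the gate, which is the intended behaviour of a HIGH/CRITICAL threshold.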

@nvminhtue (Contributor Author) commented Jan 3, 2024


Not sure how you tried it locally; everything works fine on my end.
[image]

To make sure we are on the same page, have you generated a local template and then removed the trivy:ignore lines?

The CI won't run since I couldn't find a way to unbundle the template by script, hence there are no tf files to run through. I believe we can do that in a separate story.

@Nihisil (Contributor) commented Jan 3, 2024

To make sure we are on the same page, have you generated a local template and then removed the trivy:ignore lines?

Yep, this is what I did.

Can you please check it on this branch: https://github.com/Nihisil/test-infra/tree/test-trivy

It shows an error that I provided above, and I'm not sure where the issue is.

@Nihisil (Contributor) commented Jan 3, 2024

The CI won't run since I couldn't find a way to unbundle the template by script, hence there are no tf files to run through. I believe we can do that in a separate story.

We need to ensure it runs on CI, or we should remove it from the linting step of the GH workflow job and create a ticket to add it later. Otherwise there might be confusion, where developers might think that Trivy validation is already working in CI.

@nvminhtue (Contributor Author) commented

The CI won't run since I couldn't find a way to unbundle the template by script, hence there are no tf files to run through. I believe we can do that in a separate story.

We need to ensure it runs on CI, or we should remove it from the linting step of the GH workflow job and create a ticket to add it later. Otherwise there might be confusion, where developers might think that Trivy validation is already working in CI.

I created the story here; I will work on that first and then apply the change to this one, which will ensure that trivy is successfully integrated.

@Nihisil (Contributor) commented Jan 4, 2024

I'm sorry that I wasn't clear earlier. Trivy isn't working with the generated project for me, neither locally nor on CI. This is the most important part.

As for the ticket that you created, we have it already: #181

@nvminhtue (Contributor Author) commented Jan 4, 2024

I'm sorry that I wasn't clear earlier. Trivy isn't working with the generated project for me, neither locally nor on CI. This is the most important part.

As for the ticket that you created, we have it already: #181

Thanks for pointing me to that story 👍
About your concern: I pulled your repo and it works on my end; it seems there are some missing packages that I might not have added to the CI.
[image]
Checking on that shortly.

@Nihisil (Contributor) commented Jan 4, 2024

Maybe for the local trivy installation we need to do some setup? I just did asdf install and after that tried to use it via trivy config .

@nvminhtue (Contributor Author) commented

Maybe for the local trivy installation we need to do some setup? I just did asdf install and after that tried to use it via trivy config .

Yes, that's pretty much enough; it should work after that 🤔

@nvminhtue nvminhtue marked this pull request as ready for review January 15, 2024 11:07
@nvminhtue nvminhtue requested a review from a team as a code owner January 15, 2024 11:07
@nvminhtue nvminhtue requested a review from Nihisil January 25, 2024 15:08
@Nihisil Nihisil modified the milestones: 2.3.0, 2.4.0 Feb 2, 2024
@Nihisil (Contributor) commented Feb 5, 2024

@nvminhtue please rebase this PR with develop branch to solve merge conflicts 🙏

@nvminhtue nvminhtue force-pushed the feature/gh-227-migrate-from-tfsec-to-trivy branch from 77c6dc5 to 01f80b7 Compare March 1, 2024 06:51
@nvminhtue nvminhtue requested a review from sanG-github as a code owner March 1, 2024 06:51
@malparty (Member) left a comment:

Approved ahead with minor suggestions ✅

2. Access to more integrations with tools and services through the rich ecosystem around Trivy.

## Trivy Local Scan
```bash
Review comment (Member):

Suggested change
```bash
```bash

Minor markdown lint suggestion

@@ -15,3 +15,4 @@
- [[Testing]]
- [[Modify the Infrastructure Diagram | Modify infra diagram]]
- [[Publishing]]
- [[Trivy Local Running]]
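Review bot: the sidebar entry added in this hunk, `- [[Trivy Local Running]]`, does not match the heading the new page uses in the README hunk above (`## Trivy Local Scan`), so the wiki link, the page title and its heading currently name the same thing three different ways. Pick one name (the reviewer's "Running Trivy Locally" reads best) and use it for the link target, the page file name and the H2, otherwise the sidebar link will not resolve to the page.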
Review comment (Member):

Suggested change
- [[Trivy Local Running]]
- [[Trivy Local Run]]

or Running Trivy Locally? :)

uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
- name: Install dependencies in .tool-versions
Review comment (Member):

Suggested change
- name: Install dependencies in .tool-versions
- name: Install dependencies from .tool-versions

(we don't install the dependencies in the .tool-versions file, but we use the file to install the dependencies).

with:
version: ${{ env.TFSEC_VERSION }}

- name: Run trivy linter
Review comment (Member):

Suggested change
- name: Run trivy linter
- name: Run trivy scanner

According to the doc, Trivy is more referred to as a scanner, rather than a linter 💭

uses: hashicorp/setup-terraform@v2
with:
terraform_version: ${{ env.TERRAFORM_VERSION }}
- name: Install dependencies in .tool-versions
Review comment (Member):

Suggested change
- name: Install dependencies in .tool-versions
- name: Install dependencies from .tool-versions

uses: aquasecurity/[email protected]
with:
version: ${{ env.TFSEC_VERSION }}
- name: Run trivy linter
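Review bot: the Trivy setup step still pins `version: ${{ env.TFSEC_VERSION }}` (it appears in both workflow snippets shown above). With tfsec removed, the variable name is misleading and risks feeding a leftover tfsec version string to the Trivy installer; rename it to something like `TRIVY_VERSION` and set it to an explicit Trivy release. The `uses:` line for the Trivy action is not legible on this page, so confirm in the workflow itself that the action is pinned to a specific tag or commit SHA rather than a floating reference.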
Review comment (Member):

Suggested change
- name: Run trivy linter
- name: Run trivy scanner

Review comment (Contributor Author):

Updated them all in a518570

@Nihisil Nihisil merged commit 2dcdafa into develop Mar 7, 2024
3 checks passed
@Nihisil Nihisil deleted the feature/gh-227-migrate-from-tfsec-to-trivy branch March 7, 2024 01:47
May close: Migrate from tfsec to Trivy (#227)

4 participants