aquasecurity · chen-keinan · May 12, 2024 · May 5, 2024 · May 5, 2024 · May 5, 2024
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -139,7 +139,7 @@ Keeps security report resources updated
 | trivy.image.pullPolicy | string | `"IfNotPresent"` | pullPolicy is the imge pull policy used for trivy image , valid values are (Always, Never, IfNotPresent) |
 | trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image |
 | trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image |
-| trivy.image.tag | string | `"0.50.4"` | tag version of the Trivy image |
+| trivy.image.tag | string | `"0.51.1"` | tag version of the Trivy image |
 | trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
 | trivy.includeDevDeps | bool | `false` | includeDevDeps include development dependencies in the report (supported: npm, yarn) (default: false) note: this flag is only applicable when trivy.command is set to filesystem |
 | trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -326,7 +326,7 @@ trivy:
     # -- repository of the Trivy image
     repository: aquasecurity/trivy
     # -- tag version of the Trivy image
-    tag: 0.50.4
+    tag: 0.51.1
     # -- imagePullSecret is the secret name to be used when pulling trivy image from private registries example : reg-secret
     # It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace
     imagePullSecret: ~

diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -3025,7 +3025,7 @@ metadata:
     app.kubernetes.io/managed-by: kubectl
 data:
   trivy.repository: "ghcr.io/aquasecurity/trivy"
-  trivy.tag: "0.50.4"
+  trivy.tag: "0.51.1"
   trivy.imagePullPolicy: "IfNotPresent"
   trivy.additionalVulnerabilityReportFields: ""
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"

diff --git a/docs/docs/crds/clustervulnerability-report.md b/docs/docs/crds/clustervulnerability-report.md
@@ -44,7 +44,7 @@ report:
   scanner:
     name: Trivy
     vendor: Aqua Security
-    version: 0.50.4
+    version: 0.51.1
   summary:
     criticalCount: 0
     highCount: 4

diff --git a/docs/docs/crds/sbom-report.md b/docs/docs/crds/sbom-report.md
@@ -162,7 +162,7 @@ report:
   scanner:
     name: Trivy
     vendor: Aqua Security
-    version: 0.50.4
+    version: 0.51.1
   summary:
     componentsCount: 5
     dependenciesCount: 5

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/pkg/operator/operator.go b/pkg/operator/operator.go
@@ -431,16 +431,18 @@ func buildPolicyLoader(tc trivyoperator.ConfigData) (policy.Loader, error) {
 	if err != nil {
 		return nil, fmt.Errorf("OCI artifact error: %w", err)
 	}
+	ro := types.RegistryOptions{}
 	if registryUser != "" && registryPassword != "" {
-		artifact.RegistryOptions = types.RegistryOptions{
+		ro = types.RegistryOptions{
 			Credentials: []types.Credential{
 				{
 					Username: registryUser,
 					Password: registryPassword,
 				},
 			},
 		}
+		artifact.RegistryOptions = ro
 	}
-	policyLoader := policy.NewPolicyLoader(tc.PolicyBundleOciRef(), gcache.New(1).LRU().Build(), mp.WithOCIArtifact(artifact))
+	policyLoader := policy.NewPolicyLoader(tc.PolicyBundleOciRef(), gcache.New(1).LRU().Build(), ro, mp.WithOCIArtifact(artifact))
 	return policyLoader, nil
 }
diff --git a/pkg/plugins/trivy/config_test.go b/pkg/plugins/trivy/config_test.go
@@ -725,7 +725,7 @@ func TestPlugin_Init(t *testing.T) {
 			},
 			Data: map[string]string{
 				"trivy.repository":                DefaultImageRepository,
-				"trivy.tag":                       "0.50.4",
+				"trivy.tag":                       "0.51.1",
 				"trivy.severity":                  DefaultSeverity,
 				"trivy.slow":                      "true",
 				"trivy.mode":                      string(Standalone),

diff --git a/pkg/plugins/trivy/jobspec_test.go b/pkg/plugins/trivy/jobspec_test.go
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
@@ -80,7 +80,7 @@ func (p *plugin) Init(ctx trivyoperator.PluginContext) error {
 	return ctx.EnsureConfig(trivyoperator.PluginConfig{
 		Data: map[string]string{
 			keyTrivyImageRepository:           DefaultImageRepository,
-			keyTrivyImageTag:                  "0.50.4",
+			keyTrivyImageTag:                  "0.51.1",
 			KeyTrivySeverity:                  DefaultSeverity,
 			keyTrivySlow:                      "true",
 			keyTrivyMode:                      string(Standalone),

diff --git a/pkg/plugins/trivy/testdata/fixture/alpine_sbom.json b/pkg/plugins/trivy/testdata/fixture/alpine_sbom.json
@@ -12,7 +12,7 @@
                     "type": "application",
                     "group": "aquasecurity",
                     "name": "trivy",
-                    "version": "0.50.4"
+                    "version": "0.51.1"
                 }
             ]
         },

diff --git a/pkg/policy/loader.go b/pkg/policy/loader.go
@@ -4,17 +4,17 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"time"
-
+	"github.com/aquasecurity/trivy/pkg/fanal/types"
 	mp "github.com/aquasecurity/trivy/pkg/policy"
 	"github.com/bluele/gcache"
 	"github.com/go-logr/logr"
 	"golang.org/x/xerrors"
+	"os"
+	"path/filepath"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"strings"
+	"sync"
+	"time"
 )
 
 const (
@@ -26,22 +26,24 @@ type Loader interface {
 }
 
 type policyLoader struct {
-	PolicyRepo string
-	mutex      sync.RWMutex
-	cache      gcache.Cache
-	expiration *time.Duration
-	options    []mp.Option
-	logger     logr.Logger
+	PolicyRepo      string
+	mutex           sync.RWMutex
+	cache           gcache.Cache
+	expiration      *time.Duration
+	options         []mp.Option
+	logger          logr.Logger
+	RegistryOptions types.RegistryOptions
 }
 
-func NewPolicyLoader(pr string, cache gcache.Cache, opts ...mp.Option) Loader {
+func NewPolicyLoader(pr string, cache gcache.Cache, registryOptions types.RegistryOptions, opts ...mp.Option) Loader {
 	expiration := 24 * time.Hour
 	return &policyLoader{
-		PolicyRepo: pr,
-		cache:      cache,
-		options:    opts,
-		expiration: &expiration,
-		logger:     ctrl.Log.WithName("policyLoader"),
+		PolicyRepo:      pr,
+		cache:           cache,
+		options:         opts,
+		expiration:      &expiration,
+		logger:          ctrl.Log.WithName("policyLoader"),
+		RegistryOptions: registryOptions,
 	}
 }
 
@@ -96,7 +98,7 @@ func (pl *policyLoader) getBuiltInPolicies(ctx context.Context) ([]string, error
 		return nil, xerrors.Errorf("policy client error: %w", err)
 	}
 
-	if err = client.DownloadBuiltinPolicies(ctx); err != nil {
+	if err = client.DownloadBuiltinPolicies(ctx, pl.RegistryOptions); err != nil {
 		return nil, xerrors.Errorf("failed to download built-in policies: %w", err)
 	}
 	return client.LoadBuiltinPolicies()

diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
@@ -15,6 +15,7 @@ import (
 	"github.com/aquasecurity/trivy-operator/pkg/plugins/trivy"
 	"github.com/aquasecurity/trivy-operator/pkg/policy"
 	"github.com/aquasecurity/trivy-operator/pkg/utils"
+	"github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/iac/scan"
 	"github.com/bluele/gcache"
 	. "github.com/onsi/gomega"
@@ -35,7 +36,7 @@ func TestPolicies_PoliciesByKind(t *testing.T) {
 			"library.kubernetes.rego":        "<REGO_A>",
 			"library.utils.rego":             "<REGO_B>",
 			"policy.access_to_host_pid.rego": "<REGO_C>",
-		}, testConfig{}, ctrl.Log.WithName("policy logger"), policy.NewPolicyLoader("", gcache.New(1).LRU().Build()), "1.27.1")
+		}, testConfig{}, ctrl.Log.WithName("policy logger"), policy.NewPolicyLoader("", gcache.New(1).LRU().Build(), types.RegistryOptions{}), "1.27.1")
 		_, err := config.PoliciesByKind("Pod")
 		g.Expect(err).To(MatchError("kinds not defined for policy: policy.access_to_host_pid.rego"))
 	})
@@ -44,7 +45,7 @@ func TestPolicies_PoliciesByKind(t *testing.T) {
 		g := NewGomegaWithT(t)
 		config := policy.NewPolicies(map[string]string{
 			"policy.access_to_host_pid.kinds": "Workload",
-		}, testConfig{}, ctrl.Log.WithName("policy logger"), policy.NewPolicyLoader("", gcache.New(1).LRU().Build()), "1.27.1")
+		}, testConfig{}, ctrl.Log.WithName("policy logger"), policy.NewPolicyLoader("", gcache.New(1).LRU().Build(), types.RegistryOptions{}), "1.27.1")
 		_, err := config.PoliciesByKind("Pod")
 		g.Expect(err).To(MatchError("expected policy not found: policy.access_to_host_pid.rego"))
 	})
@@ -71,7 +72,7 @@ func TestPolicies_PoliciesByKind(t *testing.T) {
 			"policy.privileged": "<REGO_E>",
 			// This one should be skipped (no policy. prefix)
 			"foo": "bar",
-		}, testConfig{}, ctrl.Log.WithName("policy logger"), policy.NewPolicyLoader("", gcache.New(1).LRU().Build()), "1.27.1")
+		}, testConfig{}, ctrl.Log.WithName("policy logger"), policy.NewPolicyLoader("", gcache.New(1).LRU().Build(), types.RegistryOptions{}), "1.27.1")
 		g.Expect(config.PoliciesByKind("Pod")).To(Equal(map[string]string{
 			"policy.access_to_host_pid.rego":                "<REGO_C>",
 			"policy.cpu_not_limited.rego":                   "<REGO_D>",
@@ -145,7 +146,7 @@ func TestPolicies_Supported(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			g := NewGomegaWithT(t)
 			log := ctrl.Log.WithName("resourcecontroller")
-			ready, err := policy.NewPolicies(tc.data, testConfig{}, log, policy.NewPolicyLoader("", gcache.New(1).LRU().Build()), "1.27.1").SupportedKind(tc.resource, tc.rbacEnable)
+			ready, err := policy.NewPolicies(tc.data, testConfig{}, log, policy.NewPolicyLoader("", gcache.New(1).LRU().Build(), types.RegistryOptions{}), "1.27.1").SupportedKind(tc.resource, tc.rbacEnable)
 			g.Expect(err).ToNot(HaveOccurred())
 			g.Expect(ready).To(Equal(tc.expected))
 		})

diff --git a/pkg/vulnerabilityreport/controller/testdata/sbom.json b/pkg/vulnerabilityreport/controller/testdata/sbom.json
@@ -246,7 +246,7 @@
         "scanner": {
             "name": "Trivy",
             "vendor": "Aqua Security",
-            "version": "0.50.4"
+            "version": "0.51.1"
         },
         "summary": {
             "componentsCount": 5,

diff --git a/tests/e2e/sbom-client-server/workload/00-sbom-pod.yaml b/tests/e2e/sbom-client-server/workload/00-sbom-pod.yaml
@@ -3526,7 +3526,7 @@ report:
   scanner:
     name: Trivy
     vendor: Aqua Security
-    version: 0.50.4
+    version: 0.51.1
   summary:
     componentsCount: 110
     dependenciesCount: 110

diff --git a/tests/e2e/sbom-fs/workload/00-sbom-pod.yaml b/tests/e2e/sbom-fs/workload/00-sbom-pod.yaml
@@ -3526,7 +3526,7 @@ report:
   scanner:
     name: Trivy
     vendor: Aqua Security
-    version: 0.50.4
+    version: 0.51.1
   summary:
     componentsCount: 110
     dependenciesCount: 110

diff --git a/tests/e2e/sbom-standalone/workload/00-sbom-pod.yaml b/tests/e2e/sbom-standalone/workload/00-sbom-pod.yaml
@@ -3526,7 +3526,7 @@ report:
   scanner:
     name: Trivy
     vendor: Aqua Security
-    version: 0.50.4
+    version: 0.51.1
   summary:
     componentsCount: 110
     dependenciesCount: 110