chore: bump up trivy to v0.57.1

[afdesk]

Description

This PR updates dependencies related on Trivy 0.57.0 and fixes some vulnerabilities inside these ones.

Notes:

• Support NVD CVSS V4.0 Schema was added in Trivy DB: feat(vulnsrc/nvd): add CVSS v4.0 trivy-db#414.

• controller-runtime v0.19.0 contains a breaking change - a check for duplicate controller names (⚠️ Validate controller names are unique kubernetes-sigs/controller-runtime#2902). It's disabled for this PR and should be disabled for tests.
  More details: incorrect check for duplicate controller names kubernetes-sigs/controller-runtime#2937

• Now using build-in Rego policies is disabled by default, useEmbeddedRegoPolicies is enabled. It allows to decrease downloads from ghcr.io (the single source for trivy-checks)

• Trivy-operator uses mirror.gcr.io registry instead of ghcr.io by default for some available OCI artifacts (trivy-db, trivy-java-db).

Before:

trivy rootfs .
2024-10-29T17:43:58+06:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-29T17:43:58+06:00	INFO	[secret] Secret scanning is enabled
2024-10-29T17:43:58+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T17:43:58+06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T17:43:58+06:00	INFO	Number of language-specific files	num=1
2024-10-29T17:43:58+06:00	INFO	[gobinary] Detecting vulnerabilities...

to (gobinary)

Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 1, HIGH: 0, CRITICAL: 1)

┌──────────────────────────────────┬─────────────────────┬──────────┬────────┬──────────────────────┬─────────────────────────────────┬───────────────────────────────────────────────────────────┐
│             Library              │    Vulnerability    │ Severity │ Status │  Installed Version   │          Fixed Version          │                           Title                           │
├──────────────────────────────────┼─────────────────────┼──────────┼────────┼──────────────────────┼─────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/docker/docker         │ CVE-2024-41110      │ CRITICAL │ fixed  │ v26.1.3+incompatible │ 23.0.15, 26.1.5, 27.1.1, 25.0.6 │ moby: Authz zero length regression                        │
│                                  │                     │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-41110                │
├──────────────────────────────────┼─────────────────────┼──────────┤        ├──────────────────────┼─────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ github.com/open-policy-agent/opa │ CVE-2024-8260       │ MEDIUM   │        │ v0.65.0              │ 0.68.0                          │ opa: OPA SMB Force-Authentication                         │
│                                  │                     │          │        │                      │                                 │ https://avd.aquasec.com/nvd/cve-2024-8260                 │
├──────────────────────────────────┼─────────────────────┼──────────┤        ├──────────────────────┼─────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ google.golang.org/grpc           │ GHSA-xr7q-jx4m-x55m │ LOW      │        │ v1.64.0              │ 1.64.1                          │ Private tokens could appear in logs if context containing │
│                                  │                     │          │        │                      │                                 │ gRPC metadata is...                                       │
│                                  │                     │          │        │                      │                                 │ https://github.com/advisories/GHSA-xr7q-jx4m-x55m         │
└──────────────────────────────────┴─────────────────────┴──────────┴────────┴──────────────────────┴─────────────────────────────────┴───────────────────────────────────────────────────────────┘

After

 trivy rootfs .                                           
2024-10-29T17:40:31+06:00	INFO	[vuln] Vulnerability scanning is enabled
2024-10-29T17:40:31+06:00	INFO	[secret] Secret scanning is enabled
2024-10-29T17:40:31+06:00	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T17:40:31+06:00	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T17:40:31+06:00	INFO	Number of language-specific files	num=1
2024-10-29T17:40:31+06:00	INFO	[gobinary] Detecting vulnerabilities...

Checklist

• I've read the guidelines for contributing to this repository.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[afdesk]

@simar7 @nikpivkin there were some changes (renaming) in iac/rego methods.
Could you check please that I update them correctly here? thanks!

[iamhalje]

PR mentions an upgrade to v0.57.0, but v0.57.1 is already available

[simar7]

I reviewed the pkg/ changes and they lgtm. @nikpivkin could you also take another look?

[afdesk]

PR mentions an upgrade to v0.57.0, but v0.57.1 is already available

fixed

[nikpivkin]

I think it's worth changing the default value in the future after the release of trivy-checks in DockerHub in case the use of embedded checks is disabled.

[afdesk]

yes, sure.

[nikpivkin]

LGTM!

[hebestreit]

Did you miss to bump the version of the chart or is there any reason?

https://github.com/aquasecurity/trivy-operator/blob/main/deploy/helm/Chart.yaml#L9

I'm happy to provide a PR for the change.

[hebestreit]

I've just seen that other changes have also been merged recently, and I assume it's not being updated because of the upcoming release?

I apologize for my impatience and the inconvenience.

[afdesk]

I've just seen that other changes have also been merged recently, and I assume it's not being updated because of the upcoming release?

I apologize for my impatience and the inconvenience.

It's OK
You're right, we want to cut a new release today/tomorrow, but we need to clarify some details.
sorry for inconvenience