aquasecurity · knqyf263 · Jan 6, 2022 · Jan 3, 2022 · Jan 4, 2022 · Jan 4, 2022
@@ -1,24 +1,24 @@
 # Air-Gapped Environment
 
-Trivy can be used in air-gapped environments.
-
+Trivy can be used in air-gapped environments. Note that an allowlist is [here][allowlist].
 
 ## Air-Gapped Environment for vulnerabilities
 
 ### Download the vulnerability database
 At first, you need to download the vulnerability database for use in air-gapped environments.
-Go to [trivy-db][trivy-db] and download `trivy-offline.db.tgz` in the latest release.
-If you download `trivy-light-offline.db.tgz`, you have to run Trivy with `--light` option.
+Please follow [oras installation instruction][oras].
+
+Download `db.tar.gz`:
 
 ```
-$ wget https://github.com/aquasecurity/trivy-db/releases/latest/download/trivy-offline.db.tgz
+$ oras pull ghcr.io/aquasecurity/trivy-db:2 -a
 ```
 
 ### Transfer the DB file into the air-gapped environment
 The way of transfer depends on the environment.
 
 ```
-$ rsync -av -e ssh /path/to/trivy-offline.db.tgz [user]@[host]:dst
+$ rsync -av -e ssh /path/to/db.tar.gz [user]@[host]:dst
 ```
 
 ### Put the DB file in Trivy's cache directory
@@ -35,17 +35,10 @@ Put the DB file in the cache directory + `/db`.
 ```
 $ mkdir -p /home/myuser/.cache/trivy/db
 $ cd /home/myuser/.cache/trivy/db
-$ mv /path/to/trivy-offline.db.tgz .
-```
-
-Then, decompress it.
-`trivy-offline.db.tgz` file includes two files, `trivy.db` and `metadata.json`.
-
-```
-$ tar xvf trivy-offline.db.tgz
+$ tar xvf /path/to/db.tar.gz -C /home/myuser/.cache/trivy/db
 x trivy.db
 x metadata.json
-$ rm trivy-offline.db.tgz
+$ rm /path/to/db.tar.gz
 ```
 
 In an air-gapped environment it is your responsibility to update the Trivy database on a regular basis, so that the scanner can detect recently-identified vulnerabilities. 
@@ -62,7 +55,8 @@ $ trivy image --skip-update --offline-scan alpine:3.12
 
 ### Download misconfiguration policies
 At first, you need to download misconfiguration policies for use in air-gapped environments.
-Please follow [oras installation instruction][oras]. \
+Please follow [oras installation instruction][oras].
+
 Download `bundle.tar.gz`:
 
 ```
@@ -115,5 +109,5 @@ In an air-gapped environment, specify `--skip-policy-update` so that Trivy doesn
 $ trivy conf --skip-policy-update /path/to/conf
 ```
 
-[trivy-db]: https://github.com/aquasecurity/trivy-db/releases
+[allowlist]: ../getting-started/troubleshooting.md
 [oras]: https://oras.land/cli/
@@ -1,4 +1,2 @@
 # Integrations
 Scan your image automatically as part of your CI workflow, failing the workflow if a vulnerability is found. When you don't want to fail the test, specify `--exit-code 0`.
-
-Since in automated scenarios such as CI/CD you are only interested in the end result, and not the full report, use the `--light` flag to optimize for this scenario and get fast results.
@@ -24,7 +24,6 @@ OPTIONS:
    --vuln-type value           comma-separated list of vulnerability types (os,library) (default: "os,library") [$TRIVY_VULN_TYPE]
    --ignorefile value          specify .trivyignore file (default: ".trivyignore") [$TRIVY_IGNOREFILE]
    --timeout value             timeout (default: 5m0s) [$TRIVY_TIMEOUT]
-   --light                     light mode: it's faster, but vulnerability descriptions and references are not displayed (default: false) [$TRIVY_LIGHT]
    --ignore-policy value       specify the Rego file to evaluate each vulnerability [$TRIVY_IGNORE_POLICY]
    --list-all-pkgs             enabling the option will output all packages regardless of vulnerability (default: false) [$TRIVY_LIST_ALL_PKGS]
    --offline-scan              do not issue API requests to identify dependencies (default: false) [$TRIVY_OFFLINE_SCAN]

@@ -69,11 +69,17 @@ Reference : [boltdb: Opening a database][boltdb].
 !!! error
     FATAL failed to download vulnerability DB
 
-If trivy is running behind corporate firewall try to whitelist urls below:
+If trivy is running behind corporate firewall, you have to add the following urls to your allowlist.
 
-- api.github.com
-- github.com
-- github-releases.githubusercontent.com
+- ghcr.io
+- pkg-containers.githubusercontent.com
+
+### Old DB schema
+
+!!! error
+    --skip-update cannot be specified with the old DB schema.
+
+Trivy v0.23.0 or later requires Trivy DB v2. Please update your local database or follow [the instruction of air-gapped environment][air-gapped].
 
 ## Homebrew
 ### Scope error
@@ -123,3 +129,5 @@ Try again with `--reset` option:
 ```
 $ trivy image --reset
 ```
+
+[air-gapped]: ../advanced/air-gap.md
@@ -36,39 +36,3 @@ This is useful to initialize workers in Continuous Integration systems.
 ```
 $ trivy image --download-db-only
 ```
-
-## Lightweight DB
-The lightweight DB doesn't contain vulnerability detail such as descriptions and references. Because of that, the size of the DB is smaller and the download is faster.
-
-This option is useful when you don't need vulnerability details and is suitable for CI/CD.
-To find the additional information, you can search vulnerability details on the NVD website.
-https://nvd.nist.gov/vuln/search
-
-```
-$ trivy image --light alpine:3.10
-```
-
-`--light` option doesn't display titles like the following example.
-
-<details>
-<summary>Result</summary>
-
-```
-2019-11-14T10:21:01.553+0200    INFO    Reopening vulnerability DB
-2019-11-14T10:21:02.574+0200    INFO    Detecting Alpine vulnerabilities...
-
-alpine:3.10 (alpine 3.10.2)
-===========================
-Total: 3 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 0, CRITICAL: 0)
-
-+---------+------------------+----------+-------------------+---------------+
-| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |
-+---------+------------------+----------+-------------------+---------------+
-| openssl | CVE-2019-1549    | MEDIUM   | 1.1.1c-r0         | 1.1.1d-r0     |
-+         +------------------+          +                   +               +
-|         | CVE-2019-1563    |          |                   |               |
-+         +------------------+----------+                   +               +
-|         | CVE-2019-1547    | LOW      |                   |               |
-+---------+------------------+----------+-------------------+---------------+
-```
-</details>
@@ -13,7 +13,7 @@ require (
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
 	github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492
-	github.com/aquasecurity/trivy-db v0.0.0-20210916043317-726b7b72a47b
+	github.com/aquasecurity/trivy-db v0.0.0-20220104200459-525690bf08ef
 	github.com/caarlos0/env/v6 v6.0.0
 	github.com/cenkalti/backoff v2.2.1+incompatible
 	github.com/cheggaaa/pb/v3 v3.0.3
@@ -24,7 +24,6 @@ require (
 	github.com/goccy/go-yaml v1.8.2 // indirect
 	github.com/golang/protobuf v1.5.2
 	github.com/google/go-containerregistry v0.7.1-0.20211214010025-a65b7844a475
-	github.com/google/go-github/v33 v33.0.0
 	github.com/google/wire v0.4.0
 	github.com/hashicorp/go-getter v1.5.2
 	github.com/hashicorp/go-hclog v0.15.0 // indirect
@@ -43,7 +42,6 @@ require (
 	github.com/twitchtv/twirp v8.1.0+incompatible
 	github.com/urfave/cli/v2 v2.3.0
 	go.uber.org/zap v1.19.1
-	golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8
 	golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
 	google.golang.org/protobuf v1.27.1
 	gopkg.in/go-playground/validator.v9 v9.31.0 // indirect