
Add support for multiple vulnerability database repositories #7

Open
wants to merge 1 commit into main

Conversation

benji78

@benji78 benji78 commented Nov 17, 2024

At the time of my previous pull request (#3), this scanner adapter only supported trivy v0.54.1. In trivy v0.56.0 support for multiple vulnerability database repositories was added.

Here is how it can be used:

    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

I also added these to the config test and updated the wrapper test.

This also includes the same README fix as #6, updates the default repositories and adds some info to values.yaml.

I am just waiting for trivy to update the default registries to mark this PR as ready.

@benji78 benji78 marked this pull request as draft November 17, 2024 18:25
@benji78 benji78 marked this pull request as ready for review November 18, 2024 09:53
Comment on lines -37 to +38
DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
DBRepository []string `env:"SCANNER_TRIVY_DB_REPOSITORY"`
JavaDBRepository []string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY"`
Author


Should I hardcode the default repositories? I was thinking that using trivy's default might be better, but if they change in the future the README documentation would be wrong.


Two days ago a new trivy version was released: v0.57.1.
The default URLs have changed:
aquasecurity/trivy#7679

Author

@benji78 benji78 Nov 20, 2024


This is indeed what I am referring to, and the reason why I waited before creating this PR (and had it as a draft): I needed to update the documentation.

@reasonerjt

I intend to bump the adapter to v0.32.1, consuming trivy v0.57.1.

IMO this change is probably not needed for v0.32.1, thoughts? @benji78

@@ -34,8 +34,8 @@ type Trivy struct {
IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
SkipDBUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
SkipJavaDBUpdate bool `env:"SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" envDefault:"false"`
DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
DBRepository []string `env:"SCANNER_TRIVY_DB_REPOSITORY"`
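Review bot: dropping envDefault from DBRepository and JavaDBRepository (the two replaced lines at 37-38) means an unset SCANNER_TRIVY_DB_REPOSITORY or SCANNER_TRIVY_JAVA_DB_REPOSITORY now leaves the slice empty, so the wrapper must omit --db-repository / --java-db-repository entirely in that case rather than pass an empty value, and the wrapper test should cover the unset case; the README also needs to state that the separator is a comma, since nothing in the struct tag says so. If the intent is to follow trivy's own default when unset, say so explicitly in values.yaml so the documented default and the binary's behaviour cannot drift apart when the upstream registries change again.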


It can remain a string and we just document that the value should be comma-separated URIs?

Author

@benji78 benji78 Dec 5, 2024


I could do that, but even though we are not changing or using the URIs separately right now, I believe it is clearer and more future proof to use an array of strings.
We could, for example, strip any spaces around the comma (may not be such a good practice though) or change from a comma-separated string to using one --db-repository or --java-db-repository per URI.
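The two options discussed above (keep the env var a comma-separated string, or hold a []string and emit one flag per repository) both come down to how the adapter normalises the value before handing it to trivy. The following Go program is an added example, not code from harbor-scanner-trivy or from trivy: it parses a value of the shape shown in the PR description, trims whitespace, drops empty and duplicate entries, rejects entries that carry a URL scheme (an OCI reference like ghcr.io/aquasecurity/trivy-db has none, and a pasted https:// prefix would otherwise reach trivy unchanged), and renders the result either as a single comma-joined flag value or as a repeated flag. The function names, the scheme check and the assumption that trivy accepts the repeated-flag form are the example's own. Because the repository list decides where the vulnerability database is downloaded from, failing loudly on a malformed entry is preferable to silently passing it through.

```go
package main

import (
	"fmt"
	"strings"
)

// ParseRepositories splits the comma-separated value of a variable such as
// SCANNER_TRIVY_DB_REPOSITORY into a list of OCI repository references.
// Whitespace around each entry is trimmed, empty and duplicate entries are
// dropped, and entries that look like URLs (scheme present) or contain inner
// whitespace are rejected rather than forwarded to trivy.
func ParseRepositories(raw string) ([]string, error) {
	var repos []string
	seen := make(map[string]bool)
	for _, part := range strings.Split(raw, ",") {
		r := strings.TrimSpace(part)
		if r == "" {
			continue // tolerate a trailing comma or a doubled comma
		}
		if strings.Contains(r, "://") {
			return nil, fmt.Errorf("repository %q must be an OCI reference without a URL scheme", r)
		}
		if strings.ContainsAny(r, " \t") {
			return nil, fmt.Errorf("repository %q contains whitespace", r)
		}
		if seen[r] {
			continue // the same fallback listed twice adds nothing
		}
		seen[r] = true
		repos = append(repos, r)
	}
	return repos, nil
}

// DBRepositoryArgs renders the parsed list as trivy CLI arguments for the
// given flag (--db-repository or --java-db-repository). With repeat=false the
// repositories are joined with commas into one flag value; with repeat=true
// the flag is emitted once per repository (assumed here to be accepted by
// trivy). An empty list yields no flag at all, so trivy keeps its own default.
func DBRepositoryArgs(flag string, repos []string, repeat bool) []string {
	if len(repos) == 0 {
		return nil
	}
	if !repeat {
		return []string{flag, strings.Join(repos, ",")}
	}
	args := make([]string, 0, 2*len(repos))
	for _, r := range repos {
		args = append(args, flag, r)
	}
	return args
}

func main() {
	// Constructed sample input: the value from the PR description, with a
	// stray space and a duplicate entry to show the normalisation.
	raw := " public.ecr.aws/aquasecurity/trivy-db, ghcr.io/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db"
	repos, err := ParseRepositories(raw)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(DBRepositoryArgs("--db-repository", repos, false))
	fmt.Println(DBRepositoryArgs("--db-repository", repos, true))

	// A URL pasted by mistake is rejected instead of being passed to trivy.
	if _, err := ParseRepositories("https://ghcr.io/aquasecurity/trivy-db"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Keeping the parsed form as []string inside the adapter, as the PR does, leaves the choice between the joined and the repeated CLI form to the wrapper; the env-var format documented for users stays a comma-separated string either way.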

@benji78
Author

benji78 commented Dec 5, 2024

Trivy v0.56.0 (and therefore also harbor-scanner-trivy v0.32.0) already supports multiple repositories, so bumping to trivy v0.57.1 will just update the database registry fallback (and other unrelated changes).

3 participants