feat(trivy): configure --db-repository to get advisory database from …

…OCI registry (#1064)
aquasecurity · Apr 8, 2022 · 7d53816 · 7d53816
1 parent 6abccd0
commit 7d53816
Show file tree

Hide file tree

Showing 9 changed files with 68 additions and 17 deletions.
diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -63,6 +63,7 @@ data:
   trivy.nonSslRegistry.{{ $key }}: {{ $registry | quote }}
   {{- end }}
   trivy.severity: {{ .severity | quote }}
+  trivy.dbRepository: {{ .dbRepository | quote }}
   {{- if .ignoreUnfixed }}
   trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }}
   {{- end }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -100,7 +100,7 @@ trivy:
   createConfig: true
 
   # imageRef the Trivy image reference.
-  imageRef: docker.io/aquasec/trivy:0.24.2
+  imageRef: docker.io/aquasec/trivy:0.25.2
 
   # mode is the Trivy client mode. Either Standalone or ClientServer. Depending
   # on the active mode other settings might be applicable or required.
@@ -176,6 +176,9 @@ trivy:
   # Trivy client to Trivy server. Only applicable in ClientServer mode.
   #
   # serverCustomHeaders: "foo=bar"
+
+  dbRepository: "ghcr.io/aquasecurity/trivy-db"
+
 compliance:
   # failEntriesLimit the flag to limit the number of fail entries per control check in the cluster compliance detail report
   failEntriesLimit: 10

diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml
@@ -48,10 +48,11 @@ metadata:
     app.kubernetes.io/version: "0.15.3"
     app.kubernetes.io/managed-by: kubectl
 data:
-  trivy.imageRef: "docker.io/aquasec/trivy:0.24.2"
+  trivy.imageRef: "docker.io/aquasec/trivy:0.25.2"
   trivy.mode: "Standalone"
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   trivy.timeout: "5m0s"
+  trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
   trivy.resources.requests.cpu: 100m
   trivy.resources.requests.memory: 100M
   trivy.resources.limits.cpu: 500m

diff --git a/deploy/static/starboard.yaml b/deploy/static/starboard.yaml
@@ -822,10 +822,11 @@ metadata:
     app.kubernetes.io/version: "0.15.3"
     app.kubernetes.io/managed-by: kubectl
 data:
-  trivy.imageRef: "docker.io/aquasec/trivy:0.24.2"
+  trivy.imageRef: "docker.io/aquasec/trivy:0.25.2"
   trivy.mode: "Standalone"
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   trivy.timeout: "5m0s"
+  trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
   trivy.resources.requests.cpu: 100m
   trivy.resources.requests.memory: 100M
   trivy.resources.limits.cpu: 500m

diff --git a/docs/vulnerability-scanning/trivy.md b/docs/vulnerability-scanning/trivy.md
@@ -82,7 +82,8 @@ EOF
 
 | CONFIGMAP KEY                      | DEFAULT                            | DESCRIPTION                                                                                                                                                         |
 |------------------------------------|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `trivy.imageRef`                   | `docker.io/aquasec/trivy:0.24.2`   | Trivy image reference                                                                                                                                               |
+| `trivy.imageRef`                   | `docker.io/aquasec/trivy:0.25.2`   | Trivy image reference                                                                                                                                               |
+| `trivy.dbRepository`               | `ghcr.io/aquasecurity/trivy-db`    | External OCI Registry to download the vulnerability database                                                                                                                                               |
 | `trivy.mode`                       | `Standalone`                       | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required.                              |
 | `trivy.severity`                   | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy                                                                                                         |
 | `trivy.ignoreUnfixed`              | N/A                                | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it.                                                      |

diff --git a/itest/matcher/matcher.go b/itest/matcher/matcher.go
@@ -21,7 +21,7 @@ var (
 	trivyScanner = v1alpha1.Scanner{
 		Name:    "Trivy",
 		Vendor:  "Aqua Security",
-		Version: "0.24.2",
+		Version: "0.25.2",
 	}
 	builtInScanner = v1alpha1.Scanner{
 		Name:    "Starboard",

diff --git a/itest/matcher/matcher_test.go b/itest/matcher/matcher_test.go
@@ -57,7 +57,7 @@ func TestVulnerabilityReportMatcher(t *testing.T) {
 				Scanner: v1alpha1.Scanner{
 					Name:    "Trivy",
 					Vendor:  "Aqua Security",
-					Version: "0.24.2",
+					Version: "0.25.2",
 				},
 				Vulnerabilities: []v1alpha1.Vulnerability{},
 			},

diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go
@@ -43,6 +43,7 @@ const (
 	keyTrivyGitHubToken            = "trivy.githubToken"
 	keyTrivySkipFiles              = "trivy.skipFiles"
 	keyTrivySkipDirs               = "trivy.skipDirs"
+	keyTrivyDBRepository           = "trivy.dbRepository"
 
 	keyTrivyServerURL           = "trivy.serverURL"
 	keyTrivyServerTokenHeader   = "trivy.serverTokenHeader"
@@ -56,6 +57,8 @@ const (
 	keyResourcesLimitsMemory   = "trivy.resources.limits.memory"
 )
 
+const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db"
+
 // Mode in which Trivy client operates.
 type Mode string
 
@@ -211,6 +214,10 @@ func (c Config) setResourceLimit(configKey string, k8sResourceList *corev1.Resou
 	return nil
 }
 
+func (c Config) GetDBRepository() (string, error) {
+	return c.GetRequiredData(keyTrivyDBRepository)
+}
+
 type plugin struct {
 	clock          ext.Clock
 	idGenerator    ext.IDGenerator
@@ -240,10 +247,11 @@ func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, client client.Clien
 func (p *plugin) Init(ctx starboard.PluginContext) error {
 	return ctx.EnsureConfig(starboard.PluginConfig{
 		Data: map[string]string{
-			keyTrivyImageRef: "docker.io/aquasec/trivy:0.24.2",
+			keyTrivyImageRef: "docker.io/aquasec/trivy:0.25.2",
 			keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 			keyTrivyMode:     string(Standalone),
 			keyTrivyTimeout:  "5m0s",
+			keyTrivyDBRepository: defaultDBRepository,
 
 			keyResourcesRequestsCPU:    "100m",
 			keyResourcesRequestsMemory: "100M",
@@ -342,6 +350,11 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 
 	trivyConfigName := starboard.GetPluginConfigMapName(Plugin)
 
+	dbRepository, err := config.GetDBRepository()
+	if err != nil {
+		return corev1.PodSpec{}, nil, err
+	}
+
 	requirements, err := config.GetResourceRequirements()
 	if err != nil {
 		return corev1.PodSpec{}, nil, err
@@ -410,6 +423,8 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config
 			"/tmp/trivy/.cache",
 			"image",
 			"--download-db-only",
+			"--db-repository",
+			dbRepository,
 		},
 		Resources: requirements,
 		VolumeMounts: []corev1.VolumeMount{
@@ -993,6 +1008,11 @@ func (p *plugin) getPodSpecForStandaloneFSMode(ctx starboard.PluginContext, conf
 
 	trivyConfigName := starboard.GetPluginConfigMapName(Plugin)
 
+	dbRepository, err := config.GetDBRepository()
+	if err != nil {
+		return corev1.PodSpec{}, nil, err
+	}
+
 	requirements, err := config.GetResourceRequirements()
 	if err != nil {
 		return corev1.PodSpec{}, nil, err
@@ -1050,6 +1070,8 @@ func (p *plugin) getPodSpecForStandaloneFSMode(ctx starboard.PluginContext, conf
 			"--download-db-only",
 			"--cache-dir",
 			"/var/starboard/trivy-db",
+			"--db-repository",
+			dbRepository,
 		},
 		Resources:    requirements,
 		VolumeMounts: volumeMounts,

diff --git a/pkg/plugin/trivy/plugin_test.go b/pkg/plugin/trivy/plugin_test.go
@@ -29,6 +29,8 @@ var (
 	fixedClock = ext.NewFixedClock(fixedTime)
 )
 
+const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db"
+
 func TestConfig_GetImageRef(t *testing.T) {
 	testCases := []struct {
 		name             string
@@ -196,6 +198,7 @@ func TestConfig_GetResourceRequirements(t *testing.T) {
 			config: trivy.Config{
 				PluginConfig: starboard.PluginConfig{
 					Data: map[string]string{
+						"trivy.dbRepository":              defaultDBRepository,
 						"trivy.resources.requests.cpu":    "800m",
 						"trivy.resources.requests.memory": "200M",
 						"trivy.resources.limits.cpu":      "600m",
@@ -470,10 +473,11 @@ func TestPlugin_Init(t *testing.T) {
 				ResourceVersion: "1",
 			},
 			Data: map[string]string{
-				"trivy.imageRef": "docker.io/aquasec/trivy:0.24.2",
-				"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
-				"trivy.mode":     "Standalone",
-				"trivy.timeout":  "5m0s",
+				"trivy.imageRef":     "docker.io/aquasec/trivy:0.25.2",
+				"trivy.severity":     "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
+				"trivy.mode":         "Standalone",
+				"trivy.timeout":      "5m0s",
+				"trivy.dbRepository": defaultDBRepository,
 
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
@@ -496,7 +500,7 @@ func TestPlugin_Init(t *testing.T) {
 					ResourceVersion: "1",
 				},
 				Data: map[string]string{
-					"trivy.imageRef": "docker.io/aquasec/trivy:0.24.2",
+					"trivy.imageRef": "docker.io/aquasec/trivy:0.25.2",
 					"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 					"trivy.mode":     "Standalone",
 				},
@@ -530,7 +534,7 @@ func TestPlugin_Init(t *testing.T) {
 				ResourceVersion: "1",
 			},
 			Data: map[string]string{
-				"trivy.imageRef": "docker.io/aquasec/trivy:0.24.2",
+				"trivy.imageRef": "docker.io/aquasec/trivy:0.25.2",
 				"trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
 				"trivy.mode":     "Standalone",
 			},
@@ -582,7 +586,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 			config: map[string]string{
 				"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
 				"trivy.mode":     string(trivy.Standalone),
-
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -682,6 +686,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"--cache-dir", "/tmp/trivy/.cache",
 							"image",
 							"--download-db-only",
+							"--db-repository", defaultDBRepository,
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -834,6 +839,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 				"trivy.imageRef":                     "docker.io/aquasec/trivy:0.14.0",
 				"trivy.mode":                         string(trivy.Standalone),
 				"trivy.insecureRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
+				"trivy.dbRepository":                 defaultDBRepository,
 
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
@@ -928,6 +934,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"--cache-dir", "/tmp/trivy/.cache",
 							"image",
 							"--download-db-only",
+							"--db-repository", defaultDBRepository,
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1084,6 +1091,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 				"trivy.imageRef":                   "docker.io/aquasec/trivy:0.14.0",
 				"trivy.mode":                       string(trivy.Standalone),
 				"trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
+				"trivy.dbRepository":               defaultDBRepository,
 				"trivy.resources.requests.cpu":     "100m",
 				"trivy.resources.requests.memory":  "100M",
 				"trivy.resources.limits.cpu":       "500m",
@@ -1178,6 +1186,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) {
 							"--cache-dir", "/tmp/trivy/.cache",
 							"image",
 							"--download-db-only",
+							"--db-repository", defaultDBRepository,
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1338,6 +1347,7 @@ CVE-2018-14618
 
 # No impact in our settings
 CVE-2019-1543`,
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -1448,6 +1458,7 @@ CVE-2019-1543`,
 							"--cache-dir", "/tmp/trivy/.cache",
 							"image",
 							"--download-db-only",
+							"--db-repository", defaultDBRepository,
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1609,6 +1620,7 @@ CVE-2019-1543`,
 				"trivy.imageRef": "docker.io/aquasec/trivy:0.14.0",
 				"trivy.mode":     string(trivy.Standalone),
 
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -1706,6 +1718,7 @@ CVE-2019-1543`,
 							"--cache-dir", "/tmp/trivy/.cache",
 							"image",
 							"--download-db-only",
+							"--db-repository", defaultDBRepository,
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -1858,6 +1871,7 @@ CVE-2019-1543`,
 				"trivy.imageRef":                  "docker.io/aquasec/trivy:0.14.0",
 				"trivy.mode":                      string(trivy.ClientServer),
 				"trivy.serverURL":                 "http://trivy.trivy:4954",
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -2047,6 +2061,7 @@ CVE-2019-1543`,
 				"trivy.imageRef":                  "docker.io/aquasec/trivy:0.14.0",
 				"trivy.mode":                      string(trivy.ClientServer),
 				"trivy.serverURL":                 "http://trivy.trivy:4954",
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -2237,6 +2252,7 @@ CVE-2019-1543`,
 				"trivy.mode":                      string(trivy.ClientServer),
 				"trivy.serverURL":                 "https://trivy.trivy:4954",
 				"trivy.serverInsecure":            "true",
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -2431,6 +2447,7 @@ CVE-2019-1543`,
 				"trivy.mode":                       string(trivy.ClientServer),
 				"trivy.serverURL":                  "http://trivy.trivy:4954",
 				"trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl",
+				"trivy.dbRepository":               defaultDBRepository,
 				"trivy.resources.requests.cpu":     "100m",
 				"trivy.resources.requests.memory":  "100M",
 				"trivy.resources.limits.cpu":       "500m",
@@ -2629,6 +2646,7 @@ CVE-2018-14618
 
 # No impact in our settings
 CVE-2019-1543`,
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -2844,9 +2862,10 @@ CVE-2019-1543`,
 		{
 			name: "Trivy fs scan command in Standalone mode",
 			config: map[string]string{
-				"trivy.imageRef":                  "docker.io/aquasec/trivy:0.24.2",
+				"trivy.imageRef":                  "docker.io/aquasec/trivy:0.25.2",
 				"trivy.mode":                      string(trivy.Standalone),
 				"trivy.command":                   string(trivy.Filesystem),
+				"trivy.dbRepository":              defaultDBRepository,
 				"trivy.resources.requests.cpu":    "100m",
 				"trivy.resources.requests.memory": "100M",
 				"trivy.resources.limits.cpu":      "500m",
@@ -2888,7 +2907,7 @@ CVE-2019-1543`,
 				InitContainers: []corev1.Container{
 					{
 						Name:                     "00000000-0000-0000-0000-000000000001",
-						Image:                    "docker.io/aquasec/trivy:0.24.2",
+						Image:                    "docker.io/aquasec/trivy:0.25.2",
 						ImagePullPolicy:          corev1.PullIfNotPresent,
 						TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 						Command: []string{
@@ -2917,7 +2936,7 @@ CVE-2019-1543`,
 					},
 					{
 						Name:                     "00000000-0000-0000-0000-000000000002",
-						Image:                    "docker.io/aquasec/trivy:0.24.2",
+						Image:                    "docker.io/aquasec/trivy:0.25.2",
 						ImagePullPolicy:          corev1.PullIfNotPresent,
 						TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
 						Env: []corev1.EnvVar{
@@ -2978,6 +2997,7 @@ CVE-2019-1543`,
 							"--download-db-only",
 							"--cache-dir",
 							"/var/starboard/trivy-db",
+							"--db-repository", defaultDBRepository,
 						},
 						Resources: corev1.ResourceRequirements{
 							Requests: corev1.ResourceList{
@@ -3162,6 +3182,7 @@ CVE-2019-1543`,
 			"trivy.imageRef":                  "docker.io/aquasec/trivy:0.22.0",
 			"trivy.mode":                      string(trivy.Standalone),
 			"trivy.command":                   string(trivy.Filesystem),
+			"trivy.dbRepository":              defaultDBRepository,
 			"trivy.resources.requests.cpu":    "100m",
 			"trivy.resources.requests.memory": "100M",
 			"trivy.resources.limits.cpu":      "500m",
@@ -3294,6 +3315,7 @@ CVE-2019-1543`,
 						"--download-db-only",
 						"--cache-dir",
 						"/var/starboard/trivy-db",
+						"--db-repository", defaultDBRepository,
 					},
 					Resources: corev1.ResourceRequirements{
 						Requests: corev1.ResourceList{