From f2a616015c4d7203a209963ed5a003852f05036f Mon Sep 17 00:00:00 2001 From: Sashi Kumar Date: Wed, 23 Mar 2022 21:01:21 +0530 Subject: [PATCH 1/6] feat(trivy): Add dbRepository flag to get advisory database from OCI registry --- deploy/helm/templates/config.yaml | 1 + deploy/helm/values.yaml | 2 ++ pkg/plugin/trivy/plugin.go | 11 +++++++++++ pkg/plugin/trivy/plugin_test.go | 30 +++++++++++++++++++++++++----- 4 files changed, 39 insertions(+), 5 deletions(-) diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml index 7bd551128..80cdb59a4 100644 --- a/deploy/helm/templates/config.yaml +++ b/deploy/helm/templates/config.yaml @@ -60,6 +60,7 @@ data: trivy.nonSslRegistry.{{ $key }}: {{ $registry | quote }} {{- end }} trivy.severity: {{ .severity | quote }} + trivy.dbRepository: {{ .dbRepository | quote }} {{- if .ignoreUnfixed }} trivy.ignoreUnfixed: {{ .ignoreUnfixed | quote }} {{- end }} diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index 0a9cd39c9..f619fbc6c 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -173,6 +173,8 @@ trivy: # # serverCustomHeaders: "foo=bar" + dbRepository: "ghcr.io/aquasecurity/trivy-db" + kubeBench: imageRef: docker.io/aquasec/kube-bench:v0.6.5 diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go index 73c42b00e..86ef365bc 100644 --- a/pkg/plugin/trivy/plugin.go +++ b/pkg/plugin/trivy/plugin.go @@ -43,6 +43,7 @@ const ( keyTrivyGitHubToken = "trivy.githubToken" keyTrivySkipFiles = "trivy.skipFiles" keyTrivySkipDirs = "trivy.skipDirs" + keyTrivyDBRepository = "trivy.dbRepository" keyTrivyServerURL = "trivy.serverURL" keyTrivyServerTokenHeader = "trivy.serverTokenHeader" 
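Review bot: The new `trivy.dbRepository` line in the config.yaml template is emitted unconditionally, unlike the neighbouring `trivy.ignoreUnfixed` entry which is wrapped in `{{- if .ignoreUnfixed }}`, so a values override that omits `dbRepository` renders `trivy.dbRepository: ""` into the ConfigMap. That empty string is then what the plugin hands to Trivy as `--db-repository`, which looks like it would make the init container fail at the database download rather than fall back to the default. Guarding the line with `{{- if .dbRepository }}` / `{{- end }}` would keep the default behaviour for such overrides.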
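Review bot: The new `dbRepository` key in values.yaml has no description, while the surrounding trivy settings each carry a `#` comment explaining what they control. A line such as `# dbRepository is the OCI repository from which Trivy downloads its vulnerability database.` above it would tell operators what this value selects, since it decides which remote source the scanner trusts for advisory data.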
@@ -211,6 +212,11 @@ func (c Config) setResourceLimit(configKey string, k8sResourceList *corev1.Resou return nil } +func (c Config) GetDBRepository() string { + dbRepository, _ := c.GetRequiredData(keyTrivyDBRepository) + return dbRepository +} + type plugin struct { clock ext.Clock idGenerator ext.IDGenerator @@ -244,6 +250,7 @@ func (p *plugin) Init(ctx starboard.PluginContext) error { keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", keyTrivyMode: string(Standalone), keyTrivyTimeout: "5m0s", + keyTrivyDBRepository: "ghcr.io/aquasecurity/trivy-db", keyResourcesRequestsCPU: "100m", keyResourcesRequestsMemory: "100M", @@ -411,6 +418,8 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config "/tmp/trivy/.cache", "image", "--download-db-only", + "--db-repository", + config.GetDBRepository(), }, Resources: requirements, VolumeMounts: []corev1.VolumeMount{ @@ -1046,6 +1055,8 @@ func (p *plugin) getPodSpecForStandaloneFSMode(ctx starboard.PluginContext, conf "--download-db-only", "--cache-dir", "/var/starboard/trivy-db", + "--db-repository", + config.GetDBRepository(), }, Resources: requirements, VolumeMounts: volumeMounts, diff --git a/pkg/plugin/trivy/plugin_test.go b/pkg/plugin/trivy/plugin_test.go index 5fc9c05fa..e1d5793c7 100644 --- a/pkg/plugin/trivy/plugin_test.go +++ b/pkg/plugin/trivy/plugin_test.go @@ -196,6 +196,7 @@ func TestConfig_GetResourceRequirements(t *testing.T) { config: trivy.Config{ PluginConfig: starboard.PluginConfig{ Data: map[string]string{ + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "800m", "trivy.resources.requests.memory": "200M", "trivy.resources.limits.cpu": "600m", 
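Review bot: `GetDBRepository` is a new exported method on `Config` with no doc comment, and as written it discards the error from `GetRequiredData` (the later commit in this series changes the signature to return it, so only the comment is still open). A comment along the lines of `// GetDBRepository returns the value of trivy.dbRepository, the OCI repository Trivy downloads its vulnerability database from.` would document the contract. Note that the returned value goes straight into the init container's command line in the two `getPodSpecForStandalone*` hunks below; if `GetRequiredData` only checks that the key exists, an empty value in the ConfigMap still reaches Trivy as `--db-repository ""`, so a `dbRepository == ""` check here would be a cheap guard.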
@@ -470,10 +471,11 @@ func TestPlugin_Init(t *testing.T) { ResourceVersion: "1", }, Data: map[string]string{ - "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", - "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", - "trivy.mode": "Standalone", - "trivy.timeout": "5m0s", + "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", + "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", + "trivy.mode": "Standalone", + "trivy.timeout": "5m0s", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", @@ -582,7 +584,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { config: map[string]string{ "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), - + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -682,6 +684,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -834,6 +837,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), "trivy.insecureRegistry.pocRegistry": "poc.myregistry.harbor.com.pl", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", @@ -928,6 +932,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
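Review bot: Every `TestPlugin_GetScanJobSpec` case in this and the following hunks sets `trivy.dbRepository` to the same default value that `Init` writes, so the tests cannot tell whether the configured value or a hard-coded one ends up in the container args. One additional case with a non-default repository (e.g. a constructed `"registry.example.test/mirror/trivy-db"`) that asserts the `--db-repository` argument pair in the expected `Command` would prove the value actually flows from the ConfigMap. A case with the key absent would also pin whether `GetRequiredData` is expected to fail the job spec or not.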
@@ -1084,6 +1089,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), "trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -1178,6 +1184,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1338,6 +1345,7 @@ CVE-2018-14618 # No impact in our settings CVE-2019-1543`, + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -1448,6 +1456,7 @@ CVE-2019-1543`, "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1609,6 +1618,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -1706,6 +1716,7 @@ CVE-2019-1543`, "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ 
@@ -1858,6 +1869,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "http://trivy.trivy:4954", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2047,6 +2059,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "http://trivy.trivy:4954", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2237,6 +2250,7 @@ CVE-2019-1543`, "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "https://trivy.trivy:4954", "trivy.serverInsecure": "true", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2431,6 +2445,7 @@ CVE-2019-1543`, "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "http://trivy.trivy:4954", "trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl", + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2629,6 +2644,7 @@ CVE-2018-14618 # No impact in our settings CVE-2019-1543`, + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", 
@@ -2847,6 +2863,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", "trivy.mode": string(trivy.Standalone), "trivy.command": string(trivy.Filesystem), + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2978,6 +2995,7 @@ CVE-2019-1543`, "--download-db-only", "--cache-dir", "/var/starboard/trivy-db", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3162,6 +3180,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.22.0", "trivy.mode": string(trivy.Standalone), "trivy.command": string(trivy.Filesystem), + "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -3294,6 +3313,7 @@ CVE-2019-1543`, "--download-db-only", "--cache-dir", "/var/starboard/trivy-db", + "--db-repository", "ghcr.io/aquasecurity/trivy-db", }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ From aaf6bb1fd396debaa74eee2d8a0a76c4fc743bed Mon Sep 17 00:00:00 2001 From: Sashi Date: Mon, 28 Mar 2022 22:46:56 +0530 Subject: [PATCH 2/6] Review comment: Use err in GetDBRepository --- pkg/plugin/trivy/plugin.go | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go index 86ef365bc..be56bc752 100644 --- a/pkg/plugin/trivy/plugin.go +++ b/pkg/plugin/trivy/plugin.go @@ -57,6 +57,8 @@ const ( keyResourcesLimitsMemory = "trivy.resources.limits.memory" ) +const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db" + // Mode in which Trivy client operates. type Mode string 
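Review bot: The new package-level `defaultDBRepository` constant has no comment saying what it is the default for, and the same literal still appears verbatim in the Helm values, the static manifests and (after the next commit) the test file. A comment such as `// defaultDBRepository is the value Init writes for trivy.dbRepository when no repository is configured.` would anchor the meaning; whether the Helm and static copies could be derived from it is outside this file, but worth a note in the PR so they do not drift.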
@@ -212,9 +214,8 @@ func (c Config) setResourceLimit(configKey string, k8sResourceList *corev1.Resou return nil } -func (c Config) GetDBRepository() string { - dbRepository, _ := c.GetRequiredData(keyTrivyDBRepository) - return dbRepository +func (c Config) GetDBRepository() (string, error) { + return c.GetRequiredData(keyTrivyDBRepository) } type plugin struct { @@ -250,7 +251,7 @@ func (p *plugin) Init(ctx starboard.PluginContext) error { keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", keyTrivyMode: string(Standalone), keyTrivyTimeout: "5m0s", - keyTrivyDBRepository: "ghcr.io/aquasecurity/trivy-db", + keyTrivyDBRepository: defaultDBRepository, keyResourcesRequestsCPU: "100m", keyResourcesRequestsMemory: "100M", @@ -350,6 +351,11 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config trivyConfigName := starboard.GetPluginConfigMapName(Plugin) + dbRepository, err := config.GetDBRepository() + if err != nil { + return corev1.PodSpec{}, nil, err + } + requirements, err := config.GetResourceRequirements() if err != nil { return corev1.PodSpec{}, nil, err @@ -419,7 +425,7 @@ func (p *plugin) getPodSpecForStandaloneMode(ctx starboard.PluginContext, config "image", "--download-db-only", "--db-repository", - config.GetDBRepository(), + dbRepository, }, Resources: requirements, VolumeMounts: []corev1.VolumeMount{ @@ -998,6 +1004,11 @@ func (p *plugin) getPodSpecForStandaloneFSMode(ctx starboard.PluginContext, conf trivyConfigName := starboard.GetPluginConfigMapName(Plugin) + dbRepository, err := config.GetDBRepository() + if err != nil { + return corev1.PodSpec{}, nil, err + } + requirements, err := config.GetResourceRequirements() if err != nil { return corev1.PodSpec{}, nil, err 
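Review bot: `GetDBRepository` now returns the error correctly, but it still has no doc comment, and the value is accepted as-is before being placed in the scan job's command line in the `getPodSpecForStandaloneMode` and `getPodSpecForStandaloneFSMode` hunks below (both functions begin and end outside these hunks). Since this ConfigMap value decides which remote repository the scanner pulls its vulnerability database from, it would be reasonable to reject an empty string here, e.g. `if dbRepository == "" { return "", fmt.Errorf("property %s must not be empty", keyTrivyDBRepository) }` between the `GetRequiredData` call and the return, assuming `GetRequiredData` only checks key presence. A one-line comment stating that the value is only consulted in Standalone modes would also help, as the ClientServer path does not read it.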
@@ -1056,7 +1067,7 @@ func (p *plugin) getPodSpecForStandaloneFSMode(ctx starboard.PluginContext, conf "--cache-dir", "/var/starboard/trivy-db", "--db-repository", - config.GetDBRepository(), + dbRepository, }, Resources: requirements, VolumeMounts: volumeMounts, From 35fd6da7f0cbb856eff3f625a50adf7f435e102e Mon Sep 17 00:00:00 2001 From: Sashi Date: Tue, 5 Apr 2022 11:57:26 +0530 Subject: [PATCH 3/6] Review comment: Use defaultDBRepository const in test --- pkg/plugin/trivy/plugin_test.go | 44 +++++++++++++++++---------------- 1 file changed, 23 insertions(+), 21 deletions(-) diff --git a/pkg/plugin/trivy/plugin_test.go b/pkg/plugin/trivy/plugin_test.go index e1d5793c7..b39e99ea4 100644 --- a/pkg/plugin/trivy/plugin_test.go +++ b/pkg/plugin/trivy/plugin_test.go @@ -29,6 +29,8 @@ var ( fixedClock = ext.NewFixedClock(fixedTime) ) +const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db" + func TestConfig_GetImageRef(t *testing.T) { testCases := []struct { name string @@ -196,7 +198,7 @@ func TestConfig_GetResourceRequirements(t *testing.T) { config: trivy.Config{ PluginConfig: starboard.PluginConfig{ Data: map[string]string{ - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "800m", "trivy.resources.requests.memory": "200M", "trivy.resources.limits.cpu": "600m", @@ -475,7 +477,7 @@ func TestPlugin_Init(t *testing.T) { "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "trivy.mode": "Standalone", "trivy.timeout": "5m0s", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", 
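Review bot: The test file now declares its own `const defaultDBRepository` with the same literal as the unexported constant in plugin.go, so the two can silently diverge and the test would keep passing against whatever value it defines for itself. Exporting the constant from the plugin package (for example `trivy.DefaultDBRepository`) and using it here would keep one source of truth, matching how the tests already reference `trivy.Standalone` and `trivy.Filesystem` rather than re-spelling those strings.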
@@ -584,7 +586,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { config: map[string]string{ "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -684,7 +686,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -837,7 +839,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), "trivy.insecureRegistry.pocRegistry": "poc.myregistry.harbor.com.pl", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", @@ -932,7 +934,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1089,7 +1091,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), "trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", 
@@ -1184,7 +1186,7 @@ func TestPlugin_GetScanJobSpec(t *testing.T) { "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1345,7 +1347,7 @@ CVE-2018-14618 # No impact in our settings CVE-2019-1543`, - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -1456,7 +1458,7 @@ CVE-2019-1543`, "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1618,7 +1620,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.Standalone), - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -1716,7 +1718,7 @@ CVE-2019-1543`, "--cache-dir", "/tmp/trivy/.cache", "image", "--download-db-only", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -1869,7 +1871,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "http://trivy.trivy:4954", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", 
@@ -2059,7 +2061,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.14.0", "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "http://trivy.trivy:4954", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2250,7 +2252,7 @@ CVE-2019-1543`, "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "https://trivy.trivy:4954", "trivy.serverInsecure": "true", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2445,7 +2447,7 @@ CVE-2019-1543`, "trivy.mode": string(trivy.ClientServer), "trivy.serverURL": "http://trivy.trivy:4954", "trivy.nonSslRegistry.pocRegistry": "poc.myregistry.harbor.com.pl", - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2644,7 +2646,7 @@ CVE-2018-14618 # No impact in our settings CVE-2019-1543`, - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -2863,7 +2865,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", "trivy.mode": string(trivy.Standalone), "trivy.command": string(trivy.Filesystem), - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", 
@@ -2995,7 +2997,7 @@ CVE-2019-1543`, "--download-db-only", "--cache-dir", "/var/starboard/trivy-db", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ @@ -3180,7 +3182,7 @@ CVE-2019-1543`, "trivy.imageRef": "docker.io/aquasec/trivy:0.22.0", "trivy.mode": string(trivy.Standalone), "trivy.command": string(trivy.Filesystem), - "trivy.dbRepository": "ghcr.io/aquasecurity/trivy-db", + "trivy.dbRepository": defaultDBRepository, "trivy.resources.requests.cpu": "100m", "trivy.resources.requests.memory": "100M", "trivy.resources.limits.cpu": "500m", @@ -3313,7 +3315,7 @@ CVE-2019-1543`, "--download-db-only", "--cache-dir", "/var/starboard/trivy-db", - "--db-repository", "ghcr.io/aquasecurity/trivy-db", + "--db-repository", defaultDBRepository, }, Resources: corev1.ResourceRequirements{ Requests: corev1.ResourceList{ From 32885d41901abb022632f867fbf52cc96bc2f852 Mon Sep 17 00:00:00 2001 From: Sashi Date: Tue, 5 Apr 2022 22:57:34 +0530 Subject: [PATCH 4/6] Update trivy version to 0.25.2 --- deploy/helm/values.yaml | 2 +- deploy/static/03-starboard-operator.config.yaml | 2 +- deploy/static/starboard.yaml | 2 +- docs/vulnerability-scanning/trivy.md | 2 +- pkg/plugin/trivy/plugin.go | 2 +- pkg/plugin/trivy/plugin_test.go | 12 ++++++------ 6 files changed, 11 insertions(+), 11 deletions(-) diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml index f0a4f8631..966a82bcc 100644 --- a/deploy/helm/values.yaml +++ b/deploy/helm/values.yaml @@ -100,7 +100,7 @@ trivy: createConfig: true # imageRef the Trivy image reference. - imageRef: docker.io/aquasec/trivy:0.24.2 + imageRef: docker.io/aquasec/trivy:0.25.2 # mode is the Trivy client mode. Either Standalone or ClientServer. Depending # on the active mode other settings might be applicable or required. 
diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml index 86f509fd3..9f352cd3d 100644 --- a/deploy/static/03-starboard-operator.config.yaml +++ b/deploy/static/03-starboard-operator.config.yaml @@ -47,7 +47,7 @@ metadata: app.kubernetes.io/version: "0.15.1" app.kubernetes.io/managed-by: kubectl data: - trivy.imageRef: "docker.io/aquasec/trivy:0.24.2" + trivy.imageRef: "docker.io/aquasec/trivy:0.25.2" trivy.mode: "Standalone" trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.timeout: "5m0s" diff --git a/deploy/static/starboard.yaml b/deploy/static/starboard.yaml index df106b303..6402e3bc9 100644 --- a/deploy/static/starboard.yaml +++ b/deploy/static/starboard.yaml @@ -821,7 +821,7 @@ metadata: app.kubernetes.io/version: "0.15.1" app.kubernetes.io/managed-by: kubectl data: - trivy.imageRef: "docker.io/aquasec/trivy:0.24.2" + trivy.imageRef: "docker.io/aquasec/trivy:0.25.2" trivy.mode: "Standalone" trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.timeout: "5m0s" diff --git a/docs/vulnerability-scanning/trivy.md b/docs/vulnerability-scanning/trivy.md index f666a0e73..aabfde1d6 100644 --- a/docs/vulnerability-scanning/trivy.md +++ b/docs/vulnerability-scanning/trivy.md 
@@ -82,7 +82,7 @@ EOF | CONFIGMAP KEY | DEFAULT | DESCRIPTION | |------------------------------------|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `trivy.imageRef` | `docker.io/aquasec/trivy:0.24.2` | Trivy image reference | +| `trivy.imageRef` | `docker.io/aquasec/trivy:0.25.2` | Trivy image reference | | `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. | | `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy | | `trivy.ignoreUnfixed` | N/A | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. | diff --git a/pkg/plugin/trivy/plugin.go b/pkg/plugin/trivy/plugin.go index a86fdd135..045b0643f 100644 --- a/pkg/plugin/trivy/plugin.go +++ b/pkg/plugin/trivy/plugin.go @@ -247,7 +247,7 @@ func NewPlugin(clock ext.Clock, idGenerator ext.IDGenerator, client client.Clien func (p *plugin) Init(ctx starboard.PluginContext) error { return ctx.EnsureConfig(starboard.PluginConfig{ Data: map[string]string{ - keyTrivyImageRef: "docker.io/aquasec/trivy:0.24.2", + keyTrivyImageRef: "docker.io/aquasec/trivy:0.25.2", keyTrivySeverity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", keyTrivyMode: string(Standalone), keyTrivyTimeout: "5m0s", diff --git a/pkg/plugin/trivy/plugin_test.go b/pkg/plugin/trivy/plugin_test.go index b39e99ea4..6c3c50073 100644 --- a/pkg/plugin/trivy/plugin_test.go +++ b/pkg/plugin/trivy/plugin_test.go 
@@ -473,7 +473,7 @@ func TestPlugin_Init(t *testing.T) { ResourceVersion: "1", }, Data: map[string]string{ - "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", + "trivy.imageRef": "docker.io/aquasec/trivy:0.25.2", "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "trivy.mode": "Standalone", "trivy.timeout": "5m0s", @@ -500,7 +500,7 @@ func TestPlugin_Init(t *testing.T) { ResourceVersion: "1", }, Data: map[string]string{ - "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", + "trivy.imageRef": "docker.io/aquasec/trivy:0.25.2", "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "trivy.mode": "Standalone", }, @@ -534,7 +534,7 @@ func TestPlugin_Init(t *testing.T) { ResourceVersion: "1", }, Data: map[string]string{ - "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", + "trivy.imageRef": "docker.io/aquasec/trivy:0.25.2", "trivy.severity": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL", "trivy.mode": "Standalone", }, @@ -2862,7 +2862,7 @@ CVE-2019-1543`, { name: "Trivy fs scan command in Standalone mode", config: map[string]string{ - "trivy.imageRef": "docker.io/aquasec/trivy:0.24.2", + "trivy.imageRef": "docker.io/aquasec/trivy:0.25.2", "trivy.mode": string(trivy.Standalone), "trivy.command": string(trivy.Filesystem), "trivy.dbRepository": defaultDBRepository, @@ -2907,7 +2907,7 @@ CVE-2019-1543`, InitContainers: []corev1.Container{ { Name: "00000000-0000-0000-0000-000000000001", - Image: "docker.io/aquasec/trivy:0.24.2", + Image: "docker.io/aquasec/trivy:0.25.2", ImagePullPolicy: corev1.PullIfNotPresent, TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError, Command: []string{ @@ -2936,7 +2936,7 @@ CVE-2019-1543`, }, { Name: "00000000-0000-0000-0000-000000000002", - Image: "docker.io/aquasec/trivy:0.24.2", + Image: "docker.io/aquasec/trivy:0.25.2", ImagePullPolicy: corev1.PullIfNotPresent, TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError, Env: []corev1.EnvVar{ From 5ffe0e1dd0541d9133bba241686996252e21d653 Mon Sep 17 00:00:00 2001 
From: Sashi Date: Wed, 6 Apr 2022 11:36:59 +0530 Subject: [PATCH 5/6] Update version in test matcher --- itest/matcher/matcher.go | 2 +- itest/matcher/matcher_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/itest/matcher/matcher.go b/itest/matcher/matcher.go index d045f1ac7..c5ac8c656 100644 --- a/itest/matcher/matcher.go +++ b/itest/matcher/matcher.go @@ -21,7 +21,7 @@ var ( trivyScanner = v1alpha1.Scanner{ Name: "Trivy", Vendor: "Aqua Security", - Version: "0.24.2", + Version: "0.25.2", } builtInScanner = v1alpha1.Scanner{ Name: "Starboard", diff --git a/itest/matcher/matcher_test.go b/itest/matcher/matcher_test.go index 0a48cccdd..f16385545 100644 --- a/itest/matcher/matcher_test.go +++ b/itest/matcher/matcher_test.go @@ -57,7 +57,7 @@ func TestVulnerabilityReportMatcher(t *testing.T) { Scanner: v1alpha1.Scanner{ Name: "Trivy", Vendor: "Aqua Security", - Version: "0.24.2", + Version: "0.25.2", }, Vulnerabilities: []v1alpha1.Vulnerability{}, }, From 942fc57b4b7752e90e7cecda0e9eddabc8066be8 Mon Sep 17 00:00:00 2001 From: Sashi Date: Thu, 7 Apr 2022 23:10:23 +0530 Subject: [PATCH 6/6] Update docs and add dbRepository to yaml values --- deploy/static/03-starboard-operator.config.yaml | 1 + deploy/static/starboard.yaml | 1 + docs/vulnerability-scanning/trivy.md | 1 + 3 files changed, 3 insertions(+) diff --git a/deploy/static/03-starboard-operator.config.yaml b/deploy/static/03-starboard-operator.config.yaml index dfd4dba02..22f059db4 100644 --- a/deploy/static/03-starboard-operator.config.yaml +++ b/deploy/static/03-starboard-operator.config.yaml @@ -52,6 +52,7 @@ data: trivy.mode: "Standalone" trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.timeout: "5m0s" + trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" trivy.resources.requests.cpu: 100m trivy.resources.requests.memory: 100M trivy.resources.limits.cpu: 500m diff --git a/deploy/static/starboard.yaml b/deploy/static/starboard.yaml index a646c3a3a..37206fb82 100644 
--- a/deploy/static/starboard.yaml +++ b/deploy/static/starboard.yaml @@ -826,6 +826,7 @@ data: trivy.mode: "Standalone" trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" trivy.timeout: "5m0s" + trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db" trivy.resources.requests.cpu: 100m trivy.resources.requests.memory: 100M trivy.resources.limits.cpu: 500m diff --git a/docs/vulnerability-scanning/trivy.md b/docs/vulnerability-scanning/trivy.md index aabfde1d6..f7bbc6084 100644 --- a/docs/vulnerability-scanning/trivy.md +++ b/docs/vulnerability-scanning/trivy.md @@ -83,6 +83,7 @@ EOF | CONFIGMAP KEY | DEFAULT | DESCRIPTION | |------------------------------------|------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------| | `trivy.imageRef` | `docker.io/aquasec/trivy:0.25.2` | Trivy image reference | +| `trivy.dbRepository` | `ghcr.io/aquasecurity/trivy-db` | External OCI Registry to download the vulnerability database | | `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. | | `trivy.severity` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | A comma separated list of severity levels reported by Trivy | | `trivy.ignoreUnfixed` | N/A | Whether to show only fixed vulnerabilities in vulnerabilities reported by Trivy. Set to `"true"` to enable it. |