
The distribution version of trivy with Wind River specific patch.


Wind-River/wr-trivy-dist


Introduction

This file documents the steps to install and run trivy that supports Wind River Linux.

There are two methods to install and run trivy that supports Wind River Linux. Either method can be used, though the steps to run trivy are different for each method of installation.

The docker image is

WARNING: This file is written and verified for hosts running Ubuntu 20.04 LTS or Ubuntu 22.04 LTS as the operating system (OS). If the host runs any other OS distribution, the information provided in this file might not be accurate.

WARNING: Trivy (e.g. v0.56.2) requires Go v1.22.

Method 1: Installing and Running trivy as a Binary on Host

Prerequisite Packages and Applications on Host

Please install the following packages on the local host before attempting installation.

build-essential
git

Please install the Go Programming Language following the instructions on the official Go website: Download and install - The Go Programming Language.

Steps to Install

To install on the host, execute the following commands:

$ git clone https://github.com/Wind-River/wr-trivy-dist.git
$ cd wr-trivy-dist
$ ./setup.sh install

Steps to Run

The binary is located at:

{path to wr-trivy-dist repo}/trivy/trivy

where {path to wr-trivy-dist repo} is the path to the directory that contains the clone of wr-trivy-dist repository as described in section Steps to Install.

Command to run trivy scan on a Docker image:

$ {path to wr-trivy-dist repo}/trivy/trivy image {Docker image reference}

where {Docker image reference} is a reference to a Docker image listed in the output of the command $ docker image list.

Example command to run trivy scan on a Docker image:

$ {path to wr-trivy-dist repo}/trivy/trivy image windriver/wrlx-image:latest

Steps to Update Database

To update the CVE database, execute the following commands:

$ cd {path to wr-trivy-dist repo}
$ ./setup.sh update_db

Note that {path to wr-trivy-dist repo} is the path to the directory that contains the clone of wr-trivy-dist repository as described in section Steps to Install.

Changes to the File System

TBD

Method 2: Installing trivy using Docker Image

Prerequisite Packages and Applications on Host

TBD

Steps to Install

$ git clone https://github.com/Wind-River/wr-trivy-dist.git
$ cd wr-trivy-dist
$ docker build -t wr-trivy .

Steps to Run

$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock wr-trivy:latest trivy image {Docker image reference on host}

WARNING: Access to the host's Docker images is achieved by bind-mounting the socket /var/run/docker.sock, which the Docker daemon listens on, to a file in the container. This is a huge security risk, as such a binding grants root access on the host to the Docker containers spawned from this image.
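
One way to scan without mounting the socket, added here as an example and not part of the wr-trivy-dist repository: export the image to a tar archive on the host and pass it to the container read-only. It assumes the wr-trivy image keeps upstream Trivy's `--input` option; the function names, the `DRY_RUN` switch and the `/scan/image.tar` path are illustrative.

```shell
#!/bin/sh
# Added example, not part of wr-trivy-dist: scan an image without mounting
# /var/run/docker.sock into the scanner container.
# Assumption: the wr-trivy image keeps upstream Trivy's `--input` option.
# Usage: scan_without_socket windriver/wrlx-image:latest

# With DRY_RUN=1, print each command instead of executing it.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only characters that occur in image references, and refuse a
# leading '-' so the value can never be parsed as a docker option.
valid_ref() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9._/:@-]*) return 1 ;;
    esac
    return 0
}

scan_without_socket() {
    ref=$1
    if ! valid_ref "$ref"; then
        echo "invalid image reference: $ref" >&2
        return 2
    fi
    workdir=$(mktemp -d) || return 1
    tarball=$workdir/image.tar
    status=0
    # Export on the host, where the caller already has Docker access.
    run docker save -o "$tarball" "$ref" || status=$?
    if [ "$status" -eq 0 ]; then
        # The container sees one read-only file and no daemon socket.
        run docker run --rm \
            -v "$tarball:/scan/image.tar:ro" \
            wr-trivy:latest trivy image --input /scan/image.tar || status=$?
    fi
    rm -rf "$workdir"
    return "$status"
}
```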

Steps to Update Database

TBD

Changes to the File System

TBD

Legal Notices

Disclaimer of Warranty / No Support: Wind River does not provide support and maintenance services for this software, under Wind River’s standard Software Support and Maintenance Agreement or otherwise. Unless required by applicable law, Wind River provides the software (and each contributor provides its contribution) on an “AS IS” BASIS, WITHOUT WARRANTIES OF ANY KIND, either express or implied, including, without limitation, any warranties of TITLE, NONINFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the software and assume any risks associated with your exercise of permissions under the license.
