From 9daf7d86aca7c4ceb3fc0fb8cc65b36f970b46c0 Mon Sep 17 00:00:00 2001 From: EricRoux Date: Sat, 8 Oct 2022 01:46:22 +0300 Subject: [PATCH 1/4] add --db-repository options --- helm/harbor-scanner-trivy/templates/statefulset.yaml | 2 ++ helm/harbor-scanner-trivy/values.yaml | 2 ++ pkg/etc/config.go | 1 + pkg/etc/config_test.go | 1 + pkg/trivy/wrapper.go | 4 ++++ pkg/trivy/wrapper_test.go | 3 +++ 6 files changed, 13 insertions(+) diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml index 62588695..4eb82e25 100644 --- a/helm/harbor-scanner-trivy/templates/statefulset.yaml +++ b/helm/harbor-scanner-trivy/templates/statefulset.yaml @@ -69,6 +69,8 @@ spec: value: {{ .Values.scanner.trivy.severity | default "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" | quote }} - name: "SCANNER_TRIVY_IGNORE_UNFIXED" value: {{ .Values.scanner.trivy.ignoreUnfixed | default false | quote }} + - name: "SCANNER_TRIVY_REPOSITORY" + value: {{ .Values.scanner.trivy.repository | default "ghcr.io/aquasecurity/trivy-db" | quote }} - name: "SCANNER_TRIVY_TIMEOUT" value: {{ .Values.scanner.trivy.timeout | quote }} - name: "SCANNER_TRIVY_SKIP_UPDATE" diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml index 1b80f758..d5d9ad32 100644 --- a/helm/harbor-scanner-trivy/values.yaml +++ b/helm/harbor-scanner-trivy/values.yaml @@ -66,6 +66,8 @@ scanner: severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" ## ignoreUnfixed the flag to display only fixed vulnerabilities ignoreUnfixed: false + ## OCI repository to retrieve trivy-db + repository: "ghcr.io/aquasecurity/trivy-db" ## timeout the duration to wait for scan completion timeout: 5m0s ## skipUpdate the flag to enable or disable Trivy DB downloads from GitHub diff --git a/pkg/etc/config.go b/pkg/etc/config.go index 7e1e8219..d4f83d80 100644 --- a/pkg/etc/config.go +++ b/pkg/etc/config.go 
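Review bot: The new `SCANNER_TRIVY_REPOSITORY` entry hard-codes the fallback `ghcr.io/aquasecurity/trivy-db` in the template, while the Go side of the same series (`Repository` in `pkg/etc/config.go`) declares no `envDefault`, so a chart deployment and a hand-configured deployment end up with different effective values for the same setting; keep the default in exactly one place, e.g. `value: {{ .Values.scanner.trivy.repository | quote }}` here with the default moved to the struct tag. The value is handed to trivy as `--db-repository`, i.e. it selects where the vulnerability database is fetched from, so whoever controls this chart value controls the scanner's source of findings; as far as I can see nothing in the series checks or logs it, so at least surface the effective value in the scanner's startup log. The name also reads like an image repository; `SCANNER_TRIVY_DB_REPOSITORY` with a matching `dbRepository` value would match the flag it drives.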
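Review bot: The comment on the new `repository` key should say what the value is used for and what trusting it implies: the scanner pulls its vulnerability DB from this repository, so pointing it at a mirror means every scan result is only as good as that mirror's contents. Suggested comment: `## repository the OCI repository Trivy pulls trivy-db from (passed as --db-repository); a private mirror must be kept in sync and is trusted for all findings`. The adjacent `skipUpdate` comment still says downloads come "from GitHub", which stops being accurate once this key points elsewhere; consider `## skipUpdate the flag to enable or disable Trivy DB downloads from the configured repository`.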
@@ -32,6 +32,7 @@ type Trivy struct { Severity string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"` IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"` IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"` + Repository string `env:"SCANNER_TRIVY_REPOSITORY"` SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"` OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"` GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"` diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go index e3758756..5e0a520e 100644 --- a/pkg/etc/config_test.go +++ b/pkg/etc/config_test.go @@ -155,6 +155,7 @@ func TestGetConfig(t *testing.T) { "SCANNER_TRIVY_SECURITY_CHECKS": "vuln", "SCANNER_TRIVY_SEVERITY": "CRITICAL", "SCANNER_TRIVY_IGNORE_UNFIXED": "true", + "SCANNER_TRIVY_REPOSITORY": "ghcr.io/aquasecurity/trivy-db", "SCANNER_TRIVY_INSECURE": "true", "SCANNER_TRIVY_SKIP_UPDATE": "true", "SCANNER_TRIVY_OFFLINE_SCAN": "true", diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go index 1653b61f..9379934a 100644 --- a/pkg/trivy/wrapper.go +++ b/pkg/trivy/wrapper.go @@ -144,6 +144,10 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm args = append([]string{"--ignore-policy", w.config.IgnorePolicy}, args...) } + if w.config.Repository != "" { + args = append([]string{"--db-repository", w.config.Repository}, args...) + } + name, err := w.ambassador.LookPath(trivyCmd) if err != nil { return nil, err diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go index 04b0d42f..40d98277 100644 --- a/pkg/trivy/wrapper_test.go +++ b/pkg/trivy/wrapper_test.go @@ -98,6 +98,7 @@ func TestWrapper_Scan(t *testing.T) { Severity: "CRITICAL,MEDIUM", IgnoreUnfixed: true, IgnorePolicy: "/home/scanner/opa/policy.rego", + Repository: "ghcr.io/aquasecurity/trivy-db", SkipUpdate: true, GitHubToken: "", Insecure: true, 
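Review bot: `Repository` is added without an `envDefault`, yet the Helm template in the same series defaults the variable to `ghcr.io/aquasecurity/trivy-db`, so anyone loading this config outside the chart gets an empty string and trivy's own built-in default silently applies instead of the value the chart documents. Either add `envDefault:"ghcr.io/aquasecurity/trivy-db"` so behaviour is identical everywhere, or state on the field that empty defers to trivy. The field also needs a doc comment to distinguish it from image repositories: `// Repository is the OCI repository trivy pulls its vulnerability DB from (--db-repository); empty leaves trivy's default in place.` The `Trivy` struct begins above this hunk.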
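Review bot: The new `--db-repository` value goes from an environment variable straight onto the trivy command line with only an empty-string check; because it is an `exec.Cmd` argument there is no shell injection, but a value that is whitespace-only or contains embedded spaces passes the guard and only fails inside trivy, with a less obvious error. Trimming at the check is cheap: `if repo := strings.TrimSpace(w.config.Repository); repo != "" { args = append([]string{"--db-repository", repo}, args...) }` (needs the `strings` import if the file lacks it). Since this flag changes where the scanner's vulnerability data comes from, if `prepareScanCmd` or its caller does not already log the argument list, log the effective repository once so a non-default DB source is visible in scanner logs. `prepareScanCmd` starts and ends outside this hunk.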
@@ -118,6 +119,8 @@ func TestWrapper_Scan(t *testing.T) { "image", "--ignore-policy", "/home/scanner/opa/policy.rego", + "--db-repository", + "ghcr.io/aquasecurity/trivy-db", "--skip-update", "--ignore-unfixed", "--no-progress", From 1020d3c0f16243dae22e62112f5e7a60258f4e88 Mon Sep 17 00:00:00 2001 From: EricRoux Date: Sat, 8 Oct 2022 01:57:41 +0300 Subject: [PATCH 2/4] Updating the indentation --- pkg/etc/config.go | 2 +- pkg/etc/config_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/etc/config.go b/pkg/etc/config.go index d4f83d80..e5ff30ea 100644 --- a/pkg/etc/config.go +++ b/pkg/etc/config.go @@ -32,7 +32,7 @@ type Trivy struct { Severity string `env:"SCANNER_TRIVY_SEVERITY" envDefault:"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"` IgnoreUnfixed bool `env:"SCANNER_TRIVY_IGNORE_UNFIXED" envDefault:"false"` IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"` - Repository string `env:"SCANNER_TRIVY_REPOSITORY"` + Repository string `env:"SCANNER_TRIVY_REPOSITORY"` SkipUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"` OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"` GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"` diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go index 5e0a520e..44cf88ab 100644 --- a/pkg/etc/config_test.go +++ b/pkg/etc/config_test.go @@ -155,7 +155,7 @@ func TestGetConfig(t *testing.T) { "SCANNER_TRIVY_SECURITY_CHECKS": "vuln", "SCANNER_TRIVY_SEVERITY": "CRITICAL", "SCANNER_TRIVY_IGNORE_UNFIXED": "true", - "SCANNER_TRIVY_REPOSITORY": "ghcr.io/aquasecurity/trivy-db", + "SCANNER_TRIVY_REPOSITORY": "ghcr.io/aquasecurity/trivy-db", "SCANNER_TRIVY_INSECURE": "true", "SCANNER_TRIVY_SKIP_UPDATE": "true", "SCANNER_TRIVY_OFFLINE_SCAN": "true", From ddba75981f4316e7e1b88e20d243cbbcd4850309 Mon Sep 17 00:00:00 2001 
From: EricRoux <61687153+EricRoux@users.noreply.github.com> Date: Tue, 11 Oct 2022 15:24:02 +0300 Subject: [PATCH 3/4] Changing the sequence of arguments for unit tests --- pkg/trivy/wrapper.go | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go index 9379934a..d917530d 100644 --- a/pkg/trivy/wrapper.go +++ b/pkg/trivy/wrapper.go @@ -140,13 +140,13 @@ func (w *wrapper) prepareScanCmd(imageRef ImageRef, outputFile string) (*exec.Cm args = append([]string{"--offline-scan"}, args...) } - if w.config.IgnorePolicy != "" { - args = append([]string{"--ignore-policy", w.config.IgnorePolicy}, args...) - } - if w.config.Repository != "" { args = append([]string{"--db-repository", w.config.Repository}, args...) } + + if w.config.IgnorePolicy != "" { + args = append([]string{"--ignore-policy", w.config.IgnorePolicy}, args...) + } name, err := w.ambassador.LookPath(trivyCmd) if err != nil { From b72ce9a3ae9e41ee07cdf935f0ec83367d7faf2e Mon Sep 17 00:00:00 2001 From: EricRoux <61687153+EricRoux@users.noreply.github.com> Date: Thu, 20 Oct 2022 02:23:39 +0300 Subject: [PATCH 4/4] Changing the value of argument for unit tests --- pkg/etc/config_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go index 44cf88ab..3a5d4cba 100644 --- a/pkg/etc/config_test.go +++ b/pkg/etc/config_test.go @@ -155,7 +155,7 @@ func TestGetConfig(t *testing.T) { "SCANNER_TRIVY_SECURITY_CHECKS": "vuln", "SCANNER_TRIVY_SEVERITY": "CRITICAL", "SCANNER_TRIVY_IGNORE_UNFIXED": "true", - "SCANNER_TRIVY_REPOSITORY": "ghcr.io/aquasecurity/trivy-db", + "SCANNER_TRIVY_REPOSITORY": "", "SCANNER_TRIVY_INSECURE": "true", "SCANNER_TRIVY_SKIP_UPDATE": "true", "SCANNER_TRIVY_OFFLINE_SCAN": "true",
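Review bot: Because every option block prepends to `args`, the order of these `if` blocks is the reverse of the order the flags appear on the command line, which is what this swap had to work around and what the next person adding a flag will trip over again; make the invariant explicit with a comment above the first block: `// each block prepends, so later blocks appear earlier on the command line`. Longer term, appending the flags in a fixed order (rather than prepending) would remove the dependence on block order altogether. `prepareScanCmd` starts and ends outside this hunk, so I cannot see how `args` is seeded.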
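Review bot: Setting `SCANNER_TRIVY_REPOSITORY` to `""` makes this case indistinguishable from not setting the variable at all, so `TestGetConfig` no longer exercises the new field; presumably this was done because the expected `Trivy` value (outside this hunk) was never updated and the assertion failed. Restore `"SCANNER_TRIVY_REPOSITORY": "ghcr.io/aquasecurity/trivy-db",` here and add `Repository: "ghcr.io/aquasecurity/trivy-db",` to the expected struct instead. If the unset case is also worth covering, add a second case rather than weakening this one.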