
fix(adapters): Revert new adapters #1302

Merged
merged 5 commits into from
May 4, 2023

Conversation

simar7
Member

@simar7 simar7 commented May 3, 2023

The newly added adapters require a MAJOR policy bundle update so that they can work with older versions of Trivy.

Without a new MAJOR policy bundle update, the following issue will happen: aquasecurity/trivy#4124

The plan is to merge all adapters at once (for all new AWS services at least), when they are all ready. At that point we will bump the MAJOR policy bundle version as per short term proposal idea described in this proposal here: aquasecurity/trivy#4134

@simar7 simar7 self-assigned this May 3, 2023
@simar7 simar7 marked this pull request as ready for review May 3, 2023 22:55
@simar7 simar7 requested a review from giorod3 as a code owner May 3, 2023 22:55
@simar7 simar7 requested a review from knqyf263 May 3, 2023 22:57
@simar7
Member Author

simar7 commented May 3, 2023

Hi @knqyf263 - if you have time, could you help me test this? Below are the instructions to test:

  1. Run a local docker registry to push the bundle to:
     docker run -it --rm -p 5000:5000 registry
  2. Create a policy bundle with this branch. You can use the following operations:
     rm -rf bundle bundle.tar.gz && make bundle && oras push localhost:5000/defsec:1 --config /dev/null:application/vnd.cncf.openpolicyagent.config.v1+json bundle.tar.gz:application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip
  3. Build an "old" version of Trivy (anything works, I selected the v0.40.0 tag), and build it with the following patch:
diff --git a/pkg/policy/policy.go b/pkg/policy/policy.go
index 19d27bd34..1e4c3076b 100644
--- a/pkg/policy/policy.go
+++ b/pkg/policy/policy.go
@@ -18,8 +18,10 @@ import (
 )
 
 const (
-       bundleVersion    = 0 // Latest released MAJOR version for defsec
-       bundleRepository = "ghcr.io/aquasecurity/defsec"
+       bundleVersion    = 1 // Latest released MAJOR version for defsec
+       bundleRepository = "localhost:5000/defsec"
        policyMediaType  = "application/vnd.cncf.openpolicyagent.layer.v1.tar+gzip"
        updateInterval   = 24 * time.Hour
 )
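Review bot: the two `+` lines in this hunk are test-only settings and must not end up in a commit: `bundleRepository = "localhost:5000/defsec"` points the policy downloader at a plaintext local registry instead of `ghcr.io/aquasecurity/defsec`, and `bundleVersion = 1` only resolves because the bundle is pushed as `localhost:5000/defsec:1` in step 2 of the instructions above. Suggest applying it on a throwaway branch and confirming that `git diff pkg/policy/policy.go` is empty before anything is pushed; the comment text `// Latest released MAJOR version for defsec` should also be left untouched so the real constant keeps its meaning when the patch is dropped.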

     Build with mage build as normal after applying this patch.
  4. Run Trivy as follows:
     rm -rf ~/Library/Caches/trivy/ && ~/repos/trivy/trivy --debug config .

where trivy is the locally built binary from step 2. The above should clear the policy bundle on disk, download a locally built one from step 1, complete the scan, and not throw any errors.

@knqyf263
Contributor

knqyf263 commented May 4, 2023

I confirmed it worked.

$ rm -rf ~/Library/Caches/trivy/policy/content/policies
$ make bundle
$ tar xvf bundle.tar.gz -C ~/Library/Caches/trivy/policy/content 
$ trivy config .

@simar7 simar7 merged commit 8eed0d2 into master May 4, 2023
@simar7 simar7 deleted the revert-adapters branch May 4, 2023 23:20