plugin.yaml differs with release version #570

Open
fwiedmann opened this issue Mar 20, 2023 · 2 comments

@fwiedmann

Hey hey ! 😄

In our current Aqua setup we build a custom trivy image with the aqua plugin included.
For installing the plugin we pin the version by specifying the release tag in the URL (supported by the go-getter lib).

We realized that the specified plugin version in the plugin.yaml is always the version which was released before the pinned release.

Currently when installing the plugin with the latest release tag we get the wrong version of the plugin installed, due to the wrong pinned version.

Install of version 0.123.3 will actually install 0.121.2

See here:
https://github.com/aquasecurity/trivy-plugin-aqua/blob/v0.123.2/plugin.yaml#L3

Is this a desired release behavior or a release bug? :)

Kind regards

Felix

@naortalmor1
Collaborator

Hey @fwiedmann
It was a bug, we've fixed this issue :)

@tectime

tectime commented Mar 27, 2023

Hey @naortalmor1, this is Rob from Aqua:

Below you can see the last comment from the internal ticket https://support.aquasec.com/a/tickets/29768

The problem isn't that the master branch is not the latest, but rather that it's not possible to easily pin the version down to create appropriate docker images.
https://github.com/aquasecurity/trivy-plugin-aqua/blob/v0.125.0/plugin.yaml#L3
↑ as you can see here, the tag is v0.125.0 but in the plugin.yaml it is still v0.124.2
which means, installing the plugin using

trivy plugin install github.com/aquasecurity/trivy-plugin-aqua?ref=v0.125.0

is not possible, as it will ALWAYS install the old one (v0.124.2) instead (because of the old plugin.yaml). This is due to the fact that the plugin.yaml is updated after the release, instead of it being with the release.
As mentioned in my first message, using

trivy plugin install github.com/aquasecurity/trivy-plugin-aqua?ref=update-plugin-links-$AQUA_PLUGIN_VERSION

does solve the issue, but as you can imagine, pinning versions based on temporary branches is not really advised. So we went with a manual installation instead for the time being.

The question is, if it is intended that the plugin.yaml is updated with a pull request after a release has been made. I know that Github has a file limit of 50MB (100MB) and it recommends using releases (or LFS/BLOBs) instead; but we would like to have a reliable tag/release so we can pin the right version down using ?ref= and not with downloading it manually.
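The failure mode Rob describes above (the tag says v0.125.0, the plugin.yaml at that tag still declares v0.124.2, so the pinned install silently pulls the older build) can be caught in the image build before the plugin is installed. The following is an added example and not code from the trivy-plugin-aqua project or from Trivy itself: it assumes the manifest has a top-level `version:` key (the line the thread links to) and that release tags look like vMAJOR.MINOR.PATCH as they do in this thread; both manifests in it are constructed samples, and the download URI and asset name are placeholders, not the project's real layout.

```python
"""Gate for pinning a Trivy plugin by git ref: refuse to build the image when
the plugin.yaml fetched at that ref still declares an older release.

Added example, not code from trivy-plugin-aqua or Trivy. Assumes a top-level
`version:` key in the manifest and vMAJOR.MINOR.PATCH release tags.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample reproducing the thread: the ref is v0.125.0 but the
# manifest at that ref still carries the previous release.
STALE_PLUGIN_YAML = """\
name: aqua
repository: github.com/aquasecurity/trivy-plugin-aqua
version: v0.124.2
usage: scan with Aqua
"""

# Constructed sample of a consistent manifest; the download URI and the asset
# name are placeholders, not the project's real layout.
CONSISTENT_PLUGIN_YAML = """\
name: aqua
version: v0.125.0
platforms:
  - uri: https://github.com/aquasecurity/trivy-plugin-aqua/releases/download/v0.125.0/example-asset.tar.gz
"""

# Top-level `version:` only, so nested keys of the same name are ignored.
VERSION_LINE_RE = re.compile(r"^version\s*:\s*['\"]?([^'\"\s#]+)['\"]?")
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")
SEMVER_IN_URL_RE = re.compile(r"v?\d+\.\d+\.\d+")


def manifest_version(yaml_text: str) -> Optional[str]:
    """Return the declared plugin version, or None if the key is missing.
    A line scanner is used deliberately so the gate needs no YAML library
    inside a minimal builder image."""
    for line in yaml_text.splitlines():
        m = VERSION_LINE_RE.match(line)
        if m:
            return m.group(1)
    return None


def url_versions(yaml_text: str) -> List[str]:
    """Collect every vX.Y.Z token that appears inside a URL in the manifest,
    since those decide which release asset actually gets downloaded."""
    found: List[str] = []
    for line in yaml_text.splitlines():
        if "://" in line:
            found.extend(SEMVER_IN_URL_RE.findall(line))
    return found


def normalize(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn 'v0.125.0' or '0.125.0' into (0, 125, 0) so a leading 'v' does
    not cause a false mismatch; non-release refs (branches) return None."""
    m = SEMVER_RE.match(version.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def check_pinned_version(ref: str, yaml_text: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when the manifest's own version and
    every versioned download URL agree with the ref that was pinned."""
    want = normalize(ref)
    if want is None:
        return False, f"ref {ref!r} is not a release tag"
    declared = manifest_version(yaml_text)
    if declared is None:
        return False, "plugin.yaml has no top-level version field"
    if normalize(declared) != want:
        return False, f"ref {ref} but plugin.yaml declares {declared}; refusing to install"
    stray = sorted({v for v in url_versions(yaml_text) if normalize(v) != want})
    if stray:
        return False, f"download URLs reference {stray} rather than {ref}"
    return True, f"ref {ref} is consistent with plugin.yaml"


if __name__ == "__main__":
    for ref, text in (("v0.125.0", STALE_PLUGIN_YAML),
                      ("v0.125.0", CONSISTENT_PLUGIN_YAML)):
        ok, why = check_pinned_version(ref, text)
        print("OK  " if ok else "FAIL", why)
```

In an image build the manifest would be fetched from the pinned tag (the same file the thread links to) and passed to `check_pinned_version` together with the `?ref=` value, failing the build on mismatch rather than letting go-getter install whatever the stale manifest points at. The `normalize` step also rejects the temporary `update-plugin-links-*` branches mentioned above, which enforces the "pin to a tag, not a branch" rule Rob wants. A consistent manifest is still only as trustworthy as the tag it was fetched from, so recording the downloaded asset's digest alongside the tag is the natural next step.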
