Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(db): Add dbRepository flag to get advisory database from OCI registry #1873

Merged
merged 7 commits into from
Mar 31, 2022
Merged

feat(db): Add dbRepository flag to get advisory database from OCI registry #1873

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
bd243bc
feat(db): Add dbRepository flag to get advisory database from OCI reg…
ksashikumar Mar 23, 2022
6b8cc3e
Review comment: use WithDBRepository
ksashikumar Mar 24, 2022
003173f
Fix db package name
ksashikumar Mar 25, 2022
1dceb4f
Review comment: refactor to functional option
ksashikumar Mar 28, 2022
cbe276a
Merge branch 'main' into sk/add-db-repository
knqyf263 Mar 31, 2022
f96fd19
refactor(db): update a log message
knqyf263 Mar 31, 2022
ceaa7c7
style: gofmt
knqyf263 Mar 31, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions docs/vulnerability/examples/db.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,3 +36,10 @@ This is useful to initialize workers in Continuous Integration systems.
```
$ trivy image --download-db-only
```

## DB Repository
`Trivy` could also download the vulnerability database from an external OCI registry by using `--db-repository` option.

```
$ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db
```
9 changes: 9 additions & 0 deletions pkg/commands/app.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -325,6 +325,13 @@ var (
EnvVars: []string{"TRIVY_CUSTOM_HEADERS"},
}

dbRepositoryFlag = cli.StringFlag{
Name: "db-repository",
Usage: "OCI repository to retrieve trivy-db from",
Value: "ghcr.io/aquasecurity/trivy-db",
EnvVars: []string{"TRIVY_DB_REPOSITORY"},
}

// Global flags
globalFlags = []cli.Flag{
&quietFlag,
Expand Down Expand Up @@ -447,6 +454,7 @@ func NewImageCommand() *cli.Command {
&redisBackendKey,
&offlineScan,
&insecureFlag,
&dbRepositoryFlag,
stringSliceFlag(skipFiles),
stringSliceFlag(skipDirs),
},
Expand Down Expand Up @@ -483,6 +491,7 @@ func NewFilesystemCommand() *cli.Command {
&ignorePolicy,
&listAllPackages,
&offlineScan,
&dbRepositoryFlag,
stringSliceFlag(skipFiles),
stringSliceFlag(skipDirs),

Expand Down
2 changes: 1 addition & 1 deletion pkg/commands/artifact/run.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -151,7 +151,7 @@ func initCache(c Option) (cache.Cache, error) {
func initDB(c Option) error {
// download the database file
noProgress := c.Quiet || c.NoProgress
if err := operation.DownloadDB(c.AppVersion, c.CacheDir, noProgress, c.SkipDBUpdate); err != nil {
if err := operation.DownloadDB(c.AppVersion, c.CacheDir, c.DBRepository, noProgress, c.SkipDBUpdate); err != nil {
return err
}

Expand Down
5 changes: 3 additions & 2 deletions pkg/commands/operation/operation.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,8 +95,8 @@ func (c Cache) ClearArtifacts() error {
}

// DownloadDB downloads the DB
func DownloadDB(appVersion, cacheDir string, quiet, skipUpdate bool) error {
client := db.NewClient(cacheDir, quiet)
func DownloadDB(appVersion, cacheDir, dbRepository string, quiet, skipUpdate bool) error {
client := db.NewClient(cacheDir, quiet, db.WithDBRepository(dbRepository))
ctx := context.Background()
needsUpdate, err := client.NeedsUpdate(appVersion, skipUpdate)
if err != nil {
Expand All @@ -106,6 +106,7 @@ func DownloadDB(appVersion, cacheDir string, quiet, skipUpdate bool) error {
if needsUpdate {
log.Logger.Info("Need to update DB")
log.Logger.Info("Downloading DB...")
log.Logger.Infof("Repository: %s", dbRepository)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I want to put it before Downloading DB....

if err = client.Download(ctx, cacheDir); err != nil {
return xerrors.Errorf("failed to download vulnerability DB: %w", err)
}
Expand Down
2 changes: 2 additions & 0 deletions pkg/commands/option/db.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ type DBOption struct {
SkipDBUpdate bool
Light bool
NoProgress bool
DBRepository string
}

// NewDBOption is the factory method to return the DBOption
Expand All @@ -24,6 +25,7 @@ func NewDBOption(c *cli.Context) DBOption {
SkipDBUpdate: c.Bool("skip-db-update"),
Light: c.Bool("light"),
NoProgress: c.Bool("no-progress"),
DBRepository: c.String("db-repository"),
}
}

Expand Down
2 changes: 1 addition & 1 deletion pkg/commands/server/run.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ func run(c Config) (err error) {
}

// download the database file
if err = operation.DownloadDB(c.AppVersion, c.CacheDir, true, c.SkipDBUpdate); err != nil {
if err = operation.DownloadDB(c.AppVersion, c.CacheDir, c.DBRepository, true, c.SkipDBUpdate); err != nil {
return err
}

Expand Down
23 changes: 15 additions & 8 deletions pkg/db/db.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,10 +15,7 @@ import (
"github.com/aquasecurity/trivy/pkg/log"
)

const (
dbRepository = "ghcr.io/aquasecurity/trivy-db"
dbMediaType = "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip"
)
const dbMediaType = "application/vnd.aquasec.trivy.db.layer.v1.tar+gzip"

// Operation defines the DB operations
type Operation interface {
Expand All @@ -27,8 +24,9 @@ type Operation interface {
}

type options struct {
artifact *oci.Artifact
clock clock.Clock
artifact *oci.Artifact
clock clock.Clock
dbRepository string
}

// Option is a functional option
Expand All @@ -41,6 +39,15 @@ func WithOCIArtifact(art *oci.Artifact) Option {
}
}


// WithDBRepository takes a dbRepository
func WithDBRepository(dbRepository string) Option {
knqyf263 marked this conversation as resolved.
Show resolved Hide resolved
return func(opts *options) {
opts.dbRepository = dbRepository
}
}


// WithClock takes a clock
func WithClock(clock clock.Clock) Option {
return func(opts *options) {
Expand Down Expand Up @@ -138,7 +145,7 @@ func (c *Client) Download(ctx context.Context, dst string) error {
log.Logger.Debug("no metadata file")
}

if err := c.populateOCIArtifact(); err != nil {
if err := c.populateOCIArtifact(c.dbRepository); err != nil {
return xerrors.Errorf("OCI artifact error: %w", err)
}

Expand Down Expand Up @@ -171,7 +178,7 @@ func (c *Client) updateDownloadedAt(dst string) error {
return nil
}

func (c *Client) populateOCIArtifact() error {
func (c *Client) populateOCIArtifact(dbRepository string) error {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We have dbRepository as a member of Client. Do we need to pass it as an argument? We can access c.dbRepository in this method.

if c.artifact == nil {
repo := fmt.Sprintf("%s:%d", dbRepository, db.SchemaVersion)
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like

Suggested change
repo := fmt.Sprintf("%s:%d", dbRepository, db.SchemaVersion)
repo := fmt.Sprintf("%s:%d", c.dbRepository, db.SchemaVersion)

art, err := oci.NewArtifact(repo, dbMediaType, c.quiet)
Expand Down
3 changes: 2 additions & 1 deletion pkg/db/db_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -197,6 +197,7 @@ func TestClient_Download(t *testing.T) {
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
cacheDir := t.TempDir()
dbRepository := "ghcr.io/aquasecurity/trivy-db"

// Mock image
img := new(fakei.FakeImage)
Expand All @@ -206,7 +207,7 @@ func TestClient_Download(t *testing.T) {
art, err := oci.NewArtifact("db", mediaType, true, oci.WithImage(img))
require.NoError(t, err)

client := db.NewClient(cacheDir, true, db.WithOCIArtifact(art), db.WithClock(timeDownloadedAt))
client := db.NewClient(cacheDir, true, db.WithOCIArtifact(art), db.WithClock(timeDownloadedAt), db.WithDBRepository(dbRepository))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto

err = client.Download(context.Background(), cacheDir)
if tt.wantErr != "" {
require.Error(t, err)
Expand Down
3 changes: 2 additions & 1 deletion pkg/rpc/server/listen.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ import (
)

const updateInterval = 1 * time.Hour
const dbRepository = "ghcr.io/aquasecurity/trivy-db"

// Server represents Trivy server
type Server struct {
Expand Down Expand Up @@ -50,7 +51,7 @@ func (s Server) ListenAndServe(serverCache cache.Cache) error {
dbUpdateWg := &sync.WaitGroup{}

go func() {
worker := newDBWorker(dbc.NewClient(s.cacheDir, true))
worker := newDBWorker(dbc.NewClient(s.cacheDir, true, dbc.WithDBRepository(dbRepository)))
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Then, we don't have to pass the default value here.

ctx := context.Background()
for {
time.Sleep(updateInterval)
Expand Down