
Upgrade trivy and harbor-scanner-trivy for harbor v2.11.1 #3932

Merged: 1 commit merged Oct 16, 2024

Conversation

sp1999 (Member) commented Oct 16, 2024

Issue #, if available:

#2401

Description of changes:

This PR does the following:

  • Updates aquasecurity/trivy to v0.56.2 instead of the harbor dependency v0.54.1, as the latest trivy version includes #7600, which fixes the go.mod dependencies to remove the broken replace directives
  • Removes the 0001-Replace-mitchellh-os-ext-with-kardianos-os-ext-modul.patch from trivy, as upstream removed the dependency on the github.com/mitchellh/osext module in #7249 as part of the v0.54.0 release
  • Adds a new patch to replace a trivy dependency that uses a non-standard public domain license, fixing this attribution generation error:
    E1016 06:35:01.744101     246 library.go:132] Failed to find license for github.com/xi2/xz: cannot find a known open source license for "/eks-anywhere-build-tooling/projects/aquasecurity/trivy/trivy/vendor/github.com/xi2/xz" whose name matches regexp ^(?i)((UN)?LICEN(S|C)E|COPYING|README|NOTICE).*$ and locates up until "/eks-anywhere-build-tooling/projects/aquasecurity/trivy/trivy/vendor"
    F1016 06:35:08.701095     246 main.go:77] one or more libraries have an incompatible/unknown license: map["unknown":["github.com/xi2/xz"]]
  • Updates aquasecurity/harbor-scanner-trivy to v0.31.4

Upstream source of truth:

https://github.com/goharbor/harbor/blob/v2.11.1/Makefile#L107-L108

Changelog:

Trivy: https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md
Harbor-scanner-trivy: https://github.com/aquasecurity/harbor-scanner-trivy/releases/tag/v0.31.4

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
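The log lines in the description show how the attribution step decides a vendored module's license: it looks for files whose names match the quoted regexp and searches upward from the module directory until it reaches the vendor root, and any module for which no known license text turns up lands in the "unknown" bucket that fails the build. The Python script below is an added example that reproduces that search on a constructed vendor tree; it is not code from eks-anywhere-build-tooling, trivy, or the attribution tool that emitted the log, and the license text markers, directory layout and module names it uses are constructed for the demo.

```python
"""Locate and classify license files for vendored Go modules.

Added example, not code from eks-anywhere-build-tooling or the attribution
tool quoted in the PR. It mimics the search the log line describes: match
file names against the quoted regexp, walk up from the module directory
until the vendor root, and report modules with no recognised license.
"""
import re
import tempfile
from pathlib import Path

# Regexp from the PR's error message. The original writes the flag inline as
# "^(?i)..."; Python 3.11+ rejects a global inline flag that is not at the
# very start of the pattern, so the flag is passed as re.IGNORECASE instead.
LICENSE_NAME_RE = re.compile(
    r"^((UN)?LICEN(S|C)E|COPYING|README|NOTICE).*$", re.IGNORECASE
)

# Constructed, deliberately small set of text markers for "known" licenses.
# A real attribution tool uses a far larger corpus of license templates.
KNOWN_LICENSE_MARKERS = {
    "MIT": "permission is hereby granted, free of charge",
    "Apache-2.0": "apache license",
    "BSD": "redistribution and use in source and binary forms",
}


def classify_license(text: str) -> str:
    """Map license text to an identifier, or "unknown" if no marker matches."""
    lowered = text.lower()
    for license_id, marker in KNOWN_LICENSE_MARKERS.items():
        if marker in lowered:
            return license_id
    return "unknown"


def license_for_module(module_dir: Path, vendor_root: Path):
    """Return (license_id, file) for a vendored module.

    Candidates are files whose names match LICENSE_NAME_RE, checked in the
    module directory first and then in each parent up to, but excluding,
    the vendor root. The first candidate with a known license wins.
    """
    current = module_dir.resolve()
    vendor_root = vendor_root.resolve()
    while current != vendor_root and vendor_root in current.parents:
        for entry in sorted(current.iterdir()):
            if entry.is_file() and LICENSE_NAME_RE.match(entry.name):
                license_id = classify_license(entry.read_text(errors="replace"))
                if license_id != "unknown":
                    return license_id, entry
        current = current.parent
    return "unknown", None


def audit_vendor_tree(vendor_root: Path, modules) -> dict:
    """Group module import paths by license id, in the shape of the map the
    PR's fatal log line prints ("unknown" -> list of modules)."""
    report: dict = {}
    for module in modules:
        license_id, _ = license_for_module(vendor_root / module, vendor_root)
        report.setdefault(license_id, []).append(module)
    return report


def build_sample_vendor_tree():
    """Constructed sample vendor tree (module names and file contents are
    made up for the demo, not real upstream modules)."""
    root = Path(tempfile.mkdtemp()) / "vendor"
    mit = root / "github.com/example/mitlib"
    mit.mkdir(parents=True)
    (mit / "LICENSE").write_text(
        "MIT License\n\nPermission is hereby granted, free of charge, ...\n"
    )
    # Sub-package whose license file lives in the module root one level up.
    apache_sub = root / "github.com/example/apachelib/internal"
    apache_sub.mkdir(parents=True)
    (apache_sub.parent / "LICENSE.txt").write_text("Apache License\nVersion 2.0\n")
    # Module whose only matching file is a README with a non-standard
    # public-domain note that no marker recognises.
    pd = root / "github.com/example/pdlib"
    pd.mkdir(parents=True)
    (pd / "README.md").write_text("pdlib\n\nReleased into the public domain.\n")
    modules = [
        "github.com/example/mitlib",
        "github.com/example/apachelib/internal",
        "github.com/example/pdlib",
    ]
    return root, modules


if __name__ == "__main__":
    sample_root, sample_modules = build_sample_vendor_tree()
    for license_id, mods in sorted(audit_vendor_tree(sample_root, sample_modules).items()):
        print(f"{license_id}: {mods}")
```

The walk stops at the vendor root on purpose: accepting a license file from outside the vendor tree would silently attribute the consuming repository's own license to a third-party module. A module whose only matching file is a README carrying a public-domain note, as with the dependency the PR describes, is reported under "unknown" rather than passed through, which is the failure the PR resolves by patching the dependency out rather than by loosening the check.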

@sp1999 sp1999 force-pushed the update-harbor-dependencies branch from 8ed0028 to 9550af5 Compare October 16, 2024 08:02
@sp1999 sp1999 changed the title [WIP] Upgrade trivy and harbor-scanner-trivy for harbor v2.11.1 Upgrade trivy and harbor-scanner-trivy for harbor v2.11.1 Oct 16, 2024
@eks-distro-bot eks-distro-bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed do-not-merge/work-in-progress size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 16, 2024
sp1999 (Member, Author) commented Oct 16, 2024

/approve

eks-distro-bot (Collaborator) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sp1999

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

abhay-krishna (Member) commented

/lgtm

@eks-distro-bot eks-distro-bot merged commit 788a047 into aws:main Oct 16, 2024
4 checks passed
@sp1999 sp1999 deleted the update-harbor-dependencies branch October 16, 2024 16:45
Labels: approved, lgtm, size/XXL (Denotes a PR that changes 1000+ lines, ignoring generated files.)