Omit the trivy DB schema version for backwards compatibility with trivy < 0.50.0 #1063

Merged
merged 1 commit into from
Oct 2, 2024

Member

@wallrj wallrj commented Oct 2, 2024

In #1062 (comment) @inteon noticed that the trivy tests were now failing on cert-manager 1.12 and 1.14 branches.
Those releases use an older version of trivy < 0.50.0 which unconditionally appends the schema version (tag) to the supplied DB registry.
Newer versions of trivy >= 0.50.0 only append the schema version if it has not been supplied, and log a backwards compatibility message in that case:

So to support both old and new versions, I've removed the schema version from the DB registry variable.

Testing

I ran trivy on all the release branches and observed it download the DB successfully:

for release in 1.12 1.14 1.15 1.16; do 
  echo "RELEASE: $release"; 
  git checkout "origin/release-$release"; 
  > ~/.cache/trivy/db/metadata.json; 
  make trivy-scan-acmesolver TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db > $release.stdout; 
done
RELEASE: 1.12
Previous HEAD position was e381fb0c2 Merge pull request #7318 from cert-manager-bot/cherry-pick-7315-to-release-1.16
HEAD is now at 231a4bdfc Merge pull request #7224 from wallrj/update-cmd/ctl/v1.12.13
2024-10-02T06:37:52.482+0100    INFO    Need to update DB
2024-10-02T06:37:52.482+0100    INFO    DB Repository: public.ecr.aws/aquasecurity/trivy-db
2024-10-02T06:37:52.482+0100    INFO    Downloading DB...
53.93 MiB / 53.93 MiB [------------------------------------------------------------------------------------] 100.00% 2.19 MiB p/s 25s
...
RELEASE: 1.14
Previous HEAD position was 231a4bdfc Merge pull request #7224 from wallrj/update-cmd/ctl/v1.12.13
HEAD is now at 99d4b3189 Merge pull request #7225 from ThatsMrTalbot/chore/release-1.14-update-base-images
2024-10-02T06:38:26.759+0100    INFO    Need to update DB
2024-10-02T06:38:26.759+0100    INFO    DB Repository: public.ecr.aws/aquasecurity/trivy-db
2024-10-02T06:38:26.759+0100    INFO    Downloading DB...
53.93 MiB / 53.93 MiB [------------------------------------------------------------------------------------] 100.00% 1.92 MiB p/s 28s
...
RELEASE: 1.15
Previous HEAD position was 99d4b3189 Merge pull request #7225 from ThatsMrTalbot/chore/release-1.14-update-base-images
HEAD is now at 3155085d6 Merge pull request #7305 from SgtCoDFish/release-1.15-moretesting
2024-10-02T06:39:00.505+0100    INFO    Need to update DB
2024-10-02T06:39:00.505+0100    INFO    DB Repository: public.ecr.aws/aquasecurity/trivy-db
2024-10-02T06:39:00.505+0100    INFO    Downloading DB...
53.93 MiB / 53.93 MiB [------------------------------------------------------------------------------------] 100.00% 2.25 MiB p/s 24s
...
RELEASE: 1.16
Previous HEAD position was 3155085d6 Merge pull request #7305 from SgtCoDFish/release-1.15-moretesting
HEAD is now at e381fb0c2 Merge pull request #7318 from cert-manager-bot/cherry-pick-7315-to-release-1.16
2024-10-02T06:39:30+01:00       INFO    Adding schema version to the DB repository for backward compatibility   repository="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-02T06:39:30+01:00       INFO    [db] Need to update DB
2024-10-02T06:39:30+01:00       INFO    [db] Downloading DB...  repository="public.ecr.aws/aquasecurity/trivy-db:2"
53.93 MiB / 53.93 MiB [------------------------------------------------------------------------------------] 100.00% 2.20 MiB p/s 25s
...
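
The tag handling described in the PR description above, as an added sketch (not trivy's or cert-manager's code): it models the two behaviours exactly as the description states them and checks which `TRIVY_DB_REPOSITORY` values resolve identically under both. The function names and the `localhost:5000` sample are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration: models the tag handling described in this PR.
# Not trivy's source code; all function names here are hypothetical.

SCHEMA_VERSION=2   # tag visible in the release-1.16 log line (trivy-db:2)

# has_tag REF: succeeds if the last path component carries a ":tag".
# Only the last component is inspected, so a registry port such as
# localhost:5000/trivy-db is not mistaken for a tag.
has_tag() {
  case "${1##*/}" in
    *:*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Behaviour described for trivy < 0.50.0: always append the schema version.
resolve_old() {
  printf '%s:%s\n' "$1" "$SCHEMA_VERSION"
}

# Behaviour described for trivy >= 0.50.0: append only if no tag was supplied.
resolve_new() {
  if has_tag "$1"; then
    printf '%s\n' "$1"
  else
    printf '%s:%s\n' "$1" "$SCHEMA_VERSION"
  fi
}

# portable_across_versions REF: succeeds when both behaviours resolve REF
# to the same reference, i.e. the value is safe on every release branch.
portable_across_versions() {
  [ "$(resolve_old "$1")" = "$(resolve_new "$1")" ]
}

# Constructed sample values: untagged, tagged, and a registry with a port.
for ref in public.ecr.aws/aquasecurity/trivy-db \
           public.ecr.aws/aquasecurity/trivy-db:2 \
           localhost:5000/trivy-db; do
  if portable_across_versions "$ref"; then verdict=ok; else verdict=MISMATCH; fi
  printf '%-42s old=%s new=%s [%s]\n' \
    "$ref" "$(resolve_old "$ref")" "$(resolve_new "$ref")" "$verdict"
done
```

Only the untagged forms resolve to the same reference under both behaviours, which is why the schema version was dropped from the variable.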

@cert-manager-prow cert-manager-prow bot added dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 2, 2024
@wallrj wallrj requested a review from inteon October 2, 2024 06:07
Member

@inteon inteon left a comment

/approve
/lgtm

@cert-manager-prow cert-manager-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 2, 2024
@cert-manager-prow
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: inteon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 2, 2024
@cert-manager-prow cert-manager-prow bot merged commit 6c4018e into cert-manager:master Oct 2, 2024
6 checks passed
@cert-manager-prow
Contributor

@wallrj: Updated the job-config configmap in namespace default at cluster default using the following files:

  • key config.yaml using file config/jobs/cert-manager/config.yaml

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@wallrj wallrj deleted the trivy-db-mirror-2 branch October 2, 2024 06:35