Skip to content

Commit

Permalink
Bump Trivy to v0.54.1 (#2427)
Browse files Browse the repository at this point in the history
* Bump trivy to v0.49.1

* Bump trivy to v0.51.4
    - Fix registry version aquasecurity/trivy#6219; 
    - Fix replace zap with slog aquasecurity/trivy#6466;
        - The fix with slog used a zap to slog bridge (official from zap, but exp). It didn't have a license file, so I hardcoded a commit version that had; 
  - Adopt opts.Align() to validate options object;

* Bump trivy to v0.52.2

* Temp change the workflow trigger to test changes

* Free up space on runner

* Bump trivy to v0.53.0
  - Fix go clear cache aquasecurity/trivy#7010

* Bump trivy to v0.54.1
  - Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; 
  - Adopt package relationships aquasecurity/trivy#7237

* Rollback CI run on target

* Clean 'scan cache clean' code and add timeout to it
  • Loading branch information
romulets authored Aug 13, 2024
1 parent e3cba3a commit c66d2f0
Show file tree
Hide file tree
Showing 7 changed files with 509 additions and 331 deletions.
1 change: 1 addition & 0 deletions .buildkite/scripts/generate_notice.py
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@
{"name": "github.com/golang/glog", "licenceType": "Apache-2.0"},
{"name": "github.com/spdx/tools-golang", "licenceFile": "LICENSE.code", "licenceType": "Apache-2.0"},
{"name": "github.com/aquasecurity/trivy-policies", "licenceType": "MIT"},
{"name": "github.com/csaf-poc/csaf_distribution/v3", "licenceType": "Apache-2.0"},
]

# Additional third-party, non-source code dependencies, to add to the CSV output.
Expand Down
11 changes: 11 additions & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,17 @@ jobs:
runs-on: ubuntu-22.04
timeout-minutes: 30
steps:
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
android: true
dotnet: true
haskell: true
large-packages: false
docker-images: true
swap-storage: true

- name: Check out the repo
uses: actions/checkout@v4

Expand Down
171 changes: 96 additions & 75 deletions go.mod

Large diffs are not rendered by default.

604 changes: 378 additions & 226 deletions go.sum

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions internal/flavors/vulnerability.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,15 +20,16 @@ package flavors
import (
"context"
"fmt"
"log/slog"

dlog "github.com/aquasecurity/go-dep-parser/pkg/log"
flog "github.com/aquasecurity/trivy/pkg/fanal/log"
tlog "github.com/aquasecurity/trivy/pkg/log"
"github.com/elastic/beats/v7/libbeat/beat"
agentconfig "github.com/elastic/elastic-agent-libs/config"
"github.com/elastic/elastic-agent-libs/logp"
xlog "github.com/masahiro331/go-xfs-filesystem/log"
"go.uber.org/zap"
"go.uber.org/zap/exp/zapslog"

"github.com/elastic/cloudbeat/internal/config"
"github.com/elastic/cloudbeat/internal/dataprovider"
Expand All @@ -53,9 +54,8 @@ func NewVulnerability(b *beat.Beat, cfg *agentconfig.C) (beat.Beater, error) {
// Override trivy's logger
scanLog := zap.New(log.Core()).Sugar()
dlog.SetLogger(scanLog)
flog.SetLogger(scanLog)
xlog.SetLogger(scanLog)
tlog.Logger = scanLog
tlog.SetDefault(slog.New(zapslog.NewHandler(log.Core())))

ctx, cancel := context.WithCancel(context.Background())

Expand Down
41 changes: 16 additions & 25 deletions internal/vulnerability/runner.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,13 +19,15 @@ package vulnerability

import (
"context"
"errors"
"time"

"github.com/aquasecurity/trivy/pkg/commands/artifact"
"github.com/aquasecurity/trivy/pkg/commands/clean"
fanal_types "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/flag"
trivy_types "github.com/aquasecurity/trivy/pkg/types"
"github.com/elastic/elastic-agent-libs/logp"
"github.com/google/go-containerregistry/pkg/name"
)

type VulnerabilityRunner struct {
Expand All @@ -48,17 +50,18 @@ func NewVulnerabilityRunner(log *logp.Logger) (VulnerabilityRunner, error) {
Quiet: false,
Debug: true,
},
VulnerabilityOptions: flag.VulnerabilityOptions{
VulnType: []string{trivy_types.VulnTypeOS, trivy_types.VulnTypeLibrary},
PackageOptions: flag.PackageOptions{
PkgTypes: []string{trivy_types.PkgTypeOS, trivy_types.PkgTypeLibrary},
PkgRelationships: fanal_types.Relationships,
},
ScanOptions: flag.ScanOptions{
Scanners: []trivy_types.Scanner{trivy_types.VulnerabilityScanner},
RekorURL: "https://rekor.sigstore.dev",
},
DBOptions: flag.DBOptions{
NoProgress: true,
DBRepository: "ghcr.io/aquasecurity/trivy-db",
JavaDBRepository: "ghcr.io/aquasecurity/trivy-java-db",
DBRepository: name.MustParseReference("ghcr.io/aquasecurity/trivy-db:2"),
JavaDBRepository: name.MustParseReference("ghcr.io/aquasecurity/trivy-java-db:1"),
},
}

Expand All @@ -82,24 +85,12 @@ func clearTrivyCache(ctx context.Context, log *logp.Logger) error {
log.Info("Starting VulnerabilityRunner.ClearCache")
defer log.Info("Ending VulnerabilityRunner.ClearCache")

// These are the three available cli settings for clean/reset translated to flag.Options object.
// {CacheOptions: flag.CacheOptions{ClearCache: true}},
// {DBOptions: flag.DBOptions{Reset: true}},
// {MisconfOptions: flag.MisconfOptions{ResetPolicyBundle: true}},
// In our case we will use only the ClearCache option.

errs := make([]error, 0, 2)
r, err := artifact.NewRunner(ctx, flag.Options{CacheOptions: flag.CacheOptions{ClearCache: true}})
if err != nil {
if !errors.Is(err, artifact.SkipScan) {
errs = append(errs, err)
}
}

// it should never go here (NewRunner should always return artifact.SkipScan and nil runner), but just in case it goes, lets close the runner.
if r != nil {
errs = append(errs, r.Close(ctx))
}

return errors.Join(errs...)
return clean.Run(ctx, flag.Options{
CleanOptions: flag.CleanOptions{
CleanScanCache: true,
},
GlobalOptions: flag.GlobalOptions{
Timeout: 5 * time.Second,
},
})
}
6 changes: 4 additions & 2 deletions internal/vulnerability/scanner.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ import (
"time"

db_types "github.com/aquasecurity/trivy-db/pkg/types"
fanal_types "github.com/aquasecurity/trivy/pkg/fanal/types"
"github.com/aquasecurity/trivy/pkg/flag"
trivy_types "github.com/aquasecurity/trivy/pkg/types"
"github.com/elastic/elastic-agent-libs/logp"
Expand Down Expand Up @@ -117,8 +118,9 @@ func (f VulnerabilityScanner) scan(ctx context.Context, snap ec2.EBSSnapshot) {
Quiet: false,
Debug: true,
},
VulnerabilityOptions: flag.VulnerabilityOptions{
VulnType: []string{trivy_types.VulnTypeOS, trivy_types.VulnTypeLibrary},
PackageOptions: flag.PackageOptions{
PkgTypes: []string{trivy_types.PkgTypeOS, trivy_types.PkgTypeLibrary},
PkgRelationships: fanal_types.Relationships,
},
ScanOptions: flag.ScanOptions{
Target: fmt.Sprint("ebs:", snap.SnapshotId),
Expand Down

0 comments on commit c66d2f0

Please sign in to comment.