From f5d486fd0f4c966737260406a78eccb4bd40a561 Mon Sep 17 00:00:00 2001 From: Benjamin Bordes Date: Sat, 16 Nov 2024 23:50:14 +0100 Subject: [PATCH] feat: support multiple database repositories Signed-off-by: Benjamin Bordes --- README.md | 86 +++++++++--------- helm/harbor-scanner-trivy/README.md | 90 +++++++++---------- .../templates/statefulset.yaml | 4 +- helm/harbor-scanner-trivy/values.yaml | 17 ++-- pkg/etc/config.go | 4 +- pkg/etc/config_test.go | 34 ++++--- pkg/trivy/wrapper.go | 12 +-- pkg/trivy/wrapper_test.go | 8 +- 8 files changed, 136 insertions(+), 119 deletions(-) diff --git a/README.md b/README.md index 9c83869c..585adc92 100644 --- a/README.md +++ b/README.md @@ -44,7 +44,7 @@ The following matrix indicates the version of Trivy and Trivy adapter installed | - | v0.30.20 | [trivy v0.48.1] | | harbor v2.10.0 | v0.30.19 | [trivy v0.47.0] | -Note: The version matrix is not exhaustive. For older versions please refer to https://github.com/aquasecurity/harbor-scanner-trivy +Note: The version matrix is not exhaustive. For older versions please refer to https://github.com/aquasecurity/harbor-scanner-trivy ## Deployment 
@@ -68,47 +68,47 @@ designated as the default scanner. Configuration of the adapter is done via environment variables at startup. -| Name | Default | Description | -|-----------------------------------------|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. | -| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server | -| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file | -| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file | -| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate | -| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body | -| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response | -| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled | -| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics | -| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory | -| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory | -| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode | -| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| -| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. | -| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed | -| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities | -| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file | -| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. | -| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. | -| `SCANNER_TRIVY_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-db` | OCI repository to retrieve the trivy vulnerability database from | -| `SCANNER_TRIVY_JAVA_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-java-db` | OCI repository to retrieve the Java trivy vulnerability database from | -| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. | -| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) | -| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate | -| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion | -| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store | -| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports | -| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis | -| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue | -| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. 
The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | -| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool | -| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool | -| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | -| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server | -| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply | -| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. | -| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server | -| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server | -| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to | +| Name | Default | Description | +|-----------------------------------------|--------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. 
| +| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server | +| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file | +| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file | +| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate | +| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body | +| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response | +| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled | +| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics | +| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory | +| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory | +| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode | +| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. | +| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. | +| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed | +| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities | +| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file | +| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. | +| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. 
| +| `SCANNER_TRIVY_DB_REPOSITORY` | `mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db` | OCI repository(ies) to retrieve the trivy vulnerability database in order of priority | +| `SCANNER_TRIVY_JAVA_DB_REPOSITORY` | `mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db` | OCI repository(ies) to retrieve the Java trivy vulnerability database in order of priority | +| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. | +| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) | +| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate | +| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion | +| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store | +| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports | +| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis | +| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue | +| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | +| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool | +| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool | +| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. 
If the value is zero, then idle connections are not closed. | +| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server | +| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply | +| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. | +| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server | +| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server | +| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to | ## Documentation @@ -154,7 +154,7 @@ Please read [CONTRIBUTING.md](CONTRIBUTING.md) for details on our code of conduc requests. --- -Harbor Scanner Adapter for Trivy is an [Aqua Security](https://aquasec.com) open source project. +Harbor Scanner Adapter for Trivy is an [Aqua Security](https://aquasec.com) open source project. Learn about our open source work and portfolio [here](https://www.aquasec.com/products/open-source-projects/). [release-img]: https://img.shields.io/github/release/goharbor/harbor-scanner-trivy.svg?logo=github diff --git a/helm/harbor-scanner-trivy/README.md b/helm/harbor-scanner-trivy/README.md index f63159e5..6f931dc3 100644 --- a/helm/harbor-scanner-trivy/README.md +++ b/helm/harbor-scanner-trivy/README.md 
@@ -73,51 +73,51 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the scanner adapter chart and their default values. -| Parameter | Description | Default | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------| -| `image.registry` | Image registry | `docker.io` | -| `image.repository` | Image name | `aquasec/harbor-scanner-trivy` | -| `image.tag` | Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `replicaCount` | Number of scanner adapter Pods to run | `1` | -| `scanner.logLevel` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. 
The standard logger logs entries with that level or anything above it | `info` | -| `scanner.api.tlsEnabled` | The flag to enable or disable TLS for HTTP | `true` | -| `scanner.api.tlsCertificate` | The absolute path to the x509 certificate file | | -| `scanner.api.tlsKey` | The absolute path to the x509 private key file | | -| `scanner.api.readTimeout` | The maximum duration for reading the entire request, including the body | `15s` | -| `scanner.api.writeTimeout` | The maximum duration before timing out writes of the response | `15s` | -| `scanner.api.idleTimeout` | The maximum amount of time to wait for the next request when keep-alives are enabled | `60s` | -| `scanner.trivy.cacheDir` | Trivy cache directory | `/home/scanner/.cache/trivy` | -| `scanner.trivy.reportsDir` | Trivy reports directory | `/home/scanner/.cache/reports` | -| `scanner.trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` | -| `scanner.trivy.vulnType` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| `os,library` | -| `scanner.trivy.ignorepolicy` | The OPA rego script used by Trivy to evaluate each vulnerability | ` ` | -| `scanner.trivy.severity` | Comma-separated list of vulnerabilities severities to be displayed | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | -| `scanner.trivy.timeout` | The duration to wait for scan completion | `5m0s` | -| `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` | -| `scanner.trivy.skipJavaDBUpdate` | The flag to enable or disable Trivy Java DB downloads from GitHub | `ghcr.io/aquasecurity/trivy-db` | -| `scanner.trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-java-db` | -| `scanner.trivy.javaDBRepository` | OCI repository to retrieve the Java trivy vulnerability database from | `false` | -| `scanner.trivy.offlineScan` | The flag to disable external API requests to identify dependencies | `false` | -| `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | | -| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` | -| `scanner.store.redisNamespace` | The namespace for keys in the Redis store | `harbor.scanner.trivy:store` | -| `scanner.store.redisScanJobTTL` | The time to live for persisting scan jobs and associated scan reports | `1h` | -| `scanner.jobQueue.redisNamespace` | The namespace for keys in the scan jobs queue backed by Redis | `harbor.scanner.trivy:job-queue` | -| `scanner.jobQueue.workerConcurrency` | The number of workers to spin-up for a jobs queue | `1` | -| `scanner.redis.poolURL` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. 
| -| `scanner.redis.poolMaxActive` | The max number of connections allocated by the Redis connection pool | `5` | -| `scanner.redis.poolMaxIdle` | The max number of idle connections in the Redis connection pool | `5` | -| `scanner.redis.poolIdleTimeout` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | `5m` | -| `scanner.redis.poolConnectionTimeout` | The timeout for connecting to the Redis server | `1s` | -| `scanner.redis.poolReadTimeout` | The timeout for reading a single Redis command reply | `1s` | -| `scanner.redis.poolWriteTimeout` | The timeout for writing a single Redis command | `1s` | -| `service.type` | Kubernetes service type | `ClusterIP` | -| `service.port` | Kubernetes service port | `8080` | -| `httpProxy` | The URL of the HTTP proxy server | | -| `httpsProxy` | The URL of the HTTPS proxy server | | -| `noProxy` | The URLs that the proxy settings do not apply to | | +| Parameter | Description | Default | +|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------| +| `image.registry` | Image registry | `docker.io` | +| `image.repository` | Image name | `aquasec/harbor-scanner-trivy` | +| `image.tag` | Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `replicaCount` | Number of scanner adapter Pods to run | `1` | +| `scanner.logLevel` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. 
The standard logger logs entries with that level or anything above it | `info` | +| `scanner.api.tlsEnabled` | The flag to enable or disable TLS for HTTP | `true` | +| `scanner.api.tlsCertificate` | The absolute path to the x509 certificate file | | +| `scanner.api.tlsKey` | The absolute path to the x509 private key file | | +| `scanner.api.readTimeout` | The maximum duration for reading the entire request, including the body | `15s` | +| `scanner.api.writeTimeout` | The maximum duration before timing out writes of the response | `15s` | +| `scanner.api.idleTimeout` | The maximum amount of time to wait for the next request when keep-alives are enabled | `60s` | +| `scanner.trivy.cacheDir` | Trivy cache directory | `/home/scanner/.cache/trivy` | +| `scanner.trivy.reportsDir` | Trivy reports directory | `/home/scanner/.cache/reports` | +| `scanner.trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` | +| `scanner.trivy.vulnType` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| `os,library` | +| `scanner.trivy.ignorepolicy` | The OPA rego script used by Trivy to evaluate each vulnerability | ` ` | +| `scanner.trivy.severity` | Comma-separated list of vulnerabilities severities to be displayed | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `scanner.trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` | +| `scanner.trivy.skipJavaDBUpdate` | The flag to enable or disable Trivy Java DB downloads from GitHub | `false` | +| `scanner.trivy.dbRepository` | OCI repository(ies) to retrieve the trivy vulnerability database in order of priority | `mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db` | +| `scanner.trivy.javaDBRepository` | OCI repository(ies) to retrieve the Java trivy vulnerability database in order of priority | `mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db` | +| `scanner.trivy.offlineScan` | The flag to disable external API requests to identify dependencies | `false` | +| `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | | +| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `scanner.store.redisNamespace` | The namespace for keys in the Redis store | `harbor.scanner.trivy:store` | +| `scanner.store.redisScanJobTTL` | The time to live for persisting scan jobs and associated scan reports | `1h` | +| `scanner.jobQueue.redisNamespace` | The namespace for keys in the scan jobs queue backed by Redis | `harbor.scanner.trivy:job-queue` | +| `scanner.jobQueue.workerConcurrency` | The number of workers to spin-up for a jobs queue | `1` | +| `scanner.redis.poolURL` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. 
`redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | | +| `scanner.redis.poolMaxActive` | The max number of connections allocated by the Redis connection pool | `5` | +| `scanner.redis.poolMaxIdle` | The max number of idle connections in the Redis connection pool | `5` | +| `scanner.redis.poolIdleTimeout` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | `5m` | +| `scanner.redis.poolConnectionTimeout` | The timeout for connecting to the Redis server | `1s` | +| `scanner.redis.poolReadTimeout` | The timeout for reading a single Redis command reply | `1s` | +| `scanner.redis.poolWriteTimeout` | The timeout for writing a single Redis command | `1s` | +| `service.type` | Kubernetes service type | `ClusterIP` | +| `service.port` | Kubernetes service port | `8080` | +| `httpProxy` | The URL of the HTTP proxy server | | +| `httpsProxy` | The URL of the HTTPS proxy server | | +| `noProxy` | The URLs that the proxy settings do not apply to | | The above parameters map to the env variables defined in [harbor-scanner-trivy](https://github.com/aquasecurity/harbor-scanner-trivy#configuration). diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml index 636d22aa..ca708deb 100644 --- a/helm/harbor-scanner-trivy/templates/statefulset.yaml +++ b/helm/harbor-scanner-trivy/templates/statefulset.yaml 
@@ -78,9 +78,9 @@ spec: - name: "SCANNER_TRIVY_OFFLINE_SCAN" value: {{ .Values.scanner.trivy.offlineScan | quote }} - name: "SCANNER_TRIVY_DB_REPOSITORY" - value: {{ .Values.scanner.trivy.dbRepository | quote }} + value: {{ .Values.scanner.trivy.dbRepository | join \",\" | quote }} - name: "SCANNER_TRIVY_JAVA_DB_REPOSITORY" - value: {{ .Values.scanner.trivy.javaDBRepository | quote }} + value: {{ .Values.scanner.trivy.javaDBRepository | join \",\" | quote }} - name: "SCANNER_TRIVY_GITHUB_TOKEN" valueFrom: secretKeyRef: diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml index 7961e641..fe5787f3 100644 --- a/helm/harbor-scanner-trivy/values.yaml +++ b/helm/harbor-scanner-trivy/values.yaml 
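Review bot: The two added `value:` lines pass the separator to `join` as `\",\"`; a Go/Helm template does not accept backslash-escaped quotes outside a string literal, so if the backslashes are literally in the file the chart will fail to render, and the lines should read `value: {{ .Values.scanner.trivy.dbRepository | join "," | quote }}` (and the same for `javaDBRepository`). If the backslashes are only an artifact of how this patch was rendered, disregard. Either way, rendering the StatefulSet with the default list values in a chart test would surface a template error at CI time rather than at install time.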
@@ -74,14 +74,21 @@ scanner: ## If the flag is enabled you have to manually download the `trivy.db` file and mount it in the ## `/home/scanner/.cache/trivy/db/trivy.db` path (see `cacheDir`). skipUpdate: false - ## If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the ## `/home/scanner/.cache/trivy/java-db/trivy-java.db` path (see `cacheDir`). skipJavaDBUpdate: false - # OCI repository to retrieve the trivy vulnerability database from - dbRepository: "ghcr.io/aquasecurity/trivy-db" - # OCI repository to retrieve the Java trivy vulnerability database from - javaDBRepository: "ghcr.io/aquasecurity/trivy-java-db" + # The dbRepository and javaDBRepository flags can take multiple values, improving reliability when downloading databases. + # Databases are downloaded in priority order until one is successful. + # An attempt to download from the next repository is only made if a temporary error is received (e.g. status 429 or 5xx). + # + # OCI repository(ies) to retrieve the trivy vulnerability database in order of priority + dbRepository: + - "mirror.gcr.io/aquasec/trivy-db" + - "ghcr.io/aquasecurity/trivy-db" + # OCI repository(ies) to retrieve the Java trivy vulnerability database in order of priority + javaDBRepository: + - "mirror.gcr.io/aquasec/trivy-java-db" + - "ghcr.io/aquasecurity/trivy-java-db" # offlineScan the flag to disable external API requests to identify dependencies. offlineScan: false ## gitHubToken the GitHub access token to download Trivy DB diff --git a/pkg/etc/config.go b/pkg/etc/config.go index 3a51cdcb..02022cce 100644 --- a/pkg/etc/config.go +++ b/pkg/etc/config.go 
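Review bot: The new comment block above `dbRepository` explains the fallback order but not what changes for operators: with `mirror.gcr.io` listed first, the vulnerability database is now fetched by default from a different host than the previous `ghcr.io` source, so clusters with egress allowlists or a proxy (`httpProxy`/`noProxy` in this chart) need the new host permitted, and anyone who wants to keep a single trusted source must override the list to one entry. I would add `# Note: the default lists mirror.gcr.io first; permit it in any egress/proxy allowlist, or set a single entry to keep the previous source.` above `dbRepository`. The removed blank line after `skipUpdate: false` also makes the `## If the flag is enabled ... trivy-java.db` comment read as a continuation of the `skipUpdate` one; I would keep the separator.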
@@ -34,8 +34,8 @@ type Trivy struct {
 IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
 SkipDBUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
 SkipJavaDBUpdate bool `env:"SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" envDefault:"false"`
- DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
- JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
+ DBRepository []string `env:"SCANNER_TRIVY_DB_REPOSITORY"`
+ JavaDBRepository []string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY"`
 OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
 Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
diff --git a/pkg/etc/config_test.go b/pkg/etc/config_test.go
index 04cfaf78..6fae4b2f 100644
--- a/pkg/etc/config_test.go
+++ b/pkg/etc/config_test.go
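Review bot: Dropping `envDefault` from `DBRepository` and `JavaDBRepository` means a deployment that does not set the variables (anything outside the Helm chart, which now supplies the list itself) ends up with an empty slice, so `prepareScanCmd` omits `--db-repository` and presumably Trivy's own built-in default applies — which no longer matches the default the README in this same commit documents (`mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db`). Since `config_test.go` shows the env parser already splits a comma-separated value into the slice, the documented default can stay in the tag: ``DBRepository []string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db"` `` and likewise for `JavaDBRepository`. If leaving the choice to Trivy is intended, the README rows should instead state that the default is empty. The `Trivy` struct starts before this hunk.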
@@ -148,18 +148,20 @@ func TestGetConfig(t *testing.T) { "SCANNER_API_SERVER_WRITE_TIMEOUT": "2m", "SCANNER_API_SERVER_IDLE_TIMEOUT": "3m10s", - "SCANNER_TRIVY_CACHE_DIR": "/home/scanner/trivy-cache", - "SCANNER_TRIVY_REPORTS_DIR": "/home/scanner/trivy-reports", - "SCANNER_TRIVY_DEBUG_MODE": "true", - "SCANNER_TRIVY_VULN_TYPE": "os,library", - "SCANNER_TRIVY_SECURITY_CHECKS": "vuln", - "SCANNER_TRIVY_SEVERITY": "CRITICAL", - "SCANNER_TRIVY_IGNORE_UNFIXED": "true", - "SCANNER_TRIVY_INSECURE": "true", - "SCANNER_TRIVY_SKIP_UPDATE": "true", - "SCANNER_TRIVY_OFFLINE_SCAN": "true", - "SCANNER_TRIVY_GITHUB_TOKEN": "", - "SCANNER_TRIVY_TIMEOUT": "15m30s", + "SCANNER_TRIVY_CACHE_DIR": "/home/scanner/trivy-cache", + "SCANNER_TRIVY_REPORTS_DIR": "/home/scanner/trivy-reports", + "SCANNER_TRIVY_DEBUG_MODE": "true", + "SCANNER_TRIVY_VULN_TYPE": "os,library", + "SCANNER_TRIVY_SECURITY_CHECKS": "vuln", + "SCANNER_TRIVY_SEVERITY": "CRITICAL", + "SCANNER_TRIVY_IGNORE_UNFIXED": "true", + "SCANNER_TRIVY_INSECURE": "true", + "SCANNER_TRIVY_SKIP_UPDATE": "true", + "SCANNER_TRIVY_DB_REPOSITORY": "mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db", + "SCANNER_TRIVY_JAVA_DB_REPOSITORY": "mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db", + "SCANNER_TRIVY_OFFLINE_SCAN": "true", + "SCANNER_TRIVY_GITHUB_TOKEN": "", + "SCANNER_TRIVY_TIMEOUT": "15m30s", "SCANNER_STORE_REDIS_NAMESPACE": "store.ns", "SCANNER_STORE_REDIS_SCAN_JOB_TTL": "2h45m15s", @@ -197,6 +199,14 @@ func TestGetConfig(t *testing.T) { IgnoreUnfixed: true, SkipDBUpdate: true, SkipJavaDBUpdate: false, + DBRepository: []string{ + "mirror.gcr.io/aquasec/trivy-db", + "ghcr.io/aquasecurity/trivy-db", + }, + JavaDBRepository: []string{ + "mirror.gcr.io/aquasec/trivy-java-db", + "ghcr.io/aquasecurity/trivy-java-db", + }, OfflineScan: true, Insecure: true, GitHubToken: "", diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go index 565ec9d5..61fd0562 100644 --- a/pkg/trivy/wrapper.go 
+++ b/pkg/trivy/wrapper.go @@ -199,16 +199,16 @@ func (w *wrapper) prepareScanCmd(target ScanTarget, outputFile string, opt ScanO args = append(args, "--offline-scan") } - if w.config.IgnorePolicy != "" { - args = append(args, "--ignore-policy", w.config.IgnorePolicy) + if len(w.config.DBRepository) > 0 { + args = append(args, "--db-repository", strings.Join(w.config.DBRepository, ",")) } - if w.config.DBRepository != "" { - args = append(args, "--db-repository", w.config.DBRepository) + if len(w.config.JavaDBRepository) > 0 { + args = append(args, "--java-db-repository", strings.Join(w.config.JavaDBRepository, ",")) } - if w.config.JavaDBRepository != "" { - args = append(args, "--java-db-repository", w.config.JavaDBRepository) + if w.config.IgnorePolicy != "" { + args = append(args, "--ignore-policy", w.config.IgnorePolicy) } if w.config.DebugMode { diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go index b39acca0..1c1365ee 100644 --- a/pkg/trivy/wrapper_test.go +++ b/pkg/trivy/wrapper_test.go @@ -115,8 +115,8 @@ func TestWrapper_Scan(t *testing.T) { IgnorePolicy: "/home/scanner/opa/policy.rego", SkipDBUpdate: true, SkipJavaDBUpdate: true, - DBRepository: "ghcr.io/aquasecurity/trivy-db", - JavaDBRepository: "ghcr.io/aquasecurity/trivy-java-db", + DBRepository: []string{"mirror.gcr.io/aquasec/trivy-db", "ghcr.io/aquasecurity/trivy-db"}, + JavaDBRepository: []string{"mirror.gcr.io/aquasec/trivy-java-db", "ghcr.io/aquasecurity/trivy-java-db"}, GitHubToken: "", Insecure: true, Timeout: 5 * time.Minute, @@ -156,9 +156,9 @@ func TestWrapper_Scan(t *testing.T) { "--skip-db-update", "--skip-java-db-update", "--db-repository", - "ghcr.io/aquasecurity/trivy-db", + "mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db", "--java-db-repository", - "ghcr.io/aquasecurity/trivy-java-db", + "mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db", "--ignore-policy", "/home/scanner/opa/policy.rego", "--debug",
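Review bot: The `--db-repository` and `--java-db-repository` arguments now carry a comma-separated list, which only works with a Trivy release that accepts multiple repositories for those flags; nothing in this commit pins or bumps the bundled Trivy version or the version matrix in `README.md`, so an older binary would presumably treat the joined string as one invalid reference and every scan would fail at DB download time. I would record the requirement above the first new `if`, e.g. `// A comma-separated list requires a Trivy release that supports multiple DB repositories; see the version matrix in README.md.`, and cover the unset case (empty slice, flag omitted) in `wrapper_test.go`, which currently only asserts the two-entry list. The move of the `--ignore-policy` block below the repository flags appears to be made so the argument order matches what `wrapper_test.go` already expected (`--db-repository` ahead of `--ignore-policy`); if so, a sentence in the commit message would save the next reader from wondering whether it is a functional change. `prepareScanCmd` starts and ends outside this hunk.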