Skip to content

Add support for multiple vulnerability database repositories#7

Open
benji78 wants to merge 1 commit intogoharbor:mainfrom
benji78:multi-db-repositories
Open

Add support for multiple vulnerability database repositories#7
benji78 wants to merge 1 commit intogoharbor:mainfrom
benji78:multi-db-repositories

Conversation

@benji78
Copy link

@benji78 benji78 commented Nov 17, 2024
edited
Loading

At the time of my previous pull request (#3), this scanner adapter only supported trivy v0.54.1. In trivy v0.56.0 support for multiple vulnerability database repositories was added.

Here is how it can be used:

    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-db,ghcr.io/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

I also added these to the config test and updated the wrapper test.

This also includes the same README fix as #6, updates the default repositories and adds some info to values.yaml.

I am just waiting for trivy to update the default registries to mark this PR as ready.

@benji78
feat: support multiple database repositories
f5d486f 
Signed-off-by: Benjamin Bordes <benjaminbordes78@gmail.com>
@benji78 benji78 marked this pull request as draft November 17, 2024 18:25
@benji78 benji78 mentioned this pull request Nov 17, 2024
Merged
@benji78 benji78 marked this pull request as ready for review November 18, 2024 09:53
benji78
benji78 commented Nov 18, 2024
View reviewed changes
pkg/etc/config.go
Comment on lines -37 to +38
DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
DBRepository []string `env:"SCANNER_TRIVY_DB_REPOSITORY"`
JavaDBRepository []string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY"`
Copy link
Author

@benji78 benji78 Nov 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I hardcode the default repositories? I was thinking using trivy's default might be better but if they change in future the README documentations would be wrong

Copy link

@stgdns stgdns Nov 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

two days ago a new trivy version has been released: v0.57.1
The default URLs have changed:
aquasecurity/trivy#7679

Copy link
Author

@benji78 benji78 Nov 20, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is indeed what I am referring to and the reason why I waited before creating this PR (and had it as a draft) because I needed to update the documentation.

@stgdns stgdns mentioned this pull request Nov 20, 2024
Closed
@reasonerjt
Copy link

reasonerjt commented Dec 3, 2024

I intend to bump up the adapter to v0.32.1 consuming trivy v0.57.1

IMO this change is probably not needed for v0.32.1, thoughts? @benji78

reasonerjt
reasonerjt reviewed Dec 5, 2024
View reviewed changes
pkg/etc/config.go
SkipJavaDBUpdate bool `env:"SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" envDefault:"false"`
DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
DBRepository []string `env:"SCANNER_TRIVY_DB_REPOSITORY"`
Copy link

@reasonerjt reasonerjt Dec 5, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It can remain as a string and we just document the value should be comma separated URIs?

Copy link
Author

@benji78 benji78 Dec 5, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could do that, but even though we are not changing or using the URIs separately right now, I believe it is clearer and more future proof to use an array of strings.
We could, for example, strip any spaces around the comma (may not be such a good practice though) or change from comma separated string to using one --db-repository or --java-db-repository per URI.

@benji78
Copy link
Author

benji78 commented Dec 5, 2024

Trivy v0.56.0 (and therefore also harbor-scanner-trivy v0.32.0) already supports multiple repositories, so bumping to trivy v0.57.1 will just update the database registry fallback (and other unrelated changes).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@reasonerjt reasonerjt reasonerjt left review comments

+1 more reviewer

@stgdns stgdns stgdns left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@benji78 @reasonerjt @stgdns