diff --git a/README.md b/README.md
index b2a8058d2dc6e35895f170224631cd10653e6d4b..c107fd16522fd5788eb63a5b3295558501016424 100644
--- a/README.md
+++ b/README.md
@@ -404,7 +404,7 @@ It is bound to the `package-test` stage, and uses the following variables:
| `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
| `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
-
+| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
In addition to a textual report in the console, this job produces the following reports, kept for one day:
diff --git a/kicker.json b/kicker.json
index d23402f49b4c26126d9994d827f3a64018946abc..78f79b4984a37499f1c9af09c02a731a49fc6e4a 100644
--- a/kicker.json
+++ b/kicker.json
@@ -198,7 +198,12 @@
},
{
"name": "DOCKER_TRIVY_DB_REPOSITORY",
- "description": "Custom OCI repository to retrieve Trivy Database from",
+ "description": "OCI repository to retrieve Trivy Database from",
+ "advanced": true
+ },
+ {
+ "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
+ "description": "OCI repository to retrieve Trivy Java Database from",
"advanced": true
}
]
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 6c5802ac5a113e2c8fc163df2e66716674673b53..24ec874374612f8b17435925d025d430a84f71b9 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -173,6 +173,9 @@ spec:
trivy-db-repository:
description: Custom OCI repository to retrieve Trivy Database from
default: ''
+ trivy-java-db-repository:
+ description: Custom Java DB repository path
+ default: ''
sbom-disabled:
description: Disable Software Bill of Materials
type: boolean
@@ -249,6 +252,7 @@ variables:
DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
+ DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]
# SBOM genenration image and arguments
DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
@@ -930,14 +934,15 @@ docker-trivy:
mkdir -p ./reports
if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
- trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY}
+ trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}
export trivy_opts="image"
else
log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
fi
# Add common trivy arguments
- export trivy_opts="${trivy_opts} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
+ # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
+ export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
# GitLab format (no fail)
trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
# JSON format (no fail)