From 059fda870eb99b18df835404971e25063c81c7f5 Mon Sep 17 00:00:00 2001
From: Bertrand Goareguer <bertrand.goareguer@gmail.com>
Date: Thu, 28 Mar 2024 16:34:18 +0000
Subject: [PATCH] feat(trivy): enable custom Trivy Java DB repository

---
 README.md | 2 +-
 kicker.json | 7 ++++++-
 templates/gitlab-ci-docker.yml | 9 +++++++--
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index b2a8058..c107fd1 100644
--- a/README.md
+++ b/README.md
@@ -404,7 +404,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis | _(none)_ |
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/) | `--ignore-unfixed --vuln-type os` |
 | `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
-
+| `trivy-java-db-repository` / `DOCKER_TRIVY_JAVA_DB_REPOSITORY` | OCI repository to retrieve Trivy Java Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-java-db:1`)_ |
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
diff --git a/kicker.json b/kicker.json
index d23402f..78f79b4 100644
--- a/kicker.json
+++ b/kicker.json
@@ -198,7 +198,12 @@
 },
 {
 "name": "DOCKER_TRIVY_DB_REPOSITORY",
- "description": "Custom OCI repository to retrieve Trivy Database from",
+ "description": "OCI repository to retrieve Trivy Database from",
+ "advanced": true
+ },
+ {
+ "name": "DOCKER_TRIVY_JAVA_DB_REPOSITORY",
+ "description": "OCI repository to retrieve Trivy Java Database from",
 "advanced": true
 }
 ]
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 6c5802a..24ec874 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -173,6 +173,9 @@ spec:
 trivy-db-repository:
 description: Custom OCI repository to retrieve Trivy Database from
 default: ''
+ trivy-java-db-repository: description: Custom Java DB repository path default: ''
 sbom-disabled:
 description: Disable Software Bill of Materials
 type: boolean
@@ -249,6 +252,7 @@ variables:
 DOCKER_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
 DOCKER_TRIVY_ARGS: $[[ inputs.trivy-args ]]
 DOCKER_TRIVY_DB_REPOSITORY: $[[ inputs.trivy-db-repository ]]
+ DOCKER_TRIVY_JAVA_DB_REPOSITORY: $[[ inputs.trivy-java-db-repository ]]
 # SBOM genenration image and arguments
 DOCKER_SBOM_IMAGE: $[[ inputs.sbom-image ]]
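Review bot: The description on the new `trivy-java-db-repository` input, `Custom Java DB repository path`, calls an OCI reference a "path" and does not match the sibling `trivy-db-repository` description just above it, nor the wording this same commit uses for `DOCKER_TRIVY_JAVA_DB_REPOSITORY` in kicker.json and the README. Since these descriptions are what component users see when browsing inputs, I would align it: `description: Custom OCI repository to retrieve Trivy Java Database from`. The enclosing `spec:` inputs block starts before this hunk.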
@@ -930,14 +934,15 @@ docker-trivy:
 mkdir -p ./reports
 if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
 log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
- trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY}
+ trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY}
 export trivy_opts="image"
 else
 log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
 export trivy_opts="image --server ${DOCKER_TRIVY_ADDR}"
 fi
 # Add common trivy arguments
- export trivy_opts="${trivy_opts} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
+ # The Java DB is downloaded client-side in client/server mode (https://github.com/aquasecurity/trivy/issues/3560), so we need to specify the Java DB repository
+ export trivy_opts="${trivy_opts} ${DOCKER_TRIVY_JAVA_DB_REPOSITORY:+--java-db-repository $DOCKER_TRIVY_JAVA_DB_REPOSITORY} --no-progress --severity ${DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD} ${DOCKER_TRIVY_ARGS}"
 # GitLab format (no fail)
 trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $DOCKER_SNAPSHOT_IMAGE
 # JSON format (no fail)
-- 
GitLab
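Review bot: The Java DB repository passed on the new `trivy image --download-db-only …` line and in the new `export trivy_opts=…` line is an unpinned OCI reference taken straight from a CI variable, and nothing in the job records which source the vulnerability data actually came from. Whoever can set `DOCKER_TRIVY_JAVA_DB_REPOSITORY` (or `DOCKER_TRIVY_DB_REPOSITORY`) at project or group level can point the scan at a database that reports nothing, so the README row should state that the value must be a trusted mirror, ideally pinned by digest (`…/trivy-java-db@sha256:…`) if the pinned Trivy image accepts digest references, and the job should log the configured repository next to the existing mode log lines so scan output can be audited later, e.g. `if [[ -n "${DOCKER_TRIVY_JAVA_DB_REPOSITORY}" ]]; then log_info "Using Java DB repository: ${DOCKER_TRIVY_JAVA_DB_REPOSITORY}"; fi` (an `if` rather than `[[ … ]] && …`, since a false test would fail the script line). Separately, as far as I know `--download-db-only` fetches only the main vulnerability database, so the Java DB is still fetched lazily during the first `trivy ${trivy_opts} …` scan; if the pinned Trivy version supports `--download-java-db-only`, a second pre-fetch call in the standalone branch would surface a bad repository before any report is produced. The `docker-trivy` script block starts before and continues after this hunk.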