From 5c185c85eaa6114aec896bab4e992dbd3b13ad36 Mon Sep 17 00:00:00 2001
From: Pierre Smeyers <pierre.smeyers@gmail.com>
Date: Sat, 30 Mar 2024 12:06:25 +0100
Subject: [PATCH] refactor(Trivy): conditional use of --db-repository option

* conditional use of --db-repository option with Bash variable expansion
* rephrase DOCKER_TRIVY_DB_REPOSITORY doc to match Trivy help
---
 README.md                      | 2 +-
 kicker.json                    | 2 +-
 templates/gitlab-ci-docker.yml | 8 ++------
 3 files changed, 4 insertions(+), 8 deletions(-)

diff --git a/README.md b/README.md
index 41e026a..b2a8058 100644
--- a/README.md
+++ b/README.md
@@ -403,7 +403,7 @@ It is bound to the `package-test` stage, and uses the following variables:
 | `trivy-security-level-threshold` / `DOCKER_TRIVY_SECURITY_LEVEL_THRESHOLD` | Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`) | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`  |
 | `trivy-disabled` / `DOCKER_TRIVY_DISABLED` | Set to `true` to disable Trivy analysis          | _(none)_ |
 | `trivy-args` / `DOCKER_TRIVY_ARGS` | Additional [`trivy client` arguments](https://aquasecurity.github.io/trivy/v0.27.1/docs/references/cli/client/)  | `--ignore-unfixed --vuln-type os` |
-| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | Set a custom DB repository path for downloading the trivy database  | _(none: default "ghcr.io/aquasecurity/trivy-db")_ |
+| `trivy-db-repository` / `DOCKER_TRIVY_DB_REPOSITORY` | OCI repository to retrieve Trivy Database from | _none_ (use Trivy default `ghcr.io/aquasecurity/trivy-db`) |
 
 
 In addition to a textual report in the console, this job produces the following reports, kept for one day:
diff --git a/kicker.json b/kicker.json
index a17e890..d23402f 100644
--- a/kicker.json
+++ b/kicker.json
@@ -198,7 +198,7 @@
         },
         {
           "name": "DOCKER_TRIVY_DB_REPOSITORY",
-          "description": "Custom DB repository path",
+          "description": "Custom OCI repository to retrieve Trivy Database from",
           "advanced": true
         }
       ]
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index 61699d8..6c5802a 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -171,7 +171,7 @@ spec:
       description: Additional `trivy client` arguments
       default: --ignore-unfixed --vuln-type os --exit-on-eol 1
     trivy-db-repository:
-      description: Custom DB repository path 
+      description: Custom OCI repository to retrieve Trivy Database from
       default: ''
     sbom-disabled:
       description: Disable Software Bill of Materials
@@ -930,11 +930,7 @@ docker-trivy:
     mkdir -p ./reports
     if [[ -z "${DOCKER_TRIVY_ADDR}" ]]; then
       log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the DOCKER_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
-      if [[ -z "${DOCKER_TRIVY_DB_REPOSITORY}" ]]; then
-        trivy image --download-db-only
-      else
-        trivy image --download-db-only --db-repository ${DOCKER_TRIVY_DB_REPOSITORY}
-      fi
+      trivy image --download-db-only ${DOCKER_TRIVY_DB_REPOSITORY:+--db-repository $DOCKER_TRIVY_DB_REPOSITORY}
       export trivy_opts="image"
     else
       log_info "You are using Trivy in client/server mode with the following server: ${DOCKER_TRIVY_ADDR}"
-- 
GitLab