Commit 357eec8e authored by Pierre Smeyers

Merge branch 'feat/use-trivy-variables' into 'master'

refactor(jib/trivy): enforce usage of Trivy environment variables

See merge request to-be-continuous/maven!100
parents 7345fa4d e62f19e9
...@@ -482,10 +482,16 @@ The template uses GitLab registries and authentication defaults. See the Docker ...@@ -482,10 +482,16 @@ The template uses GitLab registries and authentication defaults. See the Docker
| -------------------------------------- | ------------------------ | ------------------------------------------------- | | -------------------------------------- | ------------------------ | ------------------------------------------------- |
| `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` | | `sbom-image` / `MAVEN_SBOM_IMAGE` | The image used to perform and complete the Security Bill of Materials | `registry.hub.docker.com/anchore/syft:debug` |
| `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` | | `sbom-opts` / `MAVEN_SBOM_OPTS` | SBOM options to complete the Security Bill of Materials | `--override-default-catalogers rpm-db-cataloger,alpm-db-cataloger,apk-db-cataloger,dpkg-db-cataloger,portage-cataloger,nix-store-cataloger,java` |
| `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` | Security level which fails the `mvn-trivy` job | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` |
| `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` | | `trivy-image` / `MAVEN_TRIVY_IMAGE` | The image to perform container security scanning | `registry.hub.docker.com/aquasec/trivy:latest` |
| `trivy-args` / `MAVEN_TRIVY_ARGS` | Arguments for the execution of Trivy | `--ignore-unfixed --vuln-type os` | | `trivy-args` / `MAVEN_TRIVY_ARGS` | Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options) | `--ignore-unfixed --vuln-type os` |
Other Trivy parameters shall be configured using [Trivy environment variables](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options).
Examples:
* `TRIVY_SEVERITY`: severities of security issues to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)
* `TRIVY_SERVER`: server address (enables client/server mode)
* `TRIVY_DB_REPOSITORY`: OCI repository to retrieve Trivy Database from
* `TRIVY_JAVA_DB_REPOSITORY`: OCI repository to retrieve Trivy Java Database from
##### Jib build and publish configuration ##### Jib build and publish configuration
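Review bot: the "Other Trivy parameters shall be configured using Trivy environment variables" sentence links to the `trivy image` CLI options page (the same URL the `trivy-args` row now uses), so the link text promises environment-variable documentation that the target page does not lead with; either point it at Trivy's configuration documentation or spell out the rule the four examples below rely on (every `trivy image` flag can be given as `TRIVY_<FLAG>`, upper-case with dashes turned into underscores, e.g. `--db-repository` becomes `TRIVY_DB_REPOSITORY`). Because the `trivy-security-level-threshold` / `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` row is removed and `TRIVY_SEVERITY` is now only listed as an example, add a one-line migration note saying that `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` is replaced by `TRIVY_SEVERITY` and `MAVEN_TRIVY_ADDR` by `TRIVY_SERVER`, and state what the `mvn-trivy` job fails on when `TRIVY_SEVERITY` is unset: the removed row documented a default of `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL`, the new text documents no default at all.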
...@@ -217,7 +217,7 @@ ...@@ -217,7 +217,7 @@
{ {
"id": "mvn-trivy", "id": "mvn-trivy",
"name": "Maven Trivy", "name": "Maven Trivy",
"description": "[Trivy](https://github.com/aquasecurity/trivy) vulnerability analysis", "description": "[Trivy](https://aquasecurity.github.io/trivy) vulnerability analysis",
"disable_with": "MAVEN_TRIVY_DISABLED", "disable_with": "MAVEN_TRIVY_DISABLED",
"variables": [ "variables": [
{ {
...@@ -226,27 +226,9 @@ ...@@ -226,27 +226,9 @@
"default": "registry.hub.docker.com/aquasec/trivy:latest", "default": "registry.hub.docker.com/aquasec/trivy:latest",
"advanced": true "advanced": true
}, },
{
"name": "MAVEN_TRIVY_ADDR",
"type": "url",
"description": "The Trivy server address"
},
{
"name": "MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD",
"type": "enum",
"values": [
"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL",
"LOW,MEDIUM,HIGH,CRITICAL",
"MEDIUM,HIGH,CRITICAL",
"HIGH,CRITICAL",
"CRITICAL"
],
"description": "Severities of vulnerabilities to be displayed (comma separated values: `UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)",
"default": "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
},
{ {
"name": "MAVEN_TRIVY_ARGS", "name": "MAVEN_TRIVY_ARGS",
"description": "Additional `trivy client` arguments", "description": "Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)",
"default": "--ignore-unfixed --vuln-type os", "default": "--ignore-unfixed --vuln-type os",
"advanced": true "advanced": true
} }
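Review bot: dropping `MAVEN_TRIVY_ADDR` and `MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD` from the variable list is a breaking change for existing projects: a project that still sets either variable will have it silently ignored, and for the threshold that means the gate the project owner configured (the removed enum fed `--severity`, per the template script) no longer applies and every severity is reported and failed on again. Either keep the two entries with a description marking them deprecated and pointing to `TRIVY_SERVER` / `TRIVY_SEVERITY`, or record the removal in the changelog as a breaking change so that users find the replacement rather than a scan that quietly behaves differently.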
...@@ -32,21 +32,8 @@ spec: ...@@ -32,21 +32,8 @@ spec:
trivy-image: trivy-image:
description: The docker image used to scan images with Trivy description: The docker image used to scan images with Trivy
default: registry.hub.docker.com/aquasec/trivy:latest default: registry.hub.docker.com/aquasec/trivy:latest
trivy-addr:
description: The Trivy server address
default: ''
trivy-security-level-threshold:
description: 'Severities of vulnerabilities to be displayed (comma separated values:
`UNKNOWN`, `LOW`, `MEDIUM`, `HIGH`, `CRITICAL`)'
options:
- UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
- LOW,MEDIUM,HIGH,CRITICAL
- MEDIUM,HIGH,CRITICAL
- HIGH,CRITICAL
- CRITICAL
default: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
trivy-args: trivy-args:
description: Additional `trivy client` arguments description: Additional [`trivy image` options](https://aquasecurity.github.io/trivy/latest/docs/references/configuration/cli/trivy_image/#options)
default: --ignore-unfixed --vuln-type os default: --ignore-unfixed --vuln-type os
sbom-image: sbom-image:
default: registry.hub.docker.com/anchore/syft:debug default: registry.hub.docker.com/anchore/syft:debug
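Review bot: removing `trivy-addr` and `trivy-security-level-threshold` from `spec:inputs` has a stronger effect than removing a variable: GitLab rejects a pipeline that passes an input the included component does not declare, so any project including this template with `inputs: { trivy-addr: ... }` or `trivy-security-level-threshold: ...` fails at configuration time instead of falling back to a default. That is the safer outcome for the severity gate (a silently dropped threshold would be worse), but it must be called out as a breaking change, and the `trivy-args` description is the natural place to say that server address and severity are now taken from `TRIVY_SERVER` / `TRIVY_SEVERITY`.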
...@@ -57,8 +44,8 @@ spec: ...@@ -57,8 +44,8 @@ spec:
variables: variables:
MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]] MAVEN_SBOM_IMAGE: $[[ inputs.sbom-image ]]
MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]] MAVEN_SBOM_OPTS: $[[ inputs.sbom-opts ]]
MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: $[[ inputs.trivy-security-level-threshold ]]
MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]] MAVEN_TRIVY_IMAGE: $[[ inputs.trivy-image ]]
MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]] MAVEN_TRIVY_ARGS: $[[ inputs.trivy-args ]]
MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]] MAVEN_JIB_SNAPSHOT_IMAGE: $[[ inputs.jib-snapshot-image ]]
MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]] MAVEN_JIB_RELEASE_IMAGE: $[[ inputs.jib-release-image ]]
...@@ -66,8 +53,6 @@ variables: ...@@ -66,8 +53,6 @@ variables:
MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]] MAVEN_JIB_PROD_PUBLISH_STRATEGY: $[[ inputs.jib-prod-publish-strategy ]]
MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]] MAVEN_SKOPEO_IMAGE: $[[ inputs.skopeo-image ]]
MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]] MAVEN_JIB_PUBLISH_ARGS: $[[ inputs.jib-publish-args ]]
MAVEN_TRIVY_DISABLED: $[[ inputs.trivy-disabled ]]
MAVEN_TRIVY_ADDR: $[[ inputs.trivy-addr ]]
.mvn-jib-scripts: &mvn-jib-scripts | .mvn-jib-scripts: &mvn-jib-scripts |
# BEGSCRIPT # BEGSCRIPT
...@@ -164,25 +149,19 @@ mvn-trivy: ...@@ -164,25 +149,19 @@ mvn-trivy:
export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}} export TRIVY_PASSWORD=${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}
export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g') export basename=$(echo "${MAVEN_JIB_SNAPSHOT_IMAGE}" | sed 's|[/:]|_|g')
mkdir -p ./reports mkdir -p ./reports
if [[ -z "${MAVEN_TRIVY_ADDR}" ]]; then if [[ -z "$TRIVY_SERVER" ]]; then
log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the MAVEN_TRIVY_ADDR variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m" log_warn "\\e[93mYou are using Trivy in standalone mode. To get faster scans, consider setting the TRIVY_SERVER variable to the address of a Trivy server. More info here: https://aquasecurity.github.io/trivy/latest/docs/references/modes/client-server/\\e[0m"
trivy image --download-db-only
export trivy_opts="image"
else
log_info "You are using Trivy in client/server mode with the following server: ${MAVEN_TRIVY_ADDR}"
export trivy_opts="image --server ${MAVEN_TRIVY_ADDR}"
fi fi
# Add common trivy arguments # Generate the native JSON report that can later be converted to other formats
export trivy_opts="${trivy_opts} --no-progress --severity ${MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD} ${MAVEN_TRIVY_ARGS}" trivy image --no-progress ${MAVEN_TRIVY_ARGS} --exit-code 1 --format json --output reports/jib-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE || exit_code=$?
# GitLab format (no fail)
trivy ${trivy_opts} --format template --exit-code 0 --template "@/contrib/gitlab.tpl" --output reports/docker-trivy-${basename}.gitlab.json $MAVEN_JIB_SNAPSHOT_IMAGE # Generate a report in the GitLab format
# JSON format (no fail) trivy convert --format template --template "@/contrib/gitlab.tpl" --output reports/jib-trivy-${basename}.gitlab.json reports/jib-trivy-${basename}.native.json
if [[ "$DEFECTDOJO_TRIVY_REPORTS" ]]
then # console output
trivy ${trivy_opts} --format json --exit-code 0 --output reports/docker-trivy-${basename}.native.json $MAVEN_JIB_SNAPSHOT_IMAGE trivy convert --format table reports/jib-trivy-${basename}.native.json
fi
# console output (fail) exit $exit_code
trivy ${trivy_opts} --format table --exit-code 1 $MAVEN_JIB_SNAPSHOT_IMAGE
artifacts: artifacts:
name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG" name: "$CI_JOB_NAME artifacts from $CI_PROJECT_NAME on $CI_COMMIT_REF_SLUG"
expire_in: 1 day expire_in: 1 day
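Review bot: `exit_code` is only assigned in the `|| exit_code=$?` branch of the `trivy image` line, so when the scan finds nothing the closing `exit $exit_code` expands to a bare `exit` and returns the status of the preceding `trivy convert --format table` rather than an explicit success; initialise it with `exit_code=0` before the scan (this also keeps the script valid under `set -u`). The same `||` guard swallows every non-zero status, not only the `--exit-code 1` "findings" status, so a failed image pull or database download (the standalone branch no longer runs `trivy image --download-db-only` up front) leaves no `reports/jib-trivy-${basename}.native.json` and the job then dies inside `trivy convert` with a misleading error; check that the native report exists before converting, or only defer the exit when the report was produced. Finally, the reports are renamed from `docker-trivy-${basename}.*` to `jib-trivy-${basename}.*` and the `.native.json` report is now written unconditionally instead of only when `DEFECTDOJO_TRIVY_REPORTS` is set, so the `artifacts:` paths/reports below and any consumer keyed on the old `docker-trivy-` names need updating in the same change.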