From 96bd7ac59452160a02adab1c7d43e3e6d9b639ba Mon Sep 17 00:00:00 2001 From: DmitriyLewen <91113035+DmitriyLewen@users.noreply.github.com> Date: Mon, 11 Mar 2024 12:57:56 +0600 Subject: [PATCH] fix(db): use schema version as tag only for `trivy-db` and `trivy-java-db` registries by default (#6219) --- docs/docs/configuration/db.md | 14 ++++++++++++-- .../configuration/cli/trivy_filesystem.md | 4 ++-- .../references/configuration/cli/trivy_image.md | 4 ++-- .../configuration/cli/trivy_kubernetes.md | 4 ++-- .../configuration/cli/trivy_repository.md | 4 ++-- .../references/configuration/cli/trivy_rootfs.md | 4 ++-- .../references/configuration/cli/trivy_sbom.md | 4 ++-- .../references/configuration/cli/trivy_server.md | 2 +- docs/docs/references/configuration/cli/trivy_vm.md | 4 ++-- pkg/db/db.go | 10 ++++++++-- pkg/flag/db_flags.go | 4 ++-- pkg/javadb/client.go | 8 +++++++- 12 files changed, 44 insertions(+), 22 deletions(-) diff --git a/docs/docs/configuration/db.md b/docs/docs/configuration/db.md index 562356484ae3..1479a79183a1 100644 --- a/docs/docs/configuration/db.md +++ b/docs/docs/configuration/db.md 
@@ -54,18 +54,28 @@ $ trivy image --download-db-only $ trivy image --db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-db ``` +!!!note + Trivy automatically adds the `trivy-db` schema version as a tag if the tag is not used: + + `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`. + ## Java Index Database The same options are also available for the Java index DB, which is used for scanning Java applications. Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB. +!!! Note + In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side. + Downloading the Java index DB from an external OCI registry can be done by using the `--java-db-repository` option. ``` $ trivy image --java-db-repository registry.gitlab.com/gitlab-org/security-products/dependencies/trivy-java-db --download-java-db-only ``` -!!! Note - In [Client/Server](../references/modes/client-server.md) mode, `Java index DB` is currently only used on the `client` side. +!!!note + Trivy automatically adds the `trivy-java-db` schema version as a tag if the tag is not used: + + `java-db-registry:latest` => `java-db-registry:latest`, but `java-db-registry` => `java-db-registry:1`. ## Remove DBs The `--reset` flag removes all caches and databases. diff --git a/docs/docs/references/configuration/cli/trivy_filesystem.md b/docs/docs/references/configuration/cli/trivy_filesystem.md index 9a7a8fe24bb2..e26b26df7bfd 100644 --- a/docs/docs/references/configuration/cli/trivy_filesystem.md +++ b/docs/docs/references/configuration/cli/trivy_filesystem.md 
@@ -27,7 +27,7 @@ trivy filesystem [flags] PATH --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan @@ -47,7 +47,7 @@ trivy filesystem [flags] PATH --ignorefile string specify .trivyignore file (default ".trivyignore") --include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-non-failures include successes and exceptions, available with '--scanners misconfig' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability diff --git a/docs/docs/references/configuration/cli/trivy_image.md b/docs/docs/references/configuration/cli/trivy_image.md index ebf36a4140d3..20be9b459413 100644 --- a/docs/docs/references/configuration/cli/trivy_image.md +++ b/docs/docs/references/configuration/cli/trivy_image.md 
@@ -41,7 +41,7 @@ trivy image [flags] IMAGE_NAME --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --docker-host string unix domain socket path to use for docker scanning --download-db-only download/update vulnerability database but don't run a scan @@ -65,7 +65,7 @@ trivy image [flags] IMAGE_NAME --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) --include-non-failures include successes and exceptions, available with '--scanners misconfig' --input string input file path instead of image name - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability diff --git a/docs/docs/references/configuration/cli/trivy_kubernetes.md b/docs/docs/references/configuration/cli/trivy_kubernetes.md index 0b4ff3cf02d0..ed22d8299f5b 100644 --- a/docs/docs/references/configuration/cli/trivy_kubernetes.md +++ b/docs/docs/references/configuration/cli/trivy_kubernetes.md 
@@ -37,7 +37,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --context string specify a context to scan - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan @@ -57,7 +57,7 @@ trivy kubernetes [flags] { cluster | all | specific resources like kubectl. eg: --ignorefile string specify .trivyignore file (default ".trivyignore") --image-src strings image source(s) to use, in priority order (docker,containerd,podman,remote) (default [docker,containerd,podman,remote]) --include-non-failures include successes and exceptions, available with '--scanners misconfig' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --kubeconfig string specify the kubeconfig file path to use --list-all-pkgs enabling the option will output all packages regardless of vulnerability diff --git a/docs/docs/references/configuration/cli/trivy_repository.md b/docs/docs/references/configuration/cli/trivy_repository.md index de211fca43a2..0a2a614e4a5b 100644 --- a/docs/docs/references/configuration/cli/trivy_repository.md 
+++ b/docs/docs/references/configuration/cli/trivy_repository.md @@ -27,7 +27,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan @@ -47,7 +47,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL) --ignorefile string specify .trivyignore file (default ".trivyignore") --include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-non-failures include successes and exceptions, available with '--scanners misconfig' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability diff --git a/docs/docs/references/configuration/cli/trivy_rootfs.md b/docs/docs/references/configuration/cli/trivy_rootfs.md index fc5b6d9240ca..571fb009f4f0 100644 --- a/docs/docs/references/configuration/cli/trivy_rootfs.md +++ b/docs/docs/references/configuration/cli/trivy_rootfs.md 
@@ -29,7 +29,7 @@ trivy rootfs [flags] ROOTDIR --config-data strings specify paths from which data for the Rego policies will be recursively loaded --config-policy strings specify the paths to the Rego policy files or to the directories containing them, applying config files --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan @@ -49,7 +49,7 @@ trivy rootfs [flags] ROOTDIR --ignored-licenses strings specify a list of license to ignore --ignorefile string specify .trivyignore file (default ".trivyignore") --include-non-failures include successes and exceptions, available with '--scanners misconfig' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --license-confidence-level float specify license classifier's confidence level (default 0.9) --license-full eagerly look for licenses in source code headers and license files --list-all-pkgs enabling the option will output all packages regardless of vulnerability diff --git a/docs/docs/references/configuration/cli/trivy_sbom.md b/docs/docs/references/configuration/cli/trivy_sbom.md index 04e024f5e656..f30144c34e9d 100644 --- a/docs/docs/references/configuration/cli/trivy_sbom.md +++ b/docs/docs/references/configuration/cli/trivy_sbom.md 
@@ -25,7 +25,7 @@ trivy sbom [flags] SBOM_PATH --clear-cache clear image caches without scanning --compliance string compliance report to generate --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan --exit-code int specify exit code when any security issues are found @@ -37,7 +37,7 @@ trivy sbom [flags] SBOM_PATH --ignore-status strings comma-separated list of vulnerability status to ignore (unknown,not_affected,affected,fixed,under_investigation,will_not_fix,fix_deferred,end_of_life) --ignore-unfixed display only fixed vulnerabilities --ignorefile string specify .trivyignore file (default ".trivyignore") - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --list-all-pkgs enabling the option will output all packages regardless of vulnerability --no-progress suppress progress bar --offline-scan do not issue API requests to identify dependencies diff --git a/docs/docs/references/configuration/cli/trivy_server.md b/docs/docs/references/configuration/cli/trivy_server.md index d53bd574a85a..d888034c34bf 100644 --- a/docs/docs/references/configuration/cli/trivy_server.md +++ b/docs/docs/references/configuration/cli/trivy_server.md 
@@ -23,7 +23,7 @@ trivy server [flags] --cache-backend string cache backend (e.g. redis://localhost:6379) (default "fs") --cache-ttl duration cache TTL when using redis as cache backend --clear-cache clear image caches without scanning - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --download-db-only download/update vulnerability database but don't run a scan --enable-modules strings [EXPERIMENTAL] module names to enable -h, --help help for server diff --git a/docs/docs/references/configuration/cli/trivy_vm.md b/docs/docs/references/configuration/cli/trivy_vm.md index 282c96ea3b11..6acf6606284b 100644 --- a/docs/docs/references/configuration/cli/trivy_vm.md +++ b/docs/docs/references/configuration/cli/trivy_vm.md @@ -26,7 +26,7 @@ trivy vm [flags] VM_IMAGE --clear-cache clear image caches without scanning --compliance string compliance report to generate --custom-headers strings custom headers in client mode - --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db") + --db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db:2") --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --download-db-only download/update vulnerability database but don't run a scan --download-java-db-only download/update Java index database but don't run a scan 
@@ -45,7 +45,7 @@ trivy vm [flags] VM_IMAGE --ignore-unfixed display only fixed vulnerabilities --ignorefile string specify .trivyignore file (default ".trivyignore") --include-non-failures include successes and exceptions, available with '--scanners misconfig' - --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db") + --java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db:1") --list-all-pkgs enabling the option will output all packages regardless of vulnerability --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") diff --git a/pkg/db/db.go b/pkg/db/db.go index f5502f5828a0..fddd3393ea70 100644 --- a/pkg/db/db.go +++ b/pkg/db/db.go @@ -4,6 +4,7 @@ import ( "context" "errors" "fmt" + "strings" "time" "github.com/google/go-containerregistry/pkg/v1/remote/transport" @@ -78,6 +79,12 @@ func NewClient(cacheDir string, quiet bool, opts ...Option) *Client { opt(o) } + // Add the schema version as a tag if the tag doesn't exist. + // This is required for backward compatibility. + if !strings.Contains(o.dbRepository, ":") { + o.dbRepository = fmt.Sprintf("%s:%d", o.dbRepository, db.SchemaVersion) + } + return &Client{ options: o, cacheDir: cacheDir, @@ -188,8 +195,7 @@ func (c *Client) initOCIArtifact(opt types.RegistryOptions) (*oci.Artifact, erro return c.artifact, nil } - repo := fmt.Sprintf("%s:%d", c.dbRepository, db.SchemaVersion) - art, err := oci.NewArtifact(repo, c.quiet, opt) + art, err := oci.NewArtifact(c.dbRepository, c.quiet, opt) if err != nil { var terr *transport.Error if errors.As(err, &terr) { 
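Review bot: The new tag check in NewClient, `if !strings.Contains(o.dbRepository, ":")`, mistakes a registry host port for a tag: a private mirror written as `registry.example.com:5000/trivy-db` already contains a colon, so no schema version is appended and `oci.NewArtifact` is handed an untagged reference that the registry library will presumably resolve to its default tag instead of the schema-pinned `:2`, silently dropping the pin this commit exists to preserve. The colon should only count when it follows the last path separator, e.g. `if strings.LastIndex(o.dbRepository, ":") <= strings.LastIndex(o.dbRepository, "/") {`, which still leaves a digest reference such as `repo@sha256:…` untouched. A more robust option is to parse the string with go-containerregistry's `name` package, which this file already depends on through the `remote/transport` import, and append the tag only when the parsed reference carries no explicit tag or digest. The rest of NewClient, including the options loop before this hunk and the `return &Client{…}` literal after it, lies outside the hunk.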
diff --git a/pkg/flag/db_flags.go b/pkg/flag/db_flags.go index 23fb42a72bec..7e018e865a77 100644 --- a/pkg/flag/db_flags.go +++ b/pkg/flag/db_flags.go @@ -6,8 +6,8 @@ import ( "github.com/aquasecurity/trivy/pkg/log" ) -const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db" -const defaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db" +const defaultDBRepository = "ghcr.io/aquasecurity/trivy-db:2" +const defaultJavaDBRepository = "ghcr.io/aquasecurity/trivy-java-db:1" var ( ResetFlag = Flag[bool]{ diff --git a/pkg/javadb/client.go b/pkg/javadb/client.go index 8c8e042ef7fe..faa110a8460a 100644 --- a/pkg/javadb/client.go +++ b/pkg/javadb/client.go @@ -7,6 +7,7 @@ import ( "os" "path/filepath" "sort" + "strings" "sync" "time" @@ -82,8 +83,13 @@ func (u *Updater) Update() error { } func Init(cacheDir, javaDBRepository string, skip, quiet bool, registryOption ftypes.RegistryOptions) { + // Add the schema version as a tag if the tag doesn't exist. + // This is required for backward compatibility. + if !strings.Contains(javaDBRepository, ":") { + javaDBRepository = fmt.Sprintf("%s:%d", javaDBRepository, db.SchemaVersion) + } updater = &Updater{ - repo: fmt.Sprintf("%s:%d", javaDBRepository, db.SchemaVersion), + repo: javaDBRepository, dbDir: filepath.Join(cacheDir, "java-db"), skip: skip, quiet: quiet,
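Review bot: The new defaults `ghcr.io/aquasecurity/trivy-db:2` and `ghcr.io/aquasecurity/trivy-java-db:1` hard-code the schema versions as string literals, while pkg/db and pkg/javadb in this same commit still derive the tag from `db.SchemaVersion`, so there are now two sources of truth that must be bumped together. If only `db.SchemaVersion` is raised later, the default flag value will keep pulling the previous schema's artifact with no compile-time signal. Consider deriving the default from the same constant, e.g. `var defaultDBRepository = fmt.Sprintf("ghcr.io/aquasecurity/trivy-db:%d", db.SchemaVersion)` if importing the db package here does not create a cycle, or at minimum add a test asserting that the tag suffix of each default equals the corresponding `SchemaVersion` so the two cannot drift apart.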
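Review bot: Init duplicates the tag heuristic added to pkg/db and inherits the same flaw: `if !strings.Contains(javaDBRepository, ":")` treats a registry port as a tag, so a mirror like `registry.example.com:5000/trivy-java-db` reaches the updater without the `:1` schema tag and the schema pin is lost for exactly the private-registry case the `--java-db-repository` flag is meant to serve. The condition should compare the positions of the last colon and the last slash, `if strings.LastIndex(javaDBRepository, ":") <= strings.LastIndex(javaDBRepository, "/") {`, which also leaves digest references alone. Since both call sites need identical logic and an identical comment, a single shared helper (for example alongside `oci.NewArtifact`, which both paths already call) would keep the two from diverging when one is fixed. The `updater` struct literal continues past `quiet: quiet,` outside this hunk.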