improve how trivy db and java-db is handled (#979)

FairwindsOps · Nov 7, 2024 · 57e1d3f · 57e1d3f
1 parent 95ba385
commit 57e1d3f
Show file tree

Hide file tree

Showing 8 changed files with 34 additions and 8 deletions.
diff --git a/plugins/ci/CHANGELOG.md b/plugins/ci/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 5.7.10
+- fix trivy db / java-db downloading
+
 ## 5.7.9
 - bumped trivy to v0.57.0
 

diff --git a/plugins/ci/pkg/ci/trivy.go b/plugins/ci/pkg/ci/trivy.go
@@ -302,12 +302,21 @@ func scanImagesWithTrivy(images []trivymodels.Image, configurationObject models.
 	args := []string{
 		"image", "--download-db-only",
 		"--db-repository", "ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,docker.io/aquasec/trivy-db:2",
-		"--java-db-repository", "ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,docker.io/aquasec/trivy-java-db:1",
 	}
 	output, err := commands.ExecWithMessage(exec.Command("trivy", args...), "downloading trivy database")
 	if err != nil {
 		return nil, "", fmt.Errorf("unable to download trivy database, %v: %s", err, output)
 	}
+
+	args = []string{
+		"image", "--download-java-db-only",
+		"--java-db-repository", "ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,docker.io/aquasec/trivy-java-db:1",
+	}
+	output, err = commands.ExecWithMessage(exec.Command("trivy", args...), "downloading trivy java database")
+	if err != nil {
+		return nil, "", fmt.Errorf("unable to download trivy java database, %v: %s", err, output)
+	}
+
 	reportByRef := map[string]*trivymodels.TrivyResults{}
 	errorsByRef := map[string]*multierror.Error{}
 	for _, currentImage := range images {
@@ -454,9 +463,9 @@ func (ci *CIScan) SkipTrivyManifests() bool {
 // ScanImageFile will scan a single file with Trivy and return the results.
 func ScanImageFile(imagePath, imageID, tempDir, extraFlags string) (*trivymodels.TrivyResults, error) {
 	reportFile := tempDir + "/trivy-report-" + imageID + ".json"
-	cmd := exec.Command("trivy", "-d", "image", "--skip-update", "-f", "json", "-o", reportFile, "--input", imagePath)
+	cmd := exec.Command("trivy", "-d", "image", "--skip-db-update", "--skip-java-db-update", "-f", "json", "-o", reportFile, "--input", imagePath)
 	if extraFlags != "" {
-		cmd = exec.Command("trivy", "-d", "image", "--skip-update", extraFlags, "-f", "json", "-o", reportFile, "--input", imagePath)
+		cmd = exec.Command("trivy", "-d", "image", "--skip-db-update", "--skip-java-db-update", extraFlags, "-f", "json", "-o", reportFile, "--input", imagePath)
 	}
 	_, err := util.RunCommand(cmd, "scanning "+imageID)
 	if err != nil {

diff --git a/plugins/ci/version.txt b/plugins/ci/version.txt
@@ -1 +1 @@
-5.7.9
+5.7.10
diff --git a/plugins/trivy/CHANGELOG.md b/plugins/trivy/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Changelog
 
+## 0.31.2
+* fix trivy db / java-db cache
+
 ## 0.31.1
 * bumped trivy to 0.57.0
 

diff --git a/plugins/trivy/Dockerfile b/plugins/trivy/Dockerfile
@@ -37,7 +37,10 @@ COPY --from=downloader /usr/local/bin/trivy /usr/local/bin/trivy
 
 RUN TRIVY_CACHE_DIR=/var/tmp trivy image \ 
   --download-db-only \ 
-  --db-repository "ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db:2","docker.io/aquasec/trivy-db:2" \ 
+  --db-repository "ghcr.io/aquasecurity/trivy-db:2","public.ecr.aws/aquasecurity/trivy-db:2","docker.io/aquasec/trivy-db:2"
+
+RUN TRIVY_CACHE_DIR=/var/tmp trivy image \ 
+  --download-java-db-only \ 
   --java-db-repository "ghcr.io/aquasecurity/trivy-java-db:1","public.ecr.aws/aquasecurity/trivy-java-db:1","docker.io/aquasec/trivy-java-db:1"
 
 ENV CLOUDSDK_CONFIG=/tmp/gcloud

diff --git a/plugins/trivy/cmd/trivy/main.go b/plugins/trivy/cmd/trivy/main.go
@@ -40,12 +40,20 @@ func main() {
 		args := []string{
 			"image", "--download-db-only",
 			"--db-repository", "ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db:2,docker.io/aquasec/trivy-db:2",
-			"--java-db-repository", "ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,docker.io/aquasec/trivy-java-db:1",
 		}
 		_, err := util.RunCommand(exec.Command("trivy", args...), "downloading trivy database")
 		if err != nil {
 			logrus.Fatal(err)
 		}
+
+		args = []string{
+			"image", "--download-java-db-only",
+			"--java-db-repository", "ghcr.io/aquasecurity/trivy-java-db:1,public.ecr.aws/aquasecurity/trivy-java-db:1,docker.io/aquasec/trivy-java-db:1",
+		}
+		_, err = util.RunCommand(exec.Command("trivy", args...), "downloading trivy java database")
+		if err != nil {
+			logrus.Fatal(err)
+		}
 	}
 
 	host := os.Getenv("FAIRWINDS_INSIGHTS_HOST")

diff --git a/plugins/trivy/pkg/image/scan.go b/plugins/trivy/pkg/image/scan.go
@@ -155,7 +155,7 @@ func getOsArch(imageCfg models.TrivyImageConfig) string {
 func ScanImage(extraFlags, pullRef string, registryOAuth2AccessTokenMap map[string]string) (*models.TrivyResults, error) {
 	imageID := nonWordRegexp.ReplaceAllString(pullRef, "_")
 	reportFile := TempDir + "/trivy-report-" + imageID + ".json"
-	args := []string{"-d", "image", "--skip-update", "--security-checks", "vuln", "-f", "json", "-o", reportFile}
+	args := []string{"-d", "image", "--skip-db-update", "--skip-java-db-update", "--security-checks", "vuln", "-f", "json", "-o", reportFile}
 	if extraFlags != "" {
 		args = append(args, extraFlags)
 	}

diff --git a/plugins/trivy/version.txt b/plugins/trivy/version.txt
@@ -1 +1 @@
-0.31.1
+0.31.2