
ghcr rate limit for Trivy - overriding DB repositories #21163

Closed
marevers opened this issue Nov 11, 2024 · 8 comments
Labels: more-info-needed (the issue author needs to provide more details and context to the issue), scanner/trivy

Comments

@marevers

Since a few weeks we are also running into the rate limit for ghcr.io when the Trivy scanners are trying to download the vulnerability DB. A suggested solution on the Trivy side is to override the DB image repositories to ECR which should help with the rate limiting.

I have added the following environment variables in the chart:

```yaml
...
    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-java-db
...
```

The environment variables are correctly applied to the container, but it is still trying to download the DB from ghcr.io resulting in the rate limit / TOOMANYREQUESTS error.

Are these environment variables actually supported by the trivy-adapter-photon container? We are running the chart version 1.15.1 with trivy-adapter-photon:v2.11.1 as per the default values.
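One way to tell whether an override like the one above is actually in effect, rather than merely set: inspect the adapter pod's environment and its log together. This is an added example, not code from this thread or from the Harbor project; the env dump and log lines are constructed samples standing in for `kubectl exec <trivy-pod> -- env` and `kubectl logs <trivy-pod>` output.

```shell
#!/bin/sh
# Added example (not from Harbor or this thread): check that the Trivy DB
# repository override is really honoured by the running trivy-adapter pod.
# Real inputs: kubectl exec <trivy-pod> -- env ; kubectl logs <trivy-pod>
# The strings below are constructed samples so the script runs offline.

# Returns 0 when both override variables are present and neither still
# points at ghcr.io; 1 otherwise. Argument: the pod's env dump as one string.
env_has_override() {
  db=$(printf '%s\n' "$1" | sed -n 's/^SCANNER_TRIVY_DB_REPOSITORY=//p')
  java=$(printf '%s\n' "$1" | sed -n 's/^SCANNER_TRIVY_JAVA_DB_REPOSITORY=//p')
  [ -n "$db" ] && [ -n "$java" ] || return 1
  case "$db $java" in *ghcr.io*) return 1 ;; esac
  return 0
}

# Prints how many log lines still show a DB pull from ghcr.io (0 is the goal).
ghcr_pull_count() {
  printf '%s\n' "$1" | grep -c 'ghcr\.io/aquasecurity/trivy' || true
}

# Overall verdict: 0 if the env is right AND the log shows no ghcr.io pulls.
# An adapter older than v0.32.0 carries the variables but ignores them, which
# is exactly the case this catches.
override_effective() {
  env_has_override "$1" && [ "$(ghcr_pull_count "$2")" -eq 0 ]
}

# --- constructed samples --------------------------------------------------
SAMPLE_ENV_OK='PATH=/usr/bin
SCANNER_TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db
SCANNER_TRIVY_JAVA_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-java-db'
SAMPLE_ENV_MISSING='PATH=/usr/bin
SCANNER_TRIVY_DB_REPOSITORY=public.ecr.aws/aquasecurity/trivy-db'
SAMPLE_LOG_BAD='INFO Downloading vulnerability DB from ghcr.io/aquasecurity/trivy-db:2
ERROR unexpected status code 429 Too Many Requests: TOOMANYREQUESTS'
SAMPLE_LOG_GOOD='INFO Downloading vulnerability DB from public.ecr.aws/aquasecurity/trivy-db:2
INFO Vulnerability DB updated'

if override_effective "$SAMPLE_ENV_OK" "$SAMPLE_LOG_GOOD"; then
  echo "override in effect"
else
  echo "override NOT in effect: adapter needs v0.32.0 (Harbor v2.12.0)"
fi
```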

@EdKingscote

https://github.com/goharbor/harbor/pull/21015/files - this has been tagged to exclude from release notes for some reason, but hopefully it made it to v2.12.0 as this mitigation is much needed.

@reasonerjt
Contributor

@marevers

The change is only available on trivy adapter v0.32.0:
https://github.com/goharbor/harbor-scanner-trivy/releases/tag/v0.32.0
It is shipped with Harbor v2.12.0

Let me know if it works.

reasonerjt added the more-info-needed label Nov 12, 2024
@marevers
Author

@reasonerjt thanks. While Harbor v2.12.0 is out it seems the helm chart was not yet updated for this release. The last release of the chart was back in August. A new chart version would need to be released first before I can upgrade.

Meanwhile I've also attempted to change just the Trivy version through trivy.image.tag to that version, but this causes incompatibility issues.

@reasonerjt
Contributor

> Meanwhile I've also attempted to change just the Trivy version through trivy.image.tag to that version, but this causes incompatibility issues.

What issues did you see?

I don't maintain the helm chart but this PR seems relevant:
goharbor/harbor-helm#1857
You may apply the change to your chart and try again?

At this moment, I don't think I can provide a date for the helm chart release.

@marevers
Author

@reasonerjt Interestingly enough, on another attempt with as far as I can tell the same parameters, I've gotten past the problem.

Chart values for Trivy used:

```yaml
...
    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: public.ecr.aws/aquasecurity/trivy-java-db
      image:
        tag: v2.12.0
...
```

The compatibility error is no longer there. Unfortunately I cannot replicate it anymore so I cannot tell you what the exact error message was.

@benji78

benji78 commented Nov 13, 2024

The tag should not mention the harbor version (v2.12.0) (or trivy (v0.56) for that matter) but the harbor-scanner-trivy version (v0.32.0).

@marevers This may also be the source of your errors.

@marevers
Author

@benji78 I don't think that is correct - I tried that but it doesn't work.

The Harbor helm chart does not deploy harbor-scanner-trivy but rather a component called trivy-adapter-photon. This seems to follow the versioning of Harbor itself, meaning, the latest version is currently v2.12.0.

@benji78

benji78 commented Nov 13, 2024

You are correct. Since aquasecurity/harbor-scanner-trivy moved to goharbor/harbor-scanner-trivy, replacing goharbor/trivy-adapter-photon, I thought the container registry would also move, but apparently not. Also, I am guessing 2.12 is not photon based anymore but now uses Alpine, which is even more confusing considering the container registry literally has photon in its name.
Also, having 3 different versions of trivy is confusing: trivy v0.56.1 > harbor-scanner-trivy v0.32.0 > container image v2.12.0
