From e7bfe45dbe07f925ad691042c8ce5b652fe1864c Mon Sep 17 00:00:00 2001
From: Sylvain Boily <4981802+djsly@users.noreply.github.com>
Date: Tue, 5 Nov 2024 07:49:21 -0500
Subject: [PATCH 1/2] adding Trivy DB fallbacks
---
 vhdbuilder/packer/trivy-scan.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
index 16e046aea80..5aaed6d6468 100644
--- a/vhdbuilder/packer/trivy-scan.sh
+++ b/vhdbuilder/packer/trivy-scan.sh
@@ -4,6 +4,7 @@ set -euxo pipefail
 TRIVY_REPORT_DIRNAME=/opt/azure/containers
 TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
+TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
 TRIVY_VERSION="0.53.0"
 TRIVY_ARCH=""
@@ -129,7 +130,7 @@ chmod a+x ${MODULE_NAME}
 export PATH="$(pwd):$PATH"
 # we do a delayed retry here since it's possible we'll get rate-limited by ghcr.io, which hosts the vulnerability DB
-retrycmd_if_failure 10 30 600 ./trivy --scanners vuln rootfs -f json --skip-dirs /var/lib/containerd --ignore-unfixed --severity ${SEVERITY} -o "${TRIVY_REPORT_ROOTFS_JSON_PATH}" /
+retrycmd_if_failure 10 30 600 ./trivy --scanners vuln rootfs -f json --db-repository ${TRIVY_DB_REPOSITORIES} --skip-dirs /var/lib/containerd --ignore-unfixed --severity ${SEVERITY} -o "${TRIVY_REPORT_ROOTFS_JSON_PATH}" /
 if [[ -f ${TRIVY_REPORT_ROOTFS_JSON_PATH} ]]; then
 ./vuln-to-kusto-vhd scan-report \
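Review bot: The third fallback in `TRIVY_DB_REPOSITORIES` is `public.ecr.aws/aquasecurity/trivy-db` with no `:2` tag, while the two entries before it pin the schema-2 tag explicitly. If Trivy does not supply a default tag for an untagged repository, that entry could fetch a DB of the wrong schema, and only in the case where both earlier mirrors have already failed, which is the hardest case to notice in CI. Pinning it the same way, `public.ecr.aws/aquasecurity/trivy-db:2`, keeps the three entries consistent, and a short comment on the ordering would help the next reader, e.g. `# primary is the MCR mirror; ghcr.io and ECR are fallbacks for rate limiting or outages`. This list is only honoured by a Trivy release that accepts multiple `--db-repository` values, which the follow-up version bump in this series is meant to provide.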
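Review bot: The comment above the rootfs scan still says the DB is hosted by ghcr.io, but with `--db-repository ${TRIVY_DB_REPOSITORIES}` the primary source is now the MCR mirror with ghcr.io and ECR as fallbacks, so the stated reason for the delayed retry is stale. Suggest `# delayed retry: the DB pull can still be rate-limited or fail on every mirror listed in TRIVY_DB_REPOSITORIES`. The new expansion is also unquoted; the current value contains no whitespace, but `--db-repository "${TRIVY_DB_REPOSITORIES}"` would match how `TRIVY_REPORT_ROOTFS_JSON_PATH` is quoted on the same line. The `if` body that follows continues outside the hunk.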
@@ -152,12 +153,12 @@ Note: images without CVEs are also listed" >> "${TRIVY_REPORT_IMAGE_TABLE_PATH}"
 for CONTAINER_IMAGE in $IMAGE_LIST; do
 # append to table
-./trivy --scanners vuln image --ignore-unfixed --severity ${SEVERITY} --skip-db-update -f table ${CONTAINER_IMAGE} >> ${TRIVY_REPORT_IMAGE_TABLE_PATH} || true
+./trivy --scanners vuln image --ignore-unfixed --severity ${SEVERITY} --db-repository ${TRIVY_DB_REPOSITORIES} --skip-db-update -f table ${CONTAINER_IMAGE} >> ${TRIVY_REPORT_IMAGE_TABLE_PATH} || true
 # export to Kusto, one by one
 BASE_CONTAINER_IMAGE=$(basename ${CONTAINER_IMAGE})
 TRIVY_REPORT_IMAGE_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-image-${BASE_CONTAINER_IMAGE}.json
-./trivy --scanners vuln image -f json --ignore-unfixed --severity ${SEVERITY} --skip-db-update -o ${TRIVY_REPORT_IMAGE_JSON_PATH} $CONTAINER_IMAGE || true
+./trivy --scanners vuln image -f json --ignore-unfixed --severity ${SEVERITY} --db-repository ${TRIVY_DB_REPOSITORIES} --skip-db-update -o ${TRIVY_REPORT_IMAGE_JSON_PATH} $CONTAINER_IMAGE || true
 if [[ -f ${TRIVY_REPORT_IMAGE_JSON_PATH} ]]; then
 ./vuln-to-kusto-vhd scan-report \
From bcb3d3e4ce3a07e3a38f0bd732f30cbb416c637d Mon Sep 17 00:00:00 2001
From: Sylvain Boily <4981802+djsly@users.noreply.github.com>
Date: Tue, 5 Nov 2024 08:09:12 -0500
Subject: [PATCH 2/2] bumping trivy version for db fallback support
---
 vhdbuilder/packer/trivy-scan.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vhdbuilder/packer/trivy-scan.sh b/vhdbuilder/packer/trivy-scan.sh
index 5aaed6d6468..4b9b655752f 100644
--- a/vhdbuilder/packer/trivy-scan.sh
+++ b/vhdbuilder/packer/trivy-scan.sh
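Review bot: On both changed `./trivy ... image` lines, `--db-repository ${TRIVY_DB_REPOSITORIES}` is combined with `--skip-db-update`; as far as I can tell the repository list is only consulted when a DB download actually happens, so here it appears to have no effect because the DB was already fetched by the rootfs scan earlier in the script. If keeping the flag is deliberate, a comment such as `# --skip-db-update: reuse the DB fetched by the rootfs scan; repository list kept for consistency only` would spare the next reader the question, otherwise it can be dropped on these two lines. Separately, both lines end in `|| true`, so a failed image scan produces no JSON and the following `if [[ -f ... ]]` silently skips that image's Kusto export; logging the skipped image to stderr at that point would make a partially failed report visible. The `for` loop body continues outside the hunk.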
@@ -6,7 +6,7 @@ TRIVY_REPORT_ROOTFS_JSON_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-rootfs.json
 TRIVY_REPORT_IMAGE_TABLE_PATH=${TRIVY_REPORT_DIRNAME}/trivy-report-images-table.txt
 TRIVY_DB_REPOSITORIES="mcr.microsoft.com/mirror/ghcr/aquasecurity/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2,public.ecr.aws/aquasecurity/trivy-db"
-TRIVY_VERSION="0.53.0"
+TRIVY_VERSION="0.57.0"
 TRIVY_ARCH=""
 MODULE_NAME="vuln-to-kusto-vhd"