feat: Flag for changing default cache-dir parameter (aquasecurity#1604)

* add cacheDir image scan option * add cacheDir filesystem scan option
cnwaldron · Nov 2, 2023 · 80dd3a8 · 80dd3a8
1 parent 957f05a
commit 80dd3a8
Show file tree

Hide file tree

Showing 8 changed files with 123 additions and 7 deletions.
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -102,6 +102,7 @@ Keeps security report resources updated
 | trivy.dbRepository | string | `"aquasecurity/trivy-db"` |  |
 | trivy.dbRepositoryInsecure | string | `"false"` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)  |
 | trivy.debug | bool | `false` | debug One of `true` or `false`. Enables debug mode. |
+| trivy.filesystemScanCacheDir | string | `"/var/trivyoperator/trivy-db"` | filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter. Only applicable in filesystem scan mode. |
 | trivy.githubToken | string | `nil` | githubToken is the GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode. |
 | trivy.httpProxy | string | `nil` | httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | trivy.httpsProxy | string | `nil` | httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
@@ -112,6 +113,7 @@ Keeps security report resources updated
 | trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image |
 | trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image |
 | trivy.image.tag | string | `"0.45.1"` | tag version of the Trivy image |
+| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
 | trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
 | trivy.javaDbRegistry | string | `"ghcr.io"` | javaDbRegistry is the registry for the Java vulnerability database. |
 | trivy.javaDbRepository | string | `"aquasecurity/trivy-java-db"` |  |

diff --git a/deploy/helm/templates/configmaps/trivy.yaml b/deploy/helm/templates/configmaps/trivy.yaml
@@ -45,6 +45,8 @@ data:
   trivy.severity: {{ .Values.trivy.severity | quote }}
   trivy.slow: {{ .Values.trivy.slow | quote }}
   trivy.skipJavaDBUpdate: {{ .Values.trivy.skipJavaDBUpdate | quote }}
+  trivy.imageScanCacheDir: {{ .Values.trivy.imageScanCacheDir | quote }}
+  trivy.filesystemScanCacheDir: {{ .Values.trivy.filesystemScanCacheDir | quote }}
   trivy.dbRepository: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}"
   trivy.javaDbRepository: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}"
   trivy.command: {{ .Values.trivy.command | quote }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -437,6 +437,12 @@ trivy:
   # For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
   # to run as the root user (runAsUser = 0).
   command: image
+  # -- imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter.
+  # Only applicable in image scan mode.
+  imageScanCacheDir: "/tmp/trivy/.cache"
+  # -- filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter.
+  # Only applicable in filesystem scan mode.
+  filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
   # -- serverUser this param is the server user to be used to download db from private registry
   serverUser: ""
   # -- serverPassword this param is the server user to be used to download db from private registry

diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -2161,6 +2161,8 @@ data:
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   trivy.slow: "true"
   trivy.skipJavaDBUpdate: "false"
+  trivy.imageScanCacheDir: "/tmp/trivy/.cache"
+  trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
   trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
   trivy.javaDbRepository: "ghcr.io/aquasecurity/trivy-java-db"
   trivy.command: "image"

diff --git a/pkg/plugins/trivy/config.go b/pkg/plugins/trivy/config.go
@@ -56,6 +56,8 @@ const (
 	keyTrivyServerURL              = "trivy.serverURL"
 	keyTrivyClientServerSkipUpdate = "trivy.clientServerSkipUpdate"
 	keyTrivySkipJavaDBUpdate       = "trivy.skipJavaDBUpdate"
+	keyTrivyImageScanCacheDir      = "trivy.imageScanCacheDir"
+	keyTrivyFilesystemScanCacheDir = "trivy.filesystemScanCacheDir"
 	// nolint:gosec // This is not a secret, but a configuration value.
 	keyTrivyServerTokenHeader = "trivy.serverTokenHeader"
 	keyTrivyServerInsecure    = "trivy.serverInsecure"
@@ -205,6 +207,22 @@ func (c Config) GetSkipJavaDBUpdate() bool {
 	return boolVal
 }
 
+func (c Config) GetImageScanCacheDir() string {
+	val, ok := c.Data[keyTrivyImageScanCacheDir]
+	if !ok || val == "" {
+		return "/tmp/trivy/.cache"
+	}
+	return val
+}
+
+func (c Config) GetFilesystemScanCacheDir() string {
+	val, ok := c.Data[keyTrivyFilesystemScanCacheDir]
+	if !ok || val == "" {
+		return "/var/trivyoperator/trivy-db"
+	}
+	return val
+}
+
 func (c Config) GetServerInsecure() bool {
 	_, ok := c.Data[keyTrivyServerInsecure]
 	return ok

diff --git a/pkg/plugins/trivy/filesystem.go b/pkg/plugins/trivy/filesystem.go
@@ -66,6 +66,8 @@ func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Confi
 		return corev1.PodSpec{}, nil, err
 	}
 
+	cacheDir := config.GetFilesystemScanCacheDir()
+
 	volumeMounts := []corev1.VolumeMount{
 		{
 			Name:      FsSharedVolumeName,
@@ -106,7 +108,7 @@ func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Confi
 		},
 		Args: []string{
 			"--cache-dir",
-			"/var/trivyoperator/trivy-db",
+			cacheDir,
 			"image",
 			"--download-db-only",
 			"--db-repository",
@@ -474,9 +476,10 @@ func getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mo
 	scanners := Scanners(c)
 	imcs := imageConfigSecretScanner(c.Data)
 	skipUpdate := SkipDBUpdate(c)
+	cacheDir := c.GetFilesystemScanCacheDir()
 	args := []string{
 		"--cache-dir",
-		"/var/trivyoperator/trivy-db",
+		cacheDir,
 		"--quiet",
 		string(command),
 		scanners,

diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
@@ -89,6 +89,8 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config,
 		return corev1.PodSpec{}, nil, err
 	}
 
+	cacheDir := config.GetImageScanCacheDir()
+
 	initContainer := corev1.Container{
 		Name:                     p.idGenerator.GenerateID(),
 		Image:                    trivyImageRef,
@@ -100,7 +102,7 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config,
 		},
 		Args: []string{
 			"--cache-dir",
-			"/tmp/trivy/.cache",
+			cacheDir,
 			"image",
 			"--download-db-only",
 			"--db-repository",
@@ -515,6 +517,7 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 	}
 	slow := Slow(c)
 	skipJavaDBUpdate := SkipJavaDBUpdate(c)
+	cacheDir := c.GetImageScanCacheDir()
 	vulnTypeArgs := vulnTypeFilter(ctx)
 	scanners := Scanners(c)
 	var vulnTypeFlag string
@@ -534,7 +537,7 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 		if !compressLogs {
 			args := []string{
 				"--cache-dir",
-				"/tmp/trivy/.cache",
+				cacheDir,
 				"--quiet",
 				"image",
 				scanners,
@@ -567,13 +570,13 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 
 			return command, args
 		}
-		return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json --server '%s' > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, getPkgList(ctx), trivyServerURL, resultFileName, resultFileName)}
+		return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir %s --quiet %s --format json --server '%s' > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, cacheDir, getPkgList(ctx), trivyServerURL, resultFileName, resultFileName)}
 	}
 	skipUpdate = SkipDBUpdate(c)
 	if !compressLogs {
 		args := []string{
 			"--cache-dir",
-			"/tmp/trivy/.cache",
+			cacheDir,
 			"--quiet",
 			"image",
 			scanners,
@@ -603,7 +606,7 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 		}
 		return command, args
 	}
-	return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, getPkgList(ctx), resultFileName, resultFileName)}
+	return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir %s --quiet %s --format json > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, cacheDir, getPkgList(ctx), resultFileName, resultFileName)}
 }
 
 func vulnTypeFilter(ctx trivyoperator.PluginContext) []string {

diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go
@@ -7367,3 +7367,83 @@ func TestGetSkipJavaDBUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestGetImageScanCacheDir(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configData trivy.Config
+		want       string
+	}{
+		{
+			name: "imageScanCacheDir param set non-default path",
+			configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+				Data: map[string]string{
+					"trivy.imageScanCacheDir": "/home/trivy/.cache",
+				},
+			}},
+			want: "/home/trivy/.cache",
+		},
+		{
+			name: "imageScanCacheDir param set as empty string",
+			configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+				Data: map[string]string{
+					"trivy.imageScanCacheDir": "",
+				},
+			}},
+			want: "/tmp/trivy/.cache",
+		},
+		{
+			name: "imageScanCacheDir param unset",
+			configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+				Data: map[string]string{},
+			}},
+			want: "/tmp/trivy/.cache",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.configData.GetImageScanCacheDir()
+			assert.Equal(t, got, tc.want)
+		})
+	}
+}
+
+func TestGetFilesystemScanCacheDir(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configData trivy.Config
+		want       string
+	}{
+		{
+			name: "filesystemScanCacheDir param set non-default path",
+			configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+				Data: map[string]string{
+					"trivy.filesystemScanCacheDir": "/home/trivyoperator/trivy-db",
+				},
+			}},
+			want: "/home/trivyoperator/trivy-db",
+		},
+		{
+			name: "filesystemScanCacheDir param set as empty string",
+			configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+				Data: map[string]string{
+					"trivy.filesystemScanCacheDir": "",
+				},
+			}},
+			want: "/var/trivyoperator/trivy-db",
+		},
+		{
+			name: "filesystemScanCacheDir param unset",
+			configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+				Data: map[string]string{},
+			}},
+			want: "/var/trivyoperator/trivy-db",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := tc.configData.GetFilesystemScanCacheDir()
+			assert.Equal(t, got, tc.want)
+		})
+	}
+}