diff --git a/deploy/helm/README.md b/deploy/helm/README.md
index 0f63c8383..4736274f7 100644
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -102,6 +102,7 @@ Keeps security report resources updated
 | trivy.dbRepository | string | `"aquasecurity/trivy-db"` | |
 | trivy.dbRepositoryInsecure | string | `"false"` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) |
 | trivy.debug | bool | `false` | debug One of `true` or `false`. Enables debug mode. |
+| trivy.filesystemScanCacheDir | string | `"/var/trivyoperator/trivy-db"` | filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter. Only applicable in filesystem scan mode. |
 | trivy.githubToken | string | `nil` | githubToken is the GitHub access token used by Trivy to download the vulnerabilities database from GitHub. Only applicable in Standalone mode. |
 | trivy.httpProxy | string | `nil` | httpProxy is the HTTP proxy used by Trivy to download the vulnerabilities database from GitHub. |
 | trivy.httpsProxy | string | `nil` | httpsProxy is the HTTPS proxy used by Trivy to download the vulnerabilities database from GitHub. |
@@ -112,6 +113,7 @@ Keeps security report resources updated
 | trivy.image.registry | string | `"ghcr.io"` | registry of the Trivy image |
 | trivy.image.repository | string | `"aquasecurity/trivy"` | repository of the Trivy image |
 | trivy.image.tag | string | `"0.45.1"` | tag version of the Trivy image |
+| trivy.imageScanCacheDir | string | `"/tmp/trivy/.cache"` | imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter. Only applicable in image scan mode. |
 | trivy.insecureRegistries | object | `{}` | The registry to which insecure connections are allowed. There can be multiple registries with different keys. |
 | trivy.javaDbRegistry | string | `"ghcr.io"` | javaDbRegistry is the registry for the Java vulnerability database. |
 | trivy.javaDbRepository | string | `"aquasecurity/trivy-java-db"` | |
diff --git a/deploy/helm/templates/configmaps/trivy.yaml b/deploy/helm/templates/configmaps/trivy.yaml
index 35013b806..caa16648f 100644
--- a/deploy/helm/templates/configmaps/trivy.yaml
+++ b/deploy/helm/templates/configmaps/trivy.yaml
@@ -45,6 +45,8 @@ data:
 trivy.severity: {{ .Values.trivy.severity | quote }}
 trivy.slow: {{ .Values.trivy.slow | quote }}
 trivy.skipJavaDBUpdate: {{ .Values.trivy.skipJavaDBUpdate | quote }}
+ trivy.imageScanCacheDir: {{ .Values.trivy.imageScanCacheDir | quote }}
+ trivy.filesystemScanCacheDir: {{ .Values.trivy.filesystemScanCacheDir | quote }}
 trivy.dbRepository: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}"
 trivy.javaDbRepository: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}"
 trivy.command: {{ .Values.trivy.command | quote }}
diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
index fe5c3c6d6..6eac57173 100644
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -437,6 +437,12 @@ trivy:
 # For 'filesystem' and `rootfs` scanning, ensure that the `trivyOperator.scanJobPodTemplateContainerSecurityContext` is configured
 # to run as the root user (runAsUser = 0).
 command: image
+ # -- imageScanCacheDir the flag to set custom path for trivy image scan `cache-dir` parameter.
+ # Only applicable in image scan mode.
+ imageScanCacheDir: "/tmp/trivy/.cache"
+ # -- filesystemScanCacheDir the flag to set custom path for trivy filesystem scan `cache-dir` parameter.
+ # Only applicable in filesystem scan mode.
+ filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
 # -- serverUser this param is the server user to be used to download db from private registry
 serverUser: ""
 # -- serverPassword this param is the server user to be used to download db from private registry
diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
index 2e1a6f3f6..5c895fb0e 100644
--- a/deploy/static/trivy-operator.yaml
+++ b/deploy/static/trivy-operator.yaml
@@ -2161,6 +2161,8 @@ data:
 trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
 trivy.slow: "true"
 trivy.skipJavaDBUpdate: "false"
+ trivy.imageScanCacheDir: "/tmp/trivy/.cache"
+ trivy.filesystemScanCacheDir: "/var/trivyoperator/trivy-db"
 trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
 trivy.javaDbRepository: "ghcr.io/aquasecurity/trivy-java-db"
 trivy.command: "image"
diff --git a/pkg/plugins/trivy/config.go b/pkg/plugins/trivy/config.go
index 997d92916..0fdec965b 100644
--- a/pkg/plugins/trivy/config.go
+++ b/pkg/plugins/trivy/config.go
@@ -56,6 +56,8 @@ const (
 keyTrivyServerURL = "trivy.serverURL"
 keyTrivyClientServerSkipUpdate = "trivy.clientServerSkipUpdate"
 keyTrivySkipJavaDBUpdate = "trivy.skipJavaDBUpdate"
+ keyTrivyImageScanCacheDir = "trivy.imageScanCacheDir"
+ keyTrivyFilesystemScanCacheDir = "trivy.filesystemScanCacheDir"
 // nolint:gosec // This is not a secret, but a configuration value.
 keyTrivyServerTokenHeader = "trivy.serverTokenHeader"
 keyTrivyServerInsecure = "trivy.serverInsecure"
@@ -205,6 +207,22 @@ func (c Config) GetSkipJavaDBUpdate() bool {
 return boolVal
 }
 
+func (c Config) GetImageScanCacheDir() string {
+ val, ok := c.Data[keyTrivyImageScanCacheDir]
+ if !ok || val == "" {
+ return "/tmp/trivy/.cache"
+ }
+ return val
+}
+
+func (c Config) GetFilesystemScanCacheDir() string {
+ val, ok := c.Data[keyTrivyFilesystemScanCacheDir]
+ if !ok || val == "" {
+ return "/var/trivyoperator/trivy-db"
+ }
+ return val
+}
+
 func (c Config) GetServerInsecure() bool {
 _, ok := c.Data[keyTrivyServerInsecure]
 return ok
diff --git a/pkg/plugins/trivy/filesystem.go b/pkg/plugins/trivy/filesystem.go
index f906d8d5d..1e873909d 100644
--- a/pkg/plugins/trivy/filesystem.go
+++ b/pkg/plugins/trivy/filesystem.go
@@ -66,6 +66,8 @@ func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Confi
 return corev1.PodSpec{}, nil, err
 }
 
+ cacheDir := config.GetFilesystemScanCacheDir()
+
 volumeMounts := []corev1.VolumeMount{
 {
 Name: FsSharedVolumeName,
@@ -106,7 +108,7 @@ func GetPodSpecForStandaloneFSMode(ctx trivyoperator.PluginContext, config Confi
 },
 Args: []string{
 "--cache-dir",
- "/var/trivyoperator/trivy-db",
+ cacheDir,
 "image",
 "--download-db-only",
 "--db-repository",
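Review bot: The two new exported getters in the @@ -205 hunk have no doc comments, and they hand-spell the same lookup-with-default shape twice, with the default paths as bare literals that must be kept in sync with values.yaml and deploy/static/trivy-operator.yaml. I would fold the lookup into one unexported helper and name the defaults, as below; if config.go already has an equivalent string-with-default helper (not visible in this hunk), use that instead. Because the returned value is later interpolated into a `/bin/sh -c` command string in image.go, the getter's doc comment is also the natural place to state that the configured path is used verbatim, neither cleaned nor validated.
```go
const (
	defaultImageScanCacheDir      = "/tmp/trivy/.cache"
	defaultFilesystemScanCacheDir = "/var/trivyoperator/trivy-db"
)

// stringOrDefault returns the value stored under key, or def when the key is
// absent or set to the empty string.
func (c Config) stringOrDefault(key, def string) string {
	if val, ok := c.Data[key]; ok && val != "" {
		return val
	}
	return def
}

// GetImageScanCacheDir returns the directory passed to trivy as --cache-dir
// for image scans. The configured value is used verbatim; it is not cleaned
// or validated.
func (c Config) GetImageScanCacheDir() string {
	return c.stringOrDefault(keyTrivyImageScanCacheDir, defaultImageScanCacheDir)
}

// GetFilesystemScanCacheDir returns the directory passed to trivy as
// --cache-dir for filesystem scans. The configured value is used verbatim.
func (c Config) GetFilesystemScanCacheDir() string {
	return c.stringOrDefault(keyTrivyFilesystemScanCacheDir, defaultFilesystemScanCacheDir)
}
```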
@@ -474,9 +476,10 @@ func getFSScanningArgs(ctx trivyoperator.PluginContext, command Command, mode Mo
 scanners := Scanners(c)
 imcs := imageConfigSecretScanner(c.Data)
 skipUpdate := SkipDBUpdate(c)
+ cacheDir := c.GetFilesystemScanCacheDir()
 args := []string{
 "--cache-dir",
- "/var/trivyoperator/trivy-db",
+ cacheDir,
 "--quiet",
 string(command),
 scanners,
diff --git a/pkg/plugins/trivy/image.go b/pkg/plugins/trivy/image.go
index 2b1cb3179..f3edbd150 100644
--- a/pkg/plugins/trivy/image.go
+++ b/pkg/plugins/trivy/image.go
@@ -89,6 +89,8 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config,
 return corev1.PodSpec{}, nil, err
 }
 
+ cacheDir := config.GetImageScanCacheDir()
+
 initContainer := corev1.Container{
 Name: p.idGenerator.GenerateID(),
 Image: trivyImageRef,
@@ -100,7 +102,7 @@ func GetPodSpecForStandaloneMode(ctx trivyoperator.PluginContext, config Config,
 },
 Args: []string{
 "--cache-dir",
- "/tmp/trivy/.cache",
+ cacheDir,
 "image",
 "--download-db-only",
 "--db-repository",
@@ -515,6 +517,7 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 }
 slow := Slow(c)
 skipJavaDBUpdate := SkipJavaDBUpdate(c)
+ cacheDir := c.GetImageScanCacheDir()
 vulnTypeArgs := vulnTypeFilter(ctx)
 scanners := Scanners(c)
 var vulnTypeFlag string
@@ -534,7 +537,7 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 if !compressLogs {
 args := []string{
 "--cache-dir",
- "/tmp/trivy/.cache",
+ cacheDir,
 "--quiet",
 "image",
 scanners,
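Review bot: In the image.go @@ -89 and @@ -100 hunks the init container's `--download-db-only` run and, via getCommandAndArgs, the scan container's `--cache-dir` now both follow cacheDir, but nothing ties the configured directory to the volume that made the previous hardcoded `/tmp/trivy/.cache` visible to both containers, so a custom value outside that mount would leave the downloaded DB invisible to the scanner (a re-download per scan at best, a failed scan with skipUpdate at worst). I cannot see the pod's volumes in these hunks, so this is inferred from the default living under /tmp; the same presumably applies to GetPodSpecForStandaloneFSMode in filesystem.go, where the default `/var/trivyoperator/trivy-db` sits next to the FsSharedVolumeName mount. Either derive the mount path from the configured directory or state the constraint where the option is documented, e.g. `# The directory must lie within a volume mounted into both the init and scan containers.` in values.yaml and as a line in the getter's doc comment. GetPodSpecForStandaloneMode and getCommandAndArgs both start and end outside these hunks.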
@@ -567,13 +570,13 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 return command, args
 }
- return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, getPkgList(ctx), trivyServerURL, resultFileName, resultFileName)}
+ return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir %s --quiet %s --format json --server '%s' > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, cacheDir, getPkgList(ctx), trivyServerURL, resultFileName, resultFileName)}
 }
 skipUpdate = SkipDBUpdate(c)
 if !compressLogs {
 args := []string{
 "--cache-dir",
- "/tmp/trivy/.cache",
+ cacheDir,
 "--quiet",
 "image",
 scanners,
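Review bot: In the `/bin/sh -c` form the new `--cache-dir %s` is interpolated unquoted, whereas imageRef and trivyServerURL in the same format string are single-quoted, so a configured path containing whitespace or shell metacharacters would be word-split or interpreted by the shell instead of reaching trivy intact; the argv-list forms in the other hunks pass the value as one argument and are unaffected. Quote it the same way as its neighbours, `--cache-dir '%s'`, here and in the @@ -603 hunk below. The value comes from the operator's own ConfigMap, so this is a consistency and robustness point rather than an exposure to scan targets, but as written the shell form and the argv form disagree on which paths work. getCommandAndArgs starts before and ends after this hunk.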
@@ -603,7 +606,7 @@ func getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, imageRef stri
 }
 return command, args
 }
- return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, getPkgList(ctx), resultFileName, resultFileName)}
+ return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir %s --quiet %s --format json > /tmp/scan/%s && bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, cacheDir, getPkgList(ctx), resultFileName, resultFileName)}
 }
 
 func vulnTypeFilter(ctx trivyoperator.PluginContext) []string {
diff --git a/pkg/plugins/trivy/plugin_test.go b/pkg/plugins/trivy/plugin_test.go
index 74e276c79..ee2203673 100644
--- a/pkg/plugins/trivy/plugin_test.go
+++ b/pkg/plugins/trivy/plugin_test.go
@@ -7367,3 +7367,83 @@ func TestGetSkipJavaDBUpdate(t *testing.T) {
 })
 }
 }
+
+func TestGetImageScanCacheDir(t *testing.T) {
+ testCases := []struct {
+ name string
+ configData trivy.Config
+ want string
+ }{
+ {
+ name: "imageScanCacheDir param set non-default path",
+ configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+ Data: map[string]string{
+ "trivy.imageScanCacheDir": "/home/trivy/.cache",
+ },
+ }},
+ want: "/home/trivy/.cache",
+ },
+ {
+ name: "imageScanCacheDir param set as empty string",
+ configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+ Data: map[string]string{
+ "trivy.imageScanCacheDir": "",
+ },
+ }},
+ want: "/tmp/trivy/.cache",
+ },
+ {
+ name: "imageScanCacheDir param unset",
+ configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+ Data: map[string]string{},
+ }},
+ want: "/tmp/trivy/.cache",
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ got := tc.configData.GetImageScanCacheDir()
+ assert.Equal(t, got, tc.want)
+ })
+ }
+}
+
+func TestGetFilesystemScanCacheDir(t *testing.T) {
+ testCases := []struct {
+ name string
+ configData trivy.Config
+ want string
+ }{
+ {
+ name: "filesystemScanCacheDir param set non-default path",
+ configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+ Data: map[string]string{
+ "trivy.filesystemScanCacheDir": "/home/trivyoperator/trivy-db",
+ },
+ }},
+ want: "/home/trivyoperator/trivy-db",
+ },
+ {
+ name: "filesystemScanCacheDir param set as empty string",
+ configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+ Data: map[string]string{
+ "trivy.filesystemScanCacheDir": "",
+ },
+ }},
+ want: "/var/trivyoperator/trivy-db",
+ },
+ {
+ name: "filesystemScanCacheDir param unset",
+ configData: trivy.Config{PluginConfig: trivyoperator.PluginConfig{
+ Data: map[string]string{},
+ }},
+ want: "/var/trivyoperator/trivy-db",
+ },
+ }
+ for _, tc := range testCases {
+ t.Run(tc.name, func(t *testing.T) {
+ got = tc.configData.GetFilesystemScanCacheDir()
+ assert.Equal(t, got, tc.want)
+ })
+ }
+}
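Review bot: Both new tests call `assert.Equal(t, got, tc.want)` with the arguments reversed; testify's Equal takes (expected, actual), so a failure message would label the wanted path as the actual one. Change the two lines to `assert.Equal(t, tc.want, got)`. This may mirror the order used in neighbouring tests such as TestGetSkipJavaDBUpdate, which I cannot see here; if so, fixing those is a separate cleanup. It would also be worth pinning a whitespace-only value such as `" "` (constructed example), since the getters treat only the empty string as unset and would pass a lone space through as the cache directory.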