Bump Trivy to v0.54.1 (#2427)

* Bump trivy to v0.49.1 * Bump trivy to v0.51.4 - Fix registry version aquasecurity/trivy#6219; - Fix replace zap with slog aquasecurity/trivy#6466; - The fix with slog used a zap to slog bridge (official from zap, but exp). It didn't have a license file, so I hardcoded a commit version that had; - Adopt opts.Align() to validate options object; * Bump trivy to v0.52.2 * Temp change the workflow trigger to test changes * Free up space on runner * Bump trivy to v0.53.0 - Fix go clear cache aquasecurity/trivy#7010 * Bump trivy to v0.54.1 - Fix --vuln-type flag renamed into --pkg-types aquasecurity/trivy#7104; - Adopt package relationships aquasecurity/trivy#7237 * Rollback CI run on target * Clean 'scan cache clean' code and add timeout to it
elastic · Aug 13, 2024 · c66d2f0 · c66d2f0
1 parent e3cba3a
commit c66d2f0
Show file tree

Hide file tree

Showing 7 changed files with 509 additions and 331 deletions.
diff --git a/.buildkite/scripts/generate_notice.py b/.buildkite/scripts/generate_notice.py
@@ -30,6 +30,7 @@
     {"name": "github.com/golang/glog", "licenceType": "Apache-2.0"},
     {"name": "github.com/spdx/tools-golang", "licenceFile": "LICENSE.code", "licenceType": "Apache-2.0"},
     {"name": "github.com/aquasecurity/trivy-policies", "licenceType": "MIT"},
+    {"name": "github.com/csaf-poc/csaf_distribution/v3", "licenceType": "Apache-2.0"},
 ]
 
 # Additional third-party, non-source code dependencies, to add to the CSV output.

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -105,6 +105,17 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: false
+          docker-images: true
+          swap-storage: true
+
       - name: Check out the repo
         uses: actions/checkout@v4
 

diff --git a/go.mod b/go.mod
diff --git a/go.sum b/go.sum
diff --git a/internal/flavors/vulnerability.go b/internal/flavors/vulnerability.go
@@ -20,15 +20,16 @@ package flavors
 import (
 	"context"
 	"fmt"
+	"log/slog"
 
 	dlog "github.com/aquasecurity/go-dep-parser/pkg/log"
-	flog "github.com/aquasecurity/trivy/pkg/fanal/log"
 	tlog "github.com/aquasecurity/trivy/pkg/log"
 	"github.com/elastic/beats/v7/libbeat/beat"
 	agentconfig "github.com/elastic/elastic-agent-libs/config"
 	"github.com/elastic/elastic-agent-libs/logp"
 	xlog "github.com/masahiro331/go-xfs-filesystem/log"
 	"go.uber.org/zap"
+	"go.uber.org/zap/exp/zapslog"
 
 	"github.com/elastic/cloudbeat/internal/config"
 	"github.com/elastic/cloudbeat/internal/dataprovider"
@@ -53,9 +54,8 @@ func NewVulnerability(b *beat.Beat, cfg *agentconfig.C) (beat.Beater, error) {
 	// Override trivy's logger
 	scanLog := zap.New(log.Core()).Sugar()
 	dlog.SetLogger(scanLog)
-	flog.SetLogger(scanLog)
 	xlog.SetLogger(scanLog)
-	tlog.Logger = scanLog
+	tlog.SetDefault(slog.New(zapslog.NewHandler(log.Core())))
 
 	ctx, cancel := context.WithCancel(context.Background())
 

diff --git a/internal/vulnerability/runner.go b/internal/vulnerability/runner.go
@@ -19,13 +19,15 @@ package vulnerability
 
 import (
 	"context"
-	"errors"
 	"time"
 
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
+	"github.com/aquasecurity/trivy/pkg/commands/clean"
+	fanal_types "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	trivy_types "github.com/aquasecurity/trivy/pkg/types"
 	"github.com/elastic/elastic-agent-libs/logp"
+	"github.com/google/go-containerregistry/pkg/name"
 )
 
 type VulnerabilityRunner struct {
@@ -48,17 +50,18 @@ func NewVulnerabilityRunner(log *logp.Logger) (VulnerabilityRunner, error) {
 			Quiet:   false,
 			Debug:   true,
 		},
-		VulnerabilityOptions: flag.VulnerabilityOptions{
-			VulnType: []string{trivy_types.VulnTypeOS, trivy_types.VulnTypeLibrary},
+		PackageOptions: flag.PackageOptions{
+			PkgTypes:         []string{trivy_types.PkgTypeOS, trivy_types.PkgTypeLibrary},
+			PkgRelationships: fanal_types.Relationships,
 		},
 		ScanOptions: flag.ScanOptions{
 			Scanners: []trivy_types.Scanner{trivy_types.VulnerabilityScanner},
 			RekorURL: "https://rekor.sigstore.dev",
 		},
 		DBOptions: flag.DBOptions{
 			NoProgress:       true,
-			DBRepository:     "ghcr.io/aquasecurity/trivy-db",
-			JavaDBRepository: "ghcr.io/aquasecurity/trivy-java-db",
+			DBRepository:     name.MustParseReference("ghcr.io/aquasecurity/trivy-db:2"),
+			JavaDBRepository: name.MustParseReference("ghcr.io/aquasecurity/trivy-java-db:1"),
 		},
 	}
 
@@ -82,24 +85,12 @@ func clearTrivyCache(ctx context.Context, log *logp.Logger) error {
 	log.Info("Starting VulnerabilityRunner.ClearCache")
 	defer log.Info("Ending VulnerabilityRunner.ClearCache")
 
-	// These are the three available cli settings for clean/reset translated to flag.Options object.
-	// 	{CacheOptions: flag.CacheOptions{ClearCache: true}},
-	// 	{DBOptions: flag.DBOptions{Reset: true}},
-	// 	{MisconfOptions: flag.MisconfOptions{ResetPolicyBundle: true}},
-	// In our case we will use only the ClearCache option.
-
-	errs := make([]error, 0, 2)
-	r, err := artifact.NewRunner(ctx, flag.Options{CacheOptions: flag.CacheOptions{ClearCache: true}})
-	if err != nil {
-		if !errors.Is(err, artifact.SkipScan) {
-			errs = append(errs, err)
-		}
-	}
-
-	// it should never go here (NewRunner should always return artifact.SkipScan and nil runner), but just in case it goes, lets close the runner.
-	if r != nil {
-		errs = append(errs, r.Close(ctx))
-	}
-
-	return errors.Join(errs...)
+	return clean.Run(ctx, flag.Options{
+		CleanOptions: flag.CleanOptions{
+			CleanScanCache: true,
+		},
+		GlobalOptions: flag.GlobalOptions{
+			Timeout: 5 * time.Second,
+		},
+	})
 }
diff --git a/internal/vulnerability/scanner.go b/internal/vulnerability/scanner.go
@@ -26,6 +26,7 @@ import (
 	"time"
 
 	db_types "github.com/aquasecurity/trivy-db/pkg/types"
+	fanal_types "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	trivy_types "github.com/aquasecurity/trivy/pkg/types"
 	"github.com/elastic/elastic-agent-libs/logp"
@@ -117,8 +118,9 @@ func (f VulnerabilityScanner) scan(ctx context.Context, snap ec2.EBSSnapshot) {
 			Quiet:   false,
 			Debug:   true,
 		},
-		VulnerabilityOptions: flag.VulnerabilityOptions{
-			VulnType: []string{trivy_types.VulnTypeOS, trivy_types.VulnTypeLibrary},
+		PackageOptions: flag.PackageOptions{
+			PkgTypes:         []string{trivy_types.PkgTypeOS, trivy_types.PkgTypeLibrary},
+			PkgRelationships: fanal_types.Relationships,
 		},
 		ScanOptions: flag.ScanOptions{
 			Target:   fmt.Sprint("ebs:", snap.SnapshotId),