Bump Trivy to v0.54.1

.buildkite/scripts/generate_notice.py

@@ -30,6 +30,7 @@
     {"name": "github.com/golang/glog", "licenceType": "Apache-2.0"},
     {"name": "github.com/spdx/tools-golang", "licenceFile": "LICENSE.code", "licenceType": "Apache-2.0"},
     {"name": "github.com/aquasecurity/trivy-policies", "licenceType": "MIT"},
+    {"name": "github.com/csaf-poc/csaf_distribution/v3", "licenceType": "Apache-2.0"},
 ]
 
 # Additional third-party, non-source code dependencies, to add to the CSV output.

.github/workflows/ci.yml

@@ -105,6 +105,17 @@ jobs:
     runs-on: ubuntu-22.04
     timeout-minutes: 30
     steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: false
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: false
+          docker-images: true
+          swap-storage: true
+
       - name: Check out the repo
         uses: actions/checkout@v4
 

internal/flavors/vulnerability.go

@@ -20,15 +20,16 @@ package flavors
 import (
 	"context"
 	"fmt"
+	"log/slog"
 
 	dlog "github.com/aquasecurity/go-dep-parser/pkg/log"
-	flog "github.com/aquasecurity/trivy/pkg/fanal/log"
 	tlog "github.com/aquasecurity/trivy/pkg/log"
 	"github.com/elastic/beats/v7/libbeat/beat"
 	agentconfig "github.com/elastic/elastic-agent-libs/config"
 	"github.com/elastic/elastic-agent-libs/logp"
 	xlog "github.com/masahiro331/go-xfs-filesystem/log"
 	"go.uber.org/zap"
+	"go.uber.org/zap/exp/zapslog"
 
 	"github.com/elastic/cloudbeat/internal/config"
 	"github.com/elastic/cloudbeat/internal/dataprovider"
@@ -53,9 +54,8 @@ func NewVulnerability(b *beat.Beat, cfg *agentconfig.C) (beat.Beater, error) {
 	// Override trivy's logger
 	scanLog := zap.New(log.Core()).Sugar()
 	dlog.SetLogger(scanLog)
-	flog.SetLogger(scanLog)
 	xlog.SetLogger(scanLog)
-	tlog.Logger = scanLog
+	tlog.SetDefault(slog.New(zapslog.NewHandler(log.Core())))
 
 	ctx, cancel := context.WithCancel(context.Background())
 

internal/vulnerability/runner.go

@@ -23,9 +23,12 @@ import (
 	"time"
 
 	"github.com/aquasecurity/trivy/pkg/commands/artifact"
+	"github.com/aquasecurity/trivy/pkg/commands/clean"
+	fanal_types "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	trivy_types "github.com/aquasecurity/trivy/pkg/types"
 	"github.com/elastic/elastic-agent-libs/logp"
+	"github.com/google/go-containerregistry/pkg/name"
 )
 
 type VulnerabilityRunner struct {
@@ -48,17 +51,18 @@ func NewVulnerabilityRunner(log *logp.Logger) (VulnerabilityRunner, error) {
 			Quiet:   false,
 			Debug:   true,
 		},
-		VulnerabilityOptions: flag.VulnerabilityOptions{
-			VulnType: []string{trivy_types.VulnTypeOS, trivy_types.VulnTypeLibrary},
+		PackageOptions: flag.PackageOptions{
+			PkgTypes:         []string{trivy_types.PkgTypeOS, trivy_types.PkgTypeLibrary},
+			PkgRelationships: fanal_types.Relationships,
 		},
 		ScanOptions: flag.ScanOptions{
 			Scanners: []trivy_types.Scanner{trivy_types.VulnerabilityScanner},
 			RekorURL: "https://rekor.sigstore.dev",
 		},
 		DBOptions: flag.DBOptions{
 			NoProgress:       true,
-			DBRepository:     "ghcr.io/aquasecurity/trivy-db",
-			JavaDBRepository: "ghcr.io/aquasecurity/trivy-java-db",
+			DBRepository:     name.MustParseReference("ghcr.io/aquasecurity/trivy-db:2"),
+			JavaDBRepository: name.MustParseReference("ghcr.io/aquasecurity/trivy-java-db:1"),
 		},
 	}
 
@@ -82,24 +86,12 @@ func clearTrivyCache(ctx context.Context, log *logp.Logger) error {
 	log.Info("Starting VulnerabilityRunner.ClearCache")
 	defer log.Info("Ending VulnerabilityRunner.ClearCache")
 
-	// These are the three available cli settings for clean/reset translated to flag.Options object.
-	// 	{CacheOptions: flag.CacheOptions{ClearCache: true}},
-	// 	{DBOptions: flag.DBOptions{Reset: true}},
-	// 	{MisconfOptions: flag.MisconfOptions{ResetPolicyBundle: true}},
-	// In our case we will use only the ClearCache option.
-
-	errs := make([]error, 0, 2)
-	r, err := artifact.NewRunner(ctx, flag.Options{CacheOptions: flag.CacheOptions{ClearCache: true}})
+	err := clean.Run(ctx, flag.Options{CleanOptions: flag.CleanOptions{CleanScanCache: true}})
 	if err != nil {
 		if !errors.Is(err, artifact.SkipScan) {
-			errs = append(errs, err)
+			return err
 		}
 	}
 
-	// it should never go here (NewRunner should always return artifact.SkipScan and nil runner), but just in case it goes, lets close the runner.
-	if r != nil {
-		errs = append(errs, r.Close(ctx))
-	}
-
-	return errors.Join(errs...)
+	return nil
 }

internal/vulnerability/scanner.go

@@ -26,6 +26,7 @@ import (
 	"time"
 
 	db_types "github.com/aquasecurity/trivy-db/pkg/types"
+	fanal_types "github.com/aquasecurity/trivy/pkg/fanal/types"
 	"github.com/aquasecurity/trivy/pkg/flag"
 	trivy_types "github.com/aquasecurity/trivy/pkg/types"
 	"github.com/elastic/elastic-agent-libs/logp"
@@ -117,8 +118,9 @@ func (f VulnerabilityScanner) scan(ctx context.Context, snap ec2.EBSSnapshot) {
 			Quiet:   false,
 			Debug:   true,
 		},
-		VulnerabilityOptions: flag.VulnerabilityOptions{
-			VulnType: []string{trivy_types.VulnTypeOS, trivy_types.VulnTypeLibrary},
+		PackageOptions: flag.PackageOptions{
+			PkgTypes:         []string{trivy_types.PkgTypeOS, trivy_types.PkgTypeLibrary},
+			PkgRelationships: fanal_types.Relationships,
 		},
 		ScanOptions: flag.ScanOptions{
 			Target:   fmt.Sprint("ebs:", snap.SnapshotId),