feat: add support for trivy dbRepository and javaDBRepository

Signed-off-by: Benjamin Bordes <[email protected]>
goharbor · Oct 24, 2024 · 94b04c6 · 94b04c6
1 parent b051a07
commit 94b04c6
Show file tree

Hide file tree

Showing 7 changed files with 109 additions and 81 deletions.
diff --git a/README.md b/README.md
diff --git a/helm/harbor-scanner-trivy/README.md b/helm/harbor-scanner-trivy/README.md
diff --git a/helm/harbor-scanner-trivy/templates/statefulset.yaml b/helm/harbor-scanner-trivy/templates/statefulset.yaml
@@ -77,6 +77,10 @@ spec:
               value: {{ .Values.scanner.trivy.skipJavaDBUpdate | quote }}
             - name: "SCANNER_TRIVY_OFFLINE_SCAN"
               value: {{ .Values.scanner.trivy.offlineScan | quote }}
+            - name: "SCANNER_TRIVY_DB_REPOSITORY"
+              value: {{ .Values.scanner.trivy.dbRepository | quote }}
+            - name: "SCANNER_TRIVY_JAVA_DB_REPOSITORY"
+              value: {{ .Values.scanner.trivy.javaDBRepository | quote }}
             - name: "SCANNER_TRIVY_GITHUB_TOKEN"
               valueFrom:
                 secretKeyRef:

diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml
@@ -78,6 +78,10 @@ scanner:
     ## If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
     ## `/home/scanner/.cache/trivy/java-db/trivy-java.db` path (see `cacheDir`).
     skipJavaDBUpdate: false
+    # OCI repository to retrieve the trivy vulnerability database from
+    dbRepository: "ghcr.io/aquasecurity/trivy-db"
+    # OCI repository to retrieve the Java trivy vulnerability database from
+    javaDBRepository: "ghcr.io/aquasecurity/trivy-java-db"
     # offlineScan the flag to disable external API requests to identify dependencies.
     offlineScan: false
     ## gitHubToken the GitHub access token to download Trivy DB

diff --git a/pkg/etc/config.go b/pkg/etc/config.go
@@ -34,6 +34,8 @@ type Trivy struct {
 	IgnorePolicy     string        `env:"SCANNER_TRIVY_IGNORE_POLICY"`
 	SkipDBUpdate     bool          `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
 	SkipJavaDBUpdate bool          `env:"SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" envDefault:"false"`
+	DBRepository     string        `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
+	JavaDBRepository string        `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
 	OfflineScan      bool          `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 	GitHubToken      string        `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
 	Insecure         bool          `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`

diff --git a/pkg/trivy/wrapper.go b/pkg/trivy/wrapper.go
@@ -203,6 +203,14 @@ func (w *wrapper) prepareScanCmd(target ScanTarget, outputFile string, opt ScanO
 		args = append(args, "--ignore-policy", w.config.IgnorePolicy)
 	}
 
+	if w.config.DBRepository != "" {
+		args = append(args, "--db-repository", w.config.DBRepository)
+	}
+
+	if w.config.JavaDBRepository != "" {
+		args = append(args, "--java-db-repository", w.config.JavaDBRepository)
+	}
+
 	if w.config.DebugMode {
 		args = append(args, "--debug")
 	}

diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go
@@ -115,6 +115,8 @@ func TestWrapper_Scan(t *testing.T) {
 			IgnorePolicy:     "/home/scanner/opa/policy.rego",
 			SkipDBUpdate:     true,
 			SkipJavaDBUpdate: true,
+			DBRepository:     "ghcr.io/aquasecurity/trivy-db",
+			JavaDBRepository: "ghcr.io/aquasecurity/trivy-java-db",
 			GitHubToken:      "<github_token>",
 			Insecure:         true,
 			Timeout:          5 * time.Minute,
@@ -153,6 +155,10 @@ func TestWrapper_Scan(t *testing.T) {
 				"--ignore-unfixed",
 				"--skip-db-update",
 				"--skip-java-db-update",
+				"--db-repository",
+				"ghcr.io/aquasecurity/trivy-db",
+				"--java-db-repository",
+				"ghcr.io/aquasecurity/trivy-java-db",
 				"--ignore-policy",
 				"/home/scanner/opa/policy.rego",
 				"--debug",