From 46f97ecf6c6ef15d628c32de0ddad4935bdff7e3 Mon Sep 17 00:00:00 2001 From: Shengwen Yu Date: Wed, 19 Jan 2022 17:42:12 +0800 Subject: [PATCH] feat: bump TRIVYVERSION to v0.22.0 and bump TRIVYADAPTERVERSION to v0.25.0 Signed-off-by: Shengwen Yu --- Makefile | 4 ++-- make/harbor.yml.tmpl | 8 ++++++++ make/photon/prepare/templates/trivy-adapter/env.jinja | 1 + make/photon/prepare/utils/configs.py | 1 + 4 files changed, 12 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 3263b85ad..60a66a991 100644 --- a/Makefile +++ b/Makefile @@ -111,8 +111,8 @@ PREPARE_VERSION_NAME=versions REGISTRYVERSION=v2.7.1-patch-2819-2553-redis NOTARYVERSION=v0.6.1 NOTARYMIGRATEVERSION=v4.11.0 -TRIVYVERSION=v0.20.1 -TRIVYADAPTERVERSION=v0.24.0 +TRIVYVERSION=v0.22.0 +TRIVYADAPTERVERSION=v0.25.0 # version of chartmuseum for pulling the source code CHARTMUSEUM_SRC_TAG=v0.13.1 diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl index 759cdc6a9..a61d7bc07 100644 --- a/make/harbor.yml.tmpl +++ b/make/harbor.yml.tmpl @@ -78,6 +78,14 @@ trivy: # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path. skip_update: false # + # The offline_scan option prevents Trivy from sending API requests to identify dependencies. + # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it. + # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't + # exist in the local repositories. It means a number of detected vulnerabilities might be fewer in offline mode. + # It would work if all the dependencies are in local. + # This option doesn’t affect DB download. You need to specify "skip-update" as well as "offline-scan" in an air-gapped environment. + offline_scan: false + # # insecure The flag to skip verifying registry certificate insecure: false # github_token The GitHub access token to download Trivy DB 
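Review bot: The last added comment line in the harbor.yml.tmpl hunk tells an air-gapped operator to specify "skip-update" as well as "offline-scan", but those are the hyphenated CLI flag spellings; the keys this file actually reads are `skip_update` and `offline_scan`, and an operator who copies the quoted names into harbor.yml gets keys the prepare step never looks up, so both options quietly stay at false and the scanner still tries to reach the network. I would rewrite that line as `# This option doesn't affect DB download. In an air-gapped environment set both skip_update and offline_scan to true.` The same line also uses a typographic apostrophe in "doesn’t" where the surrounding comments are plain ASCII; harmless inside a YAML comment, but worth normalising while the line is being written. The `trivy:` section continues beyond the hunk.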
diff --git a/make/photon/prepare/templates/trivy-adapter/env.jinja b/make/photon/prepare/templates/trivy-adapter/env.jinja
index 99292f439..6de37861b 100644
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
@@ -10,6 +10,7 @@ SCANNER_TRIVY_VULN_TYPE=os,library
 SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
 SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
+SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
 SCANNER_TRIVY_INSECURE={{trivy_insecure}}
 SCANNER_TRIVY_TIMEOUT={{trivy_timeout}}
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index 77a0a5c92..f1c6b786f 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -222,6 +222,7 @@ def parse_yaml_config(config_file_path, with_notary, with_trivy, with_chartmuseu
     trivy_configs = configs.get("trivy") or {}
     config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
     config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
+    config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
     config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
     config_dict['trivy_insecure'] = trivy_configs.get("insecure") or False
     config_dict['trivy_timeout'] = trivy_configs.get("timeout") or '5m0s'
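Review bot: The new `config_dict['trivy_offline_scan']` line accepts any truthy YAML value and forwards it to the env template as-is, so a quoted value such as `offline_scan: "no"` is neither rejected nor coerced, and whether the adapter then treats that string as true, false or an error cannot be confirmed from this hunk. Because offline_scan is the knob that is supposed to keep the scanner from making outbound dependency lookups in an air-gapped deployment, a silently mis-typed value is worth failing on at prepare time: `offline_scan = trivy_configs.get("offline_scan", False)` / `if not isinstance(offline_scan, bool): raise ValueError("trivy.offline_scan must be true or false")` / `config_dict['trivy_offline_scan'] = offline_scan`. The neighbouring skip_update, ignore_unfixed and insecure lines share the same `or False` pattern, so the new line is at least consistent with them; tightening all four together would be a follow-up rather than part of this bump. parse_yaml_config starts and ends outside the hunk.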