From bca9b14bbfd75e7f7d4c6c9223aaefb76ec07968 Mon Sep 17 00:00:00 2001
From: Shengwen YU
Date: Wed, 21 Feb 2024 10:13:52 +0800
Subject: [PATCH] feat: enable configuration of skip_java_db_update (#19996)

Signed-off-by: Shengwen Yu
---
 Makefile | 4 ++--
 make/harbor.yml.tmpl | 4 ++++
 make/photon/prepare/templates/trivy-adapter/env.jinja | 1 +
 make/photon/prepare/utils/configs.py | 1 +
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 857db70f6..e617ef882 100644
--- a/Makefile
+++ b/Makefile
@@ -104,8 +104,8 @@ PREPARE_VERSION_NAME=versions
 #versions
 REGISTRYVERSION=v2.8.3-patch-redis
-TRIVYVERSION=v0.47.0
-TRIVYADAPTERVERSION=v0.30.19
+TRIVYVERSION=v0.49.1
+TRIVYADAPTERVERSION=v0.30.22
 # version of registry for pulling the source code
 REGISTRY_SRC_TAG=v2.8.3
diff --git a/make/harbor.yml.tmpl b/make/harbor.yml.tmpl
index 763855fd2..d60c1fadd 100644
--- a/make/harbor.yml.tmpl
+++ b/make/harbor.yml.tmpl
@@ -97,6 +97,10 @@ trivy:
   # `metadata.json` files and mount them in the `/home/scanner/.cache/trivy/db` path.
   skip_update: false
   #
+  # skipJavaDBUpdate If the flag is enabled you have to manually download the `trivy-java.db` file and mount it in the
+  # `/home/scanner/.cache/trivy/java-db/trivy-java.db` path
+  skip_java_db_update: false
+  #
   # The offline_scan option prevents Trivy from sending API requests to identify dependencies.
   # Scanning JAR files and pom.xml may require Internet access for better detection, but this option tries to avoid it.
   # For example, the offline mode will not try to resolve transitive dependencies in pom.xml when the dependency doesn't
diff --git a/make/photon/prepare/templates/trivy-adapter/env.jinja b/make/photon/prepare/templates/trivy-adapter/env.jinja
index c9402a136..406e6a91a 100644
--- a/make/photon/prepare/templates/trivy-adapter/env.jinja
+++ b/make/photon/prepare/templates/trivy-adapter/env.jinja
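Review bot: The new comment on `skip_java_db_update` tells the operator what to download and where to mount it, but not that Trivy will then never refresh `trivy-java.db` on its own, so Java/JAR vulnerability findings become only as current as the mounted copy. That is the operational risk of this flag on an air-gapped install and is worth stating next to the key, e.g. append `# Trivy will not refresh this file itself, so Java/JAR findings are only as current as the mounted copy; refresh it whenever you refresh the main DB.` after the two added comment lines. What the adapter does when the flag is set but the file is missing is not visible in this patch, so the comment should not promise a fallback either way.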
@@ -10,6 +10,7 @@ SCANNER_TRIVY_VULN_TYPE=os,library
 SCANNER_TRIVY_SEVERITY=UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL
 SCANNER_TRIVY_IGNORE_UNFIXED={{trivy_ignore_unfixed}}
 SCANNER_TRIVY_SKIP_UPDATE={{trivy_skip_update}}
+SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE={{trivy_skip_java_db_update}}
 SCANNER_TRIVY_OFFLINE_SCAN={{trivy_offline_scan}}
 SCANNER_TRIVY_SECURITY_CHECKS={{trivy_security_check}}
 SCANNER_TRIVY_GITHUB_TOKEN={{trivy_github_token}}
diff --git a/make/photon/prepare/utils/configs.py b/make/photon/prepare/utils/configs.py
index f47ff4c40..a2ecc31af 100644
--- a/make/photon/prepare/utils/configs.py
+++ b/make/photon/prepare/utils/configs.py
@@ -212,6 +212,7 @@ def parse_yaml_config(config_file_path, with_trivy):
     trivy_configs = configs.get("trivy") or {}
     config_dict['trivy_github_token'] = trivy_configs.get("github_token") or ''
     config_dict['trivy_skip_update'] = trivy_configs.get("skip_update") or False
+    config_dict['trivy_skip_java_db_update'] = trivy_configs.get("skip_java_db_update") or False
     config_dict['trivy_offline_scan'] = trivy_configs.get("offline_scan") or False
     config_dict['trivy_security_check'] = trivy_configs.get("security_check") or 'vuln'
     config_dict['trivy_ignore_unfixed'] = trivy_configs.get("ignore_unfixed") or False
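Review bot: The added `trivy_skip_java_db_update` line copies whatever YAML value the operator wrote into config_dict with only `or False`, so a quoted value such as `'false'` or `'no'` is truthy, survives unchanged, and is rendered verbatim into `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` for the adapter to interpret. Because this flag decides whether the scanner fetches the Java vulnerability DB, a silent misparse either disables updates the operator did not ask for or re-enables network fetches on an install meant to be air-gapped; rejecting non-booleans at parse time is cheap and fails loudly. The neighbouring `skip_update` and `offline_scan` lines have the same shape and would benefit from the same check, but the new line is the one in this commit. `parse_yaml_config` starts and ends outside the hunk, so I cannot tell whether a schema check elsewhere in it already covers this key.
```python
    # … unchanged: trivy_github_token, trivy_skip_update …
    skip_java_db_update = trivy_configs.get("skip_java_db_update") or False
    if not isinstance(skip_java_db_update, bool):
        raise ValueError("trivy.skip_java_db_update must be a boolean (true/false)")
    config_dict['trivy_skip_java_db_update'] = skip_java_db_update
    # … unchanged: trivy_offline_scan and following keys …
```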