Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bump needed for trivy to v0.57.1 in harbor-scanner-trivy #21223

Closed
stgdns opened this issue Nov 20, 2024 · 5 comments
Closed

bump needed for trivy to v0.57.1 in harbor-scanner-trivy #21223

stgdns opened this issue Nov 20, 2024 · 5 comments
Assignees

Comments

@stgdns
Copy link

stgdns commented Nov 20, 2024

Hello everyone,

I'm proposing that trivy is updated to v0.57.1 in harbor-scanner-trivy.

Reason: trivy scanner is not usable since quite a while because the vuln-db download constantly fails, because of github rate-limiting at the organization level ("aquasecurity"), see:
aquasecurity/trivy#7938

fixed in version: trivy to v0.57.1

If this is not possible, then maybe the PR goharbor/harbor-scanner-trivy#7 could be merged and the helm chart at https://helm.goharbor.io updated, to allow setting the vuln-db URLs manually.

PS: since recently the new home of harbor-scanner-trivy is:
https://github.com/goharbor/harbor-scanner-trivy

@benji78
Copy link

benji78 commented Nov 20, 2024

Technically harbor v2.11.2 now contains harbor-scanner-trivy v0.32.0 (= trivy v0.56.1)
So you can already set SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY environment variables to manually change the vulnerability database repositories (multiple db repositories should work).
This is not yet the case of harbor v2.12.0 (which only contains harbor-scanner-trivy v0.31.4 (= trivy v0.54.1))

If you use the helm chart, version 1.16.0 (harbor v2.12.0) has been updated with trivy-adapter-photon v2.12.0 (= harbor-scanner-trivy v0.32.0 = trivy v0.56.1) so you can set the environment variables directly in the chart's values:

    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

For previous versions, you can change the image version in the chart values (untested):

    trivy:
      image:
        tag: v2.12.0

For the new trivy defaults, an upgrade to trivy v0.57.1 is indeed necessary unless I hard code them in harbor-scanner-trivy#7 and it is merged.

@dan-m8t
Copy link

dan-m8t commented Nov 22, 2024

Just for clearance @benji78 - I recently updated Harbor to 2.12.0 because of the first trivy fix a few weeks ago.
Trivy adapter reports 0.56.1 as trivy version, so I would assume that this solution also works for 2.12?

scanner [ / ]$ trivy -v
Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-21 18:16:43.863577371 +0000 UTC
  NextUpdate: 2024-11-22 18:16:43.86357697 +0000 UTC
  DownloadedAt: 2024-11-21 21:46:14.990881268 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-22 02:45:24.819418998 +0000 UTC
  NextUpdate: 2024-11-25 02:45:24.819418878 +0000 UTC
  DownloadedAt: 2024-11-22 09:01:38.827602395 +0000 UTC

goharbor/trivy-adapter-photon:v2.12.0 is what I use (docker-compose setup)

@reasonerjt
Copy link
Contributor

@dan-m8t I think the answer is yes.

@reasonerjt
Copy link
Contributor

We'll resolve this one after trivy adapter's GAed, reopening...

@reasonerjt reasonerjt reopened this Dec 10, 2024
@reasonerjt
Copy link
Contributor

reasonerjt commented Dec 13, 2024

Closing the issue as v2.12.1 has pinned to trivy adapter v0.32.1 and trivy v0.57.1 via #21308

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants