bump needed for trivy to v0.57.1 in harbor-scanner-trivy #21223

Open
stgdns opened this issue Nov 20, 2024 · 2 comments

stgdns commented Nov 20, 2024

Hello everyone,

I'm proposing that trivy be updated to v0.57.1 in harbor-scanner-trivy.

Reason: the trivy scanner has not been usable for quite a while because the vuln-db download constantly fails, due to GitHub rate-limiting at the organization level ("aquasecurity"), see:
aquasecurity/trivy#7938

Fixed in version: trivy v0.57.1

If this is not possible, then maybe the PR goharbor/harbor-scanner-trivy#7 could be merged and the helm chart at https://helm.goharbor.io updated, to allow setting the vuln-db URLs manually.

PS: since recently the new home of harbor-scanner-trivy is:
https://github.com/goharbor/harbor-scanner-trivy


benji78 commented Nov 20, 2024

Technically harbor v2.11.2 now contains harbor-scanner-trivy v0.32.0 (= trivy v0.56.1).
So you can already set the SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY environment variables to manually change the vulnerability database repositories (multiple db repositories should work).
This is not yet the case for harbor v2.12.0 (which only contains harbor-scanner-trivy v0.31.4 (= trivy v0.54.1)).

If you use the helm chart, version 1.16.0 (harbor v2.12.0) has been updated with trivy-adapter-photon v2.12.0 (= harbor-scanner-trivy v0.32.0 = trivy v0.56.1) so you can set the environment variables directly in the chart's values:

    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

For previous versions, you can change the image version in the chart values (untested):

    trivy:
      image:
        tag: v2.12.0

For the new trivy defaults, an upgrade to trivy v0.57.1 is indeed necessary unless I hard code them in harbor-scanner-trivy#7 and it is merged.


dan-m8t commented Nov 22, 2024

Just for clarification @benji78 - I recently updated Harbor to 2.12.0 because of the first trivy fix a few weeks ago.
The Trivy adapter reports 0.56.1 as the trivy version, so I would assume that this solution also works for 2.12?

    scanner [ / ]$ trivy -v
    Version: 0.56.1
    Vulnerability DB:
      Version: 2
      UpdatedAt: 2024-11-21 18:16:43.863577371 +0000 UTC
      NextUpdate: 2024-11-22 18:16:43.86357697 +0000 UTC
      DownloadedAt: 2024-11-21 21:46:14.990881268 +0000 UTC
    Java DB:
      Version: 1
      UpdatedAt: 2024-11-22 02:45:24.819418998 +0000 UTC
      NextUpdate: 2024-11-25 02:45:24.819418878 +0000 UTC
      DownloadedAt: 2024-11-22 09:01:38.827602395 +0000 UTC

goharbor/trivy-adapter-photon:v2.12.0 is what I use (docker-compose setup)
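The two comments above give an operator everything needed to verify the workaround: the `trivy -v` output from inside the adapter container, the minimum trivy version (v0.56.1, shipped in harbor-scanner-trivy v0.32.0) at which the SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY overrides apply, and the comma-separated repository lists. The script below is an added example written for this thread, not code from harbor-scanner-trivy or Trivy. It parses `trivy -v` output (a constructed sample that mirrors the format quoted above), checks whether the running version is new enough for the override variables, flags databases whose NextUpdate has already passed (the silent failure mode when downloads are rate-limited: scans keep running against stale data), and checks that each override lists at least one repository outside ghcr.io. The "now" timestamp used in `main()` is constructed for the demo.

```python
"""Check a Harbor Trivy adapter's trivy version, DB freshness and DB-repository overrides.

Added example for this thread; not code from harbor-scanner-trivy or Trivy.
Assumes the `trivy -v` output format quoted in the thread.
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `trivy -v` output quoted in the thread.
SAMPLE_TRIVY_V = """Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-21 18:16:43.863577371 +0000 UTC
  NextUpdate: 2024-11-22 18:16:43.86357697 +0000 UTC
  DownloadedAt: 2024-11-21 21:46:14.990881268 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-22 02:45:24.819418998 +0000 UTC
  NextUpdate: 2024-11-25 02:45:24.819418878 +0000 UTC
  DownloadedAt: 2024-11-22 09:01:38.827602395 +0000 UTC
"""

# From the thread: harbor-scanner-trivy v0.32.0 ships trivy v0.56.1, the version
# at which the SCANNER_TRIVY_*_REPOSITORY overrides are honoured.
MIN_MULTI_REPO_VERSION = (0, 56, 1)
DB_ENV_VARS = ("SCANNER_TRIVY_DB_REPOSITORY", "SCANNER_TRIVY_JAVA_DB_REPOSITORY")

_TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ ([+-]\d{4}) UTC")


def parse_version(text):
    """'0.56.1' or 'v0.56.1' -> (0, 56, 1), so versions compare as tuples."""
    return tuple(int(p) for p in text.strip().lstrip("v").split("."))


def parse_timestamp(text):
    """Trivy prints nanosecond fractions; strptime only accepts microseconds, so the fraction is dropped."""
    m = _TS_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S %z")


def parse_trivy_v(output):
    """Parse `trivy -v` output into {'version': tuple, 'databases': {name: {...}}}."""
    info = {"version": None, "databases": {}}
    section = None
    for raw in output.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.partition(":")  # split on the first colon only; timestamps contain more
        value = value.strip()
        if not raw.startswith(" "):
            if key == "Version":
                info["version"] = parse_version(value)
            else:  # "Vulnerability DB:" / "Java DB:" open a new section
                section = key.strip()
                info["databases"][section] = {}
        elif section is not None:
            k = key.strip()
            if k == "Version":
                info["databases"][section]["version"] = int(value)
            elif k in ("UpdatedAt", "NextUpdate", "DownloadedAt"):
                info["databases"][section][k] = parse_timestamp(value)
    return info


def supports_db_repository_env(version):
    """True when the running trivy honours the DB-repository override variables."""
    return tuple(version) >= MIN_MULTI_REPO_VERSION


def stale_databases(info, now):
    """Names of databases whose NextUpdate has passed: the scanner is working from stale data."""
    return [name for name, db in info["databases"].items()
            if "NextUpdate" in db and db["NextUpdate"] < now]


def check_repository_env(env):
    """Findings about the override variables; empty when each is set and has a non-ghcr.io entry."""
    findings = []
    for var in DB_ENV_VARS:
        repos = [r.strip() for r in env.get(var, "").split(",") if r.strip()]
        if not repos:
            findings.append(f"{var} is not set; the adapter falls back to trivy's built-in default repository")
        elif all(r.startswith("ghcr.io/") for r in repos):
            findings.append(f"{var} lists only ghcr.io repositories; add a mirror so a GitHub rate limit is not fatal")
    return findings


def main():
    info = parse_trivy_v(SAMPLE_TRIVY_V)
    now = datetime(2024, 11, 23, tzinfo=timezone.utc)  # constructed "now" for the demo
    print("trivy version:", ".".join(map(str, info["version"])))
    print("override variables honoured:", supports_db_repository_env(info["version"]))
    print("stale databases:", stale_databases(info, now))
    for finding in check_repository_env({"SCANNER_TRIVY_DB_REPOSITORY": "ghcr.io/aquasecurity/trivy-db"}):
        print("finding:", finding)


if __name__ == "__main__":
    main()
```

To check a live deployment, capture `trivy -v` inside the adapter container as shown in the comment above and pass the text to `parse_trivy_v`, with `datetime.now(timezone.utc)` as `now`; the environment passed to `check_repository_env` can be the container's `os.environ` or the `extraEnvVars` from the chart values.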
