Merge pull request #129 from IABTechLab/ian-update-trivy

ian trivy database download problems fix

.github/workflows/shared-publish-java-to-docker-versioned.yaml

@@ -180,33 +180,14 @@ jobs:
             JAR_VERSION=${{ steps.version.outputs.new_version }}
             IMAGE_VERSION=${{ steps.version.outputs.new_version }}
 
-      - name: Generate Trivy vulnerability scan report
-        uses: aquasecurity/[email protected]
-        if: inputs.publish_vulnerabilities == 'true'
-        with:
-          image-ref: ${{ steps.extractImageTag.outputs.firstTag }}
-          format: 'sarif'
-          exit-code: '0'
-          ignore-unfixed: true
-          severity: 'CRITICAL,HIGH'
-          output: 'trivy-results.sarif'
-          hide-progress: true
-
-      - name: Upload Trivy scan report to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: inputs.publish_vulnerabilities == 'true'
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Test with Trivy vulnerability scanner
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: ${{ steps.extractImageTag.outputs.firstTag }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: ${{ inputs.vulnerability_severity }}
-          hide-progress: true
+      - name: Vulnerability Scan
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v2
+        with:
+          scan_severity: HIGH,CRITICAL
+          failure_severity: ${{ inputs.vulnerability_severity }}
+          publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
+          image_ref: ${{ steps.extractImageTag.outputs.firstTag }}
+          scan_type: image
 
       - name: Push to Docker
         uses: docker/build-push-action@v5

.github/workflows/shared-validate-image.yaml

@@ -95,39 +95,12 @@ jobs:
             JAR_VERSION=${{ steps.package.outputs.jar_version }}
             IMAGE_VERSION=${{ steps.package.outputs.jar_version }}-${{ steps.package.outputs.git_commit }}
 
-      - name: Run Trivy vulnerability scanner and report to GitHub
-        uses: aquasecurity/[email protected]
+      - name: Vulnerability Scan
+        uses: IABTechLab/uid2-shared-actions/actions/vulnerability_scan@v2
         with:
-          image-ref: ${{ steps.meta.outputs.tags }}
-          format: 'sarif'
-          exit-code: '0'
-          ignore-unfixed: true
-          severity: ${{ inputs.failure_severity }}
-          output: 'trivy-results.sarif'
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        if: inputs.upload_vulnerabilities
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Local vulnerability scanner for MEDIUM,HIGH,CRITICAL for reporting
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: ${{ steps.meta.outputs.tags }}
-          format: 'table'
-          exit-code: '0'
-          ignore-unfixed: true
-          severity: 'MEDIUM,HIGH,CRITICAL'
-          hide-progress: true
-
-      - name: Local vulnerability scanner fail for given severity
-        uses: aquasecurity/[email protected]
-        if: inputs.fail_on_error
-        with:
-          image-ref: ${{ steps.meta.outputs.tags }}
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: ${{ inputs.failure_severity }}
-          hide-progress: true
+          scan_severity: HIGH,CRITICAL
+          failure_severity: ${{ inputs.vulnerability_severity }}
+          publish_vulnerabilities: ${{ inputs.publish_vulnerabilities }}
+          image_ref: ${{ steps.meta.outputs.tags }}
+          scan_type: image
+          full_report: 'true'

actions/vulnerability_scan/action.yaml

@@ -16,6 +16,9 @@ inputs:
   scan_type:
     description: The scan-type for aquasecurity/trivy-action action. Default to a fs scan.
     default: fs
+  full_report:
+    description: Whether to scan and report for MEDIUM,HIGH,CRITICAL
+    default: 'false'
 runs:
   using: "composite"
   steps:
@@ -32,8 +35,48 @@ runs:
       cp tmp-vulnerability-scan/trivy-secret.yaml ./trivy-secret.yaml
       rm -rf tmp-vulnerability-scan
 
+  - name: Setup oras
+    uses: oras-project/setup-oras@v1
+
+  - name: Get current date
+    id: date
+    shell: bash
+    run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+  - name: Check Cache for Databases
+    id: cache-check
+    uses: actions/cache@v4
+    with:
+      path: ${{ github.workspace }}/.cache/trivy
+      key: cache-trivy-${{ steps.date.outputs.date }}
+
+  - name: Download and extract the vulnerability DB
+    if: ${{ !steps.cache-check.outputs.cache-hit }}
+    shell: bash
+    run: |
+      mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+      oras pull ghcr.io/aquasecurity/trivy-db:2
+      tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+      rm db.tar.gz
+
+  - name: Download and extract the Java DB
+    if: ${{ !steps.cache-check.outputs.cache-hit }}
+    shell: bash
+    run: |
+      mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+      oras pull ghcr.io/aquasecurity/trivy-java-db:1
+      tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+      rm javadb.tar.gz
+
+  - name: Cache DBs
+    uses: actions/cache/save@v4
+    if: ${{ !steps.cache-check.outputs.cache-hit }}
+    with:
+      path: ${{ github.workspace }}/.cache/trivy
+      key: cache-trivy-${{ steps.date.outputs.date }}
+
   - name: Generate Trivy vulnerability scan report
-    uses: aquasecurity/trivy-action@0.14.0
+    uses: aquasecurity/trivy-action@0.26.0
     if: inputs.publish_vulnerabilities == 'true'
     with:
       image-ref: ${{ inputs.image_ref }}
@@ -44,15 +87,33 @@ runs:
       severity: ${{ inputs.scan_severity }}
       output: 'trivy-results.sarif'
       hide-progress: true
+    env:
+      TRIVY_SKIP_DB_UPDATE: true
+      TRIVY_SKIP_JAVA_DB_UPDATE: true
 
   - name: Upload Trivy scan report to GitHub Security tab
     uses: github/codeql-action/upload-sarif@v3
     if: inputs.publish_vulnerabilities == 'true'
     with:
       sarif_file: 'trivy-results.sarif'
 
+  - name: Local vulnerability scanner for MEDIUM,HIGH,CRITICAL for reporting
+    if: ${{ inputs.full_report  == 'true' }}
+    uses: aquasecurity/[email protected]
+    with:
+      image-ref: ${{ inputs.image_ref }}
+      scan-type: ${{ inputs.scan_type }}
+      format: 'table'
+      exit-code: '0'
+      ignore-unfixed: true
+      severity: 'MEDIUM,HIGH,CRITICAL'
+      hide-progress: true
+    env:
+      TRIVY_SKIP_DB_UPDATE: true
+      TRIVY_SKIP_JAVA_DB_UPDATE: true
+
   - name: Test with Trivy vulnerability scanner
-    uses: aquasecurity/trivy-action@0.14.0
+    uses: aquasecurity/trivy-action@0.26.0
     with:
       image-ref: ${{ inputs.image_ref }}
       scan-type: ${{ inputs.scan_type }}
@@ -61,3 +122,6 @@ runs:
       ignore-unfixed: true
       severity: ${{ inputs.failure_severity }}
       hide-progress: true
+    env:
+      TRIVY_SKIP_DB_UPDATE: true
+      TRIVY_SKIP_JAVA_DB_UPDATE: true

actions/vulnerability_scan_filesystem/action.yaml

@@ -27,8 +27,48 @@ runs:
       cp tmp-vulnerability-scan/trivy-secret.yaml ./trivy-secret.yaml
       rm -rf tmp-vulnerability-scan
 
+  - name: Setup oras
+    uses: oras-project/setup-oras@v1
+
+  - name: Get current date
+    id: date
+    shell: bash
+    run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+
+  - name: Check Cache for Databases
+    id: cache-check
+    uses: actions/cache@v4
+    with:
+      path: ${{ github.workspace }}/.cache/trivy
+      key: cache-trivy-${{ steps.date.outputs.date }}
+
+  - name: Download and extract the vulnerability DB
+    if: ${{ !steps.cache-check.outputs.cache-hit }}
+    shell: bash
+    run: |
+      mkdir -p $GITHUB_WORKSPACE/.cache/trivy/db
+      oras pull ghcr.io/aquasecurity/trivy-db:2
+      tar -xzf db.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/db
+      rm db.tar.gz
+
+  - name: Download and extract the Java DB
+    if: ${{ !steps.cache-check.outputs.cache-hit }}
+    shell: bash
+    run: |
+      mkdir -p $GITHUB_WORKSPACE/.cache/trivy/java-db
+      oras pull ghcr.io/aquasecurity/trivy-java-db:1
+      tar -xzf javadb.tar.gz -C $GITHUB_WORKSPACE/.cache/trivy/java-db
+      rm javadb.tar.gz
+
+  - name: Cache DBs
+    uses: actions/cache/save@v4
+    if: ${{ !steps.cache-check.outputs.cache-hit }}
+    with:
+      path: ${{ github.workspace }}/.cache/trivy
+      key: cache-trivy-${{ steps.date.outputs.date }}
+
   - name: Generate Trivy vulnerability scan report
-    uses: aquasecurity/trivy-action@0.14.0
+    uses: aquasecurity/trivy-action@0.26.0
     if: inputs.publish_vulnerabilities == 'true'
     with:
       scan-type: 'fs'
@@ -38,6 +78,9 @@ runs:
       severity: ${{ inputs.scan_severity }}
       output: 'trivy-results.sarif'
       hide-progress: true
+    env:
+      TRIVY_SKIP_DB_UPDATE: true
+      TRIVY_SKIP_JAVA_DB_UPDATE: true
 
   - name: Upload Trivy scan report to GitHub Security tab
     uses: github/codeql-action/upload-sarif@v3
@@ -46,11 +89,14 @@ runs:
       sarif_file: 'trivy-results.sarif'
 
   - name: Test with Trivy vulnerability scanner
-    uses: aquasecurity/trivy-action@0.14.0
+    uses: aquasecurity/trivy-action@0.26.0
     with:
       scan-type: 'fs'
       format: 'table'
       exit-code: '1'
       ignore-unfixed: true
       severity: ${{ inputs.failure_severity }}
       hide-progress: true
+    env:
+      TRIVY_SKIP_DB_UPDATE: true
+      TRIVY_SKIP_JAVA_DB_UPDATE: true