feat: Update registry fallbacks [backport: release/v0.57] (#7944)
Co-authored-by: simar7 <[email protected]>
Co-authored-by: DmitriyLewen <[email protected]>
3 people authored Nov 18, 2024
1 parent 7dd70dc commit cd0d128
Showing 15 changed files with 62 additions and 22 deletions.
18 changes: 17 additions & 1 deletion docs/docs/configuration/db.md
Expand Up @@ -92,6 +92,19 @@ You can reference the OCI manifest of [trivy-db].
`trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.


### Rate limits
Trivy hosts its databases on public OCI registries that are subject to their respective rate limits. While we strive to make the databases available to every
Trivy user, there are certain recommendations that one can make in order to ensure rate limits are not hit.

#### Authenticated use of Registries
By authenticating with the registries that Trivy hosts its DBs on can significantly increase the limit for users. For Amazon ECR, the details for rate limits can be found [ecr-limits].

Please see more info on how to authenticate with ECR [auth-ecr].

#### Caching DBs
Trivy DB and Trivy Java DB are published every 6 hours and 24 hours, respectively. If you are running Trivy scans more often than this, you can significantly benefit from caching the DBs on each run and updating them as needed.
Once example of this can be seen in Trivy Action, where with caching multiple CI invocations can be performed with a single download of the DBs. More on info Trivy Action caching can be found [trivy-action-cache].

## Java Index Database
The same options are also available for the Java index DB, which is used for scanning Java applications.
Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
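Review bot: In the new "Rate limits" section, the "Authenticated use of Registries" paragraph points readers only at Amazon ECR ([ecr-limits], [auth-ecr]), while the defaults this commit documents in the CLI reference are `mirror.gcr.io/aquasec/trivy-db:2` and `ghcr.io/aquasecurity/trivy-db:2`. Name the registries the defaults actually use, or state which hosted copy the ECR guidance applies to. The wording also needs a pass: "By authenticating with the registries ... can significantly increase the limit" has no subject (suggest "Authenticating with the registries ... can significantly increase the limit"), "Once example" should be "One example", "More on info Trivy Action caching" should be "More info on Trivy Action caching", and "can be found [ecr-limits]" reads better as "can be found in [ecr-limits]".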
Expand Down Expand Up @@ -123,4 +136,7 @@ $ trivy clean --vuln-db --java-db
```

[trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
[ecr-limits]: https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html
[auth-ecr]: https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
[trivy-action-cache]: https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#cache
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_filesystem.md
Expand Up @@ -29,7 +29,7 @@ trivy filesystem [flags] PATH
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
Expand All @@ -56,7 +56,7 @@ trivy filesystem [flags] PATH
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_image.md
Expand Up @@ -43,7 +43,7 @@ trivy image [flags] IMAGE_NAME
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
Expand Down Expand Up @@ -74,7 +74,7 @@ trivy image [flags] IMAGE_NAME
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--input string input file path instead of image name
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_kubernetes.md
Expand Up @@ -38,7 +38,7 @@ trivy kubernetes [flags] [CONTEXT]
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
Expand Down Expand Up @@ -70,7 +70,7 @@ trivy kubernetes [flags] [CONTEXT]
--include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_repository.md
Expand Up @@ -29,7 +29,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
Expand All @@ -56,7 +56,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_rootfs.md
Expand Up @@ -31,7 +31,7 @@ trivy rootfs [flags] ROOTDIR
--config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
Expand All @@ -58,7 +58,7 @@ trivy rootfs [flags] ROOTDIR
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_sbom.md
Expand Up @@ -24,7 +24,7 @@ trivy sbom [flags] SBOM_PATH
--cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives.
Expand All @@ -41,7 +41,7 @@ trivy sbom [flags] SBOM_PATH
--ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies
2 changes: 1 addition & 1 deletion docs/docs/references/configuration/cli/trivy_server.md
Expand Up @@ -22,7 +22,7 @@ trivy server [flags]
```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--download-db-only download/update vulnerability database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for server
4 changes: 2 additions & 2 deletions docs/docs/references/configuration/cli/trivy_vm.md
Expand Up @@ -27,7 +27,7 @@ trivy vm [flags] VM_IMAGE
--compliance string compliance report to generate
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2])
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives.
Expand All @@ -52,7 +52,7 @@ trivy vm [flags] VM_IMAGE
--ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1])
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")
2 changes: 2 additions & 0 deletions docs/docs/references/configuration/config-file.md
Expand Up @@ -105,6 +105,7 @@ db:

# Same as '--java-db-repository'
java-repository:
- mirror.gcr.io/aquasec/trivy-java-db:1
- ghcr.io/aquasecurity/trivy-java-db:1

# Same as '--skip-java-db-update'
Expand All @@ -115,6 +116,7 @@ db:

# Same as '--db-repository'
repository:
- mirror.gcr.io/aquasec/trivy-db:2
- ghcr.io/aquasecurity/trivy-db:2

# Same as '--skip-db-update'
5 changes: 5 additions & 0 deletions pkg/db/db.go
Expand Up @@ -29,6 +29,10 @@ var (
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-db", db.SchemaVersion)
defaultGHCRRepository = lo.Must(name.NewTag(DefaultGHCRRepository))

// GCR mirror
DefaultGCRRepository = fmt.Sprintf("%s:%d", "mirror.gcr.io/aquasec/trivy-db", db.SchemaVersion)
defaultGCRRepository = lo.Must(name.NewTag(DefaultGCRRepository))

Init = db.Init
Close = db.Close
Path = db.Path
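Review bot: `DefaultGCRRepository` and its `// GCR mirror` comment undersell what this reference is: `mirror.gcr.io/aquasec/trivy-db` differs from the GHCR default in both host and namespace (`aquasec` versus `aquasecurity`). Extend the comment to say who publishes to that path and that it is expected to serve the same artifact as `DefaultGHCRRepository`, so a reader auditing where the vulnerability DB comes from does not have to guess. A name such as `DefaultGCRMirrorRepository` would also avoid confusion with an ordinary gcr.io repository.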
Expand Down Expand Up @@ -73,6 +77,7 @@ func Dir(cacheDir string) string {
func NewClient(dbDir string, quiet bool, opts ...Option) *Client {
o := &options{
dbRepositories: []name.Reference{
defaultGCRRepository,
defaultGHCRRepository,
},
}
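Review bot: Placing `defaultGCRRepository` ahead of `defaultGHCRRepository` in `dbRepositories` changes the first host every default installation contacts, and nothing in `NewClient` documents which failures move on to the next entry. Add a comment on the slice stating that the order is priority order and what triggers the fallback, and mention in the release notes that environments whose egress rules allow only ghcr.io will now make an attempt against mirror.gcr.io first unless they set `--db-repository`.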
8 changes: 8 additions & 0 deletions pkg/fanal/image/registry/google/google.go
Expand Up @@ -28,7 +28,15 @@ const gcrURLSuffix = ".gcr.io"
// Google artifact registry
const garURLSuffix = "-docker.pkg.dev"

// Google mirror registry
const gmrURLDomain = "mirror.gcr.io"

func (g *Registry) CheckOptions(domain string, option types.RegistryOptions) (intf.RegistryClient, error) {
// We assume there is no chance that `mirror.gcr.io` will require authentication.
// So we need to skip `mirror.gcr.io` to avoid errors confusing users when downloading DB's.
if domain == gmrURLDomain {
return nil, xerrors.Errorf("mirror.gcr.io doesn't require authentication")
}
if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) {
return nil, xerrors.Errorf("Google registry: %w", types.InvalidURLPattern)
}
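Review bot: In `CheckOptions`, the `domain == gmrURLDomain` branch reports a non-error condition as an error: `xerrors.Errorf("mirror.gcr.io doesn't require authentication")` takes no format arguments and wraps no sentinel, unlike the `types.InvalidURLPattern` return just below, so callers cannot tell "skip this provider" apart from a real failure. Use `xerrors.New` with a sentinel error, or wrap an existing one as the next branch does. The check also has to stay ahead of the suffix test because `mirror.gcr.io` ends in `gcrURLSuffix` (`.gcr.io`); a comment saying so and a unit test for that domain would keep a later reorder from silently re-enabling the Google credential lookup for the mirror. The "no chance" wording in the comment states an assumption as a guarantee and is worth softening, and "DB's" should be "DBs".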
4 changes: 2 additions & 2 deletions pkg/flag/db_flags.go
Expand Up @@ -53,13 +53,13 @@ var (
DBRepositoryFlag = Flag[[]string]{
Name: "db-repository",
ConfigName: "db.repository",
Default: []string{db.DefaultGHCRRepository},
Default: []string{db.DefaultGCRRepository, db.DefaultGHCRRepository},
Usage: "OCI repository(ies) to retrieve trivy-db in order of priority",
}
JavaDBRepositoryFlag = Flag[[]string]{
Name: "java-db-repository",
ConfigName: "db.java-repository",
Default: []string{javadb.DefaultGHCRRepository},
Default: []string{javadb.DefaultGCRRepository, javadb.DefaultGHCRRepository},
Usage: "OCI repository(ies) to retrieve trivy-java-db in order of priority",
}
LightFlag = Flag[bool]{
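Review bot: The new default for `DBRepositoryFlag` (`db.DefaultGCRRepository, db.DefaultGHCRRepository`) repeats the order hard-coded in `NewClient` in pkg/db/db.go, so the two lists can drift if only one is edited later. Export a single ordered default slice from `pkg/db` (and likewise from `javadb`) and use it in both places. The `Usage` strings still say only "in order of priority"; now that the default has two entries, say there that later entries are used as fallbacks.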