From 178fe15472f4410ab1d97f64ac8138cf5354f472 Mon Sep 17 00:00:00 2001
From: Daniel Jiang
Date: Wed, 4 Dec 2024 00:44:20 +0800
Subject: [PATCH] Bump up trivy to 0.57.1 and prepare for 0.32.1 release
Signed-off-by: Daniel Jiang
---
Dockerfile | 2 +-
Dockerfile.dev | 2 +-
README.md | 83 ++++++++++++-------------
helm/harbor-scanner-trivy/Chart.yaml | 4 +-
helm/harbor-scanner-trivy/README.md | 88 +++++++++++++--------------
helm/harbor-scanner-trivy/values.yaml | 2 +-
pkg/etc/config.go | 4 +-
pkg/trivy/wrapper_test.go | 4 +-
test/component/component_test.go | 2 +-
9 files changed, 96 insertions(+), 95 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 0b484ec..3ddb3dd 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,5 @@
 # That's the only place where you're supposed to specify version of Trivy.
-ARG TRIVY_VERSION=0.56.1
+ARG TRIVY_VERSION=0.57.1
 FROM aquasec/trivy:${TRIVY_VERSION}
diff --git a/Dockerfile.dev b/Dockerfile.dev
index f9c68d3..712c5ad 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,5 +1,5 @@
 # That's the only place where you're supposed to specify version of Trivy.
-ARG TRIVY_VERSION=0.56.1
+ARG TRIVY_VERSION=0.57.1
 ARG SKAFFOLD_GO_GCFLAGS
 FROM golang:1.22 AS builder
diff --git a/README.md b/README.md
index 9c83869..38a989c 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,7 @@ The following matrix indicates the version of Trivy and Trivy adapter installed
 | Harbor | Trivy Adapter | Trivy |
 |-------------------------|---------------|-----------------|
+| harbor v2.12.1 | v0.32.1 | [trivy v0.57.1] |
 | harbor v2.12.0 | v0.32.0 | [trivy v0.56.1] |
 | harbor v2.11.1 | v0.31.4 | [trivy v0.54.1] |
 | - | v0.31.3 | [trivy v0.52.2] |
@@ -68,47 +69,47 @@ designated as the default scanner. Configuration of the adapter is done via environment variables at startup. -| Name | Default | Description | -|-----------------------------------------|--------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. | -| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server | -| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file | -| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file | -| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate | -| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body | -| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response | -| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled | -| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics | -| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory | -| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory | -| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode | -| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| -| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. | -| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed | -| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities | -| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file | -| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. | -| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. | -| `SCANNER_TRIVY_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-db` | OCI repository to retrieve the trivy vulnerability database from | -| `SCANNER_TRIVY_JAVA_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-java-db` | OCI repository to retrieve the Java trivy vulnerability database from | -| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. | -| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) | -| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate | -| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion | -| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store | -| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports | -| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis | -| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue | -| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. 
The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | -| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool | -| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool | -| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | -| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server | -| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply | -| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. | -| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server | -| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server | -| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to | +| Name | Default | Description | +|-----------------------------------------|----------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `SCANNER_LOG_LEVEL` | `info` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it. 
| +| `SCANNER_API_SERVER_ADDR` | `:8080` | Binding address for the API server | +| `SCANNER_API_SERVER_TLS_CERTIFICATE` | N/A | The absolute path to the x509 certificate file | +| `SCANNER_API_SERVER_TLS_KEY` | N/A | The absolute path to the x509 private key file | +| `SCANNER_API_SERVER_CLIENT_CAS` | N/A | A list of absolute paths to x509 root certificate authorities that the api use if required to verify a client certificate | +| `SCANNER_API_SERVER_READ_TIMEOUT` | `15s` | The maximum duration for reading the entire request, including the body | +| `SCANNER_API_SERVER_WRITE_TIMEOUT` | `15s` | The maximum duration before timing out writes of the response | +| `SCANNER_API_SERVER_IDLE_TIMEOUT` | `60s` | The maximum amount of time to wait for the next request when keep-alives are enabled | +| `SCANNER_API_SERVER_METRICS_ENABLED` | `true` | Whether to enable metrics | +| `SCANNER_TRIVY_CACHE_DIR` | `/home/scanner/.cache/trivy` | Trivy cache directory | +| `SCANNER_TRIVY_REPORTS_DIR` | `/home/scanner/.cache/reports` | Trivy reports directory | +| `SCANNER_TRIVY_DEBUG_MODE` | `false` | The flag to enable or disable Trivy debug mode | +| `SCANNER_TRIVY_VULN_TYPE` | `os,library` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. | +| `SCANNER_TRIVY_SECURITY_CHECKS` | `vuln,config,secret` | comma-separated list of what security issues to detect. Possible values are `vuln`, `config` and `secret`. Defaults to `vuln`. | +| `SCANNER_TRIVY_SEVERITY` | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | Comma-separated list of vulnerabilities severities to be displayed | +| `SCANNER_TRIVY_IGNORE_UNFIXED` | `false` | The flag to display only fixed vulnerabilities | +| `SCANNER_TRIVY_IGNORE_POLICY` | `` | The path for the Trivy ignore policy OPA Rego file | +| `SCANNER_TRIVY_SKIP_UPDATE` | `false` | The flag to disable [Trivy DB] downloads. | +| `SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE` | `false` | The flag to disable [Trivy JAVA DB] downloads. 
| +| `SCANNER_TRIVY_DB_REPOSITORY` | `mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db` | OCI repositor(ies) to retrieve the trivy vulnerability database from | +| `SCANNER_TRIVY_JAVA_DB_REPOSITORY` | `ghcr.io/aquasecurity/trivy-java-db` | OCI repositor(ies) to retrieve the Java trivy vulnerability database from | +| `SCANNER_TRIVY_OFFLINE_SCAN` | `false` | The flag to disable external API requests to identify dependencies. | +| `SCANNER_TRIVY_GITHUB_TOKEN` | N/A | The GitHub access token to download [Trivy DB] (see [GitHub rate limiting][gh-rate-limit]) | +| `SCANNER_TRIVY_INSECURE` | `false` | The flag to skip verifying registry certificate | +| `SCANNER_TRIVY_TIMEOUT` | `5m0s` | The duration to wait for scan completion | +| `SCANNER_STORE_REDIS_NAMESPACE` | `harbor.scanner.trivy:store` | The namespace for keys in the Redis store | +| `SCANNER_STORE_REDIS_SCAN_JOB_TTL` | `1h` | The time to live for persisting scan jobs and associated scan reports | +| `SCANNER_JOB_QUEUE_REDIS_NAMESPACE` | `harbor.scanner.trivy:job-queue` | The namespace for keys in the scan jobs queue backed by Redis | +| `SCANNER_JOB_QUEUE_WORKER_CONCURRENCY` | `1` | The number of workers to spin-up for the scan jobs queue | +| `SCANNER_REDIS_URL` | `redis://harbor-harbor-redis:6379` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. `redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | +| `SCANNER_REDIS_POOL_MAX_ACTIVE` | `5` | The max number of connections allocated by the Redis connection pool | +| `SCANNER_REDIS_POOL_MAX_IDLE` | `5` | The max number of idle connections in the Redis connection pool | +| `SCANNER_REDIS_POOL_IDLE_TIMEOUT` | `5m` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. 
| +| `SCANNER_REDIS_POOL_CONNECTION_TIMEOUT` | `1s` | The timeout for connecting to the Redis server | +| `SCANNER_REDIS_POOL_READ_TIMEOUT` | `1s` | The timeout for reading a single Redis command reply | +| `SCANNER_REDIS_POOL_WRITE_TIMEOUT` | `1s` | The timeout for writing a single Redis command. | +| `HTTP_PROXY` | N/A | The URL of the HTTP proxy server | +| `HTTPS_PROXY` | N/A | The URL of the HTTPS proxy server | +| `NO_PROXY` | N/A | The URLs that the proxy settings do not apply to | ## Documentation diff --git a/helm/harbor-scanner-trivy/Chart.yaml b/helm/harbor-scanner-trivy/Chart.yaml index fa6d066..fbbe4cb 100644 --- a/helm/harbor-scanner-trivy/Chart.yaml +++ b/helm/harbor-scanner-trivy/Chart.yaml @@ -1,7 +1,7 @@ apiVersion: v1 name: harbor-scanner-trivy -version: 0.32.0 -appVersion: 0.32.0 +version: 0.32.1 +appVersion: 0.32.1 description: Harbor scanner adapter for Trivy keywords: - scanner diff --git a/helm/harbor-scanner-trivy/README.md b/helm/harbor-scanner-trivy/README.md index f63159e..bc030f2 100644 --- a/helm/harbor-scanner-trivy/README.md +++ b/helm/harbor-scanner-trivy/README.md 
@@ -73,51 +73,51 @@ The command removes all the Kubernetes components associated with the chart and The following table lists the configurable parameters of the scanner adapter chart and their default values. -| Parameter | Description | Default | -|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------| -| `image.registry` | Image registry | `docker.io` | -| `image.repository` | Image name | `aquasec/harbor-scanner-trivy` | -| `image.tag` | Image tag | `{TAG_NAME}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `replicaCount` | Number of scanner adapter Pods to run | `1` | -| `scanner.logLevel` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. 
The standard logger logs entries with that level or anything above it | `info` | -| `scanner.api.tlsEnabled` | The flag to enable or disable TLS for HTTP | `true` | -| `scanner.api.tlsCertificate` | The absolute path to the x509 certificate file | | -| `scanner.api.tlsKey` | The absolute path to the x509 private key file | | -| `scanner.api.readTimeout` | The maximum duration for reading the entire request, including the body | `15s` | -| `scanner.api.writeTimeout` | The maximum duration before timing out writes of the response | `15s` | -| `scanner.api.idleTimeout` | The maximum amount of time to wait for the next request when keep-alives are enabled | `60s` | -| `scanner.trivy.cacheDir` | Trivy cache directory | `/home/scanner/.cache/trivy` | -| `scanner.trivy.reportsDir` | Trivy reports directory | `/home/scanner/.cache/reports` | -| `scanner.trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` | -| `scanner.trivy.vulnType` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| `os,library` | -| `scanner.trivy.ignorepolicy` | The OPA rego script used by Trivy to evaluate each vulnerability | ` ` | -| `scanner.trivy.severity` | Comma-separated list of vulnerabilities severities to be displayed | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | -| `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | -| `scanner.trivy.timeout` | The duration to wait for scan completion | `5m0s` | -| `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` | -| `scanner.trivy.skipJavaDBUpdate` | The flag to enable or disable Trivy Java DB downloads from GitHub | `ghcr.io/aquasecurity/trivy-db` | -| `scanner.trivy.dbRepository` | OCI repository to retrieve the trivy vulnerability database from | `ghcr.io/aquasecurity/trivy-java-db` | -| `scanner.trivy.javaDBRepository` | OCI repository to retrieve the Java trivy vulnerability database from | `false` | -| `scanner.trivy.offlineScan` | The flag to disable external API requests to identify dependencies | `false` | -| `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | | -| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` | -| `scanner.store.redisNamespace` | The namespace for keys in the Redis store | `harbor.scanner.trivy:store` | -| `scanner.store.redisScanJobTTL` | The time to live for persisting scan jobs and associated scan reports | `1h` | -| `scanner.jobQueue.redisNamespace` | The namespace for keys in the scan jobs queue backed by Redis | `harbor.scanner.trivy:job-queue` | -| `scanner.jobQueue.workerConcurrency` | The number of workers to spin-up for a jobs queue | `1` | +| Parameter | Description | Default | 
+|---------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------| +| `image.registry` | Image registry | `docker.io` | +| `image.repository` | Image name | `aquasec/harbor-scanner-trivy` | +| `image.tag` | Image tag | `{TAG_NAME}` | +| `image.pullPolicy` | Image pull policy | `IfNotPresent` | +| `replicaCount` | Number of scanner adapter Pods to run | `1` | +| `scanner.logLevel` | The log level of `trace`, `debug`, `info`, `warn`, `warning`, `error`, `fatal` or `panic`. The standard logger logs entries with that level or anything above it | `info` | +| `scanner.api.tlsEnabled` | The flag to enable or disable TLS for HTTP | `true` | +| `scanner.api.tlsCertificate` | The absolute path to the x509 certificate file | | +| `scanner.api.tlsKey` | The absolute path to the x509 private key file | | +| `scanner.api.readTimeout` | The maximum duration for reading the entire request, including the body | `15s` | +| `scanner.api.writeTimeout` | The maximum duration before timing out writes of the response | `15s` | +| `scanner.api.idleTimeout` | The maximum amount of time to wait for the next request when keep-alives are enabled | `60s` | +| `scanner.trivy.cacheDir` | Trivy cache directory | `/home/scanner/.cache/trivy` | +| `scanner.trivy.reportsDir` | Trivy reports directory | `/home/scanner/.cache/reports` | +| `scanner.trivy.debugMode` | The flag to enable or disable Trivy debug mode | `false` | +| `scanner.trivy.vulnType` | Comma-separated list of vulnerability types. Possible values are `os` and `library`. 
| `os,library` | +| `scanner.trivy.ignorepolicy` | The OPA rego script used by Trivy to evaluate each vulnerability | ` ` | +| `scanner.trivy.severity` | Comma-separated list of vulnerabilities severities to be displayed | `UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL` | +| `scanner.trivy.ignoreUnfixed` | The flag to display only fixed vulnerabilities | `false` | +| `scanner.trivy.timeout` | The duration to wait for scan completion | `5m0s` | +| `scanner.trivy.skipUpdate` | The flag to enable or disable Trivy DB downloads from GitHub | `false` | +| `scanner.trivy.skipJavaDBUpdate` | The flag to enable or disable Trivy Java DB downloads from GitHub | `mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db` | +| `scanner.trivy.dbRepository` | OCI repositories to retrieve the trivy vulnerability database from | `mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db` | +| `scanner.trivy.javaDBRepository` | OCI repositories to retrieve the Java trivy vulnerability database from | `false` | +| `scanner.trivy.offlineScan` | The flag to disable external API requests to identify dependencies | `false` | +| `scanner.trivy.gitHubToken` | The GitHub access token to download Trivy DB | | +| `scanner.trivy.insecure` | The flag to skip verifying registry certificate | `false` | +| `scanner.store.redisNamespace` | The namespace for keys in the Redis store | `harbor.scanner.trivy:store` | +| `scanner.store.redisScanJobTTL` | The time to live for persisting scan jobs and associated scan reports | `1h` | +| `scanner.jobQueue.redisNamespace` | The namespace for keys in the scan jobs queue backed by Redis | `harbor.scanner.trivy:job-queue` | +| `scanner.jobQueue.workerConcurrency` | The number of workers to spin-up for a jobs queue | `1` | | `scanner.redis.poolURL` | The Redis server URI. The URI supports schemas to connect to a standalone Redis server, i.e. `redis://:password@standalone_host:port/db-number` and Redis Sentinel deployment, i.e. 
`redis+sentinel://:password@sentinel_host1:port1,sentinel_host2:port2/monitor-name/db-number`. | -| `scanner.redis.poolMaxActive` | The max number of connections allocated by the Redis connection pool | `5` | -| `scanner.redis.poolMaxIdle` | The max number of idle connections in the Redis connection pool | `5` | -| `scanner.redis.poolIdleTimeout` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. | `5m` | -| `scanner.redis.poolConnectionTimeout` | The timeout for connecting to the Redis server | `1s` | -| `scanner.redis.poolReadTimeout` | The timeout for reading a single Redis command reply | `1s` | -| `scanner.redis.poolWriteTimeout` | The timeout for writing a single Redis command | `1s` | -| `service.type` | Kubernetes service type | `ClusterIP` | -| `service.port` | Kubernetes service port | `8080` | -| `httpProxy` | The URL of the HTTP proxy server | | -| `httpsProxy` | The URL of the HTTPS proxy server | | -| `noProxy` | The URLs that the proxy settings do not apply to | | +| `scanner.redis.poolMaxActive` | The max number of connections allocated by the Redis connection pool | `5` | +| `scanner.redis.poolMaxIdle` | The max number of idle connections in the Redis connection pool | `5` | +| `scanner.redis.poolIdleTimeout` | The duration after which idle connections to the Redis server are closed. If the value is zero, then idle connections are not closed. 
| `5m` |
+| `scanner.redis.poolConnectionTimeout` | The timeout for connecting to the Redis server | `1s` |
+| `scanner.redis.poolReadTimeout` | The timeout for reading a single Redis command reply | `1s` |
+| `scanner.redis.poolWriteTimeout` | The timeout for writing a single Redis command | `1s` |
+| `service.type` | Kubernetes service type | `ClusterIP` |
+| `service.port` | Kubernetes service port | `8080` |
+| `httpProxy` | The URL of the HTTP proxy server | |
+| `httpsProxy` | The URL of the HTTPS proxy server | |
+| `noProxy` | The URLs that the proxy settings do not apply to | |
 The above parameters map to the env variables defined in [harbor-scanner-trivy](https://github.com/aquasecurity/harbor-scanner-trivy#configuration).
diff --git a/helm/harbor-scanner-trivy/values.yaml b/helm/harbor-scanner-trivy/values.yaml
index 7961e64..2810475 100644
--- a/helm/harbor-scanner-trivy/values.yaml
+++ b/helm/harbor-scanner-trivy/values.yaml
@@ -4,7 +4,7 @@ fullnameOverride: ""
 image:
 registry: docker.io
 repository: goharbor/harbor-scanner-trivy
- tag: 0.32.0
+ tag: 0.32.1
 pullPolicy: IfNotPresent
 replicaCount: 1
diff --git a/pkg/etc/config.go b/pkg/etc/config.go
index 3a51cdc..45f7cc4 100644
--- a/pkg/etc/config.go
+++ b/pkg/etc/config.go
@@ -34,8 +34,8 @@ type Trivy struct {
 IgnorePolicy string `env:"SCANNER_TRIVY_IGNORE_POLICY"`
 SkipDBUpdate bool `env:"SCANNER_TRIVY_SKIP_UPDATE" envDefault:"false"`
 SkipJavaDBUpdate bool `env:"SCANNER_TRIVY_SKIP_JAVA_DB_UPDATE" envDefault:"false"`
- DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-db"`
- JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY" envDefault:"ghcr.io/aquasecurity/trivy-java-db"`
+ DBRepository string `env:"SCANNER_TRIVY_DB_REPOSITORY"`
+ JavaDBRepository string `env:"SCANNER_TRIVY_JAVA_DB_REPOSITORY"`
 OfflineScan bool `env:"SCANNER_TRIVY_OFFLINE_SCAN" envDefault:"false"`
 GitHubToken string `env:"SCANNER_TRIVY_GITHUB_TOKEN"`
 Insecure bool `env:"SCANNER_TRIVY_INSECURE" envDefault:"false"`
diff --git a/pkg/trivy/wrapper_test.go b/pkg/trivy/wrapper_test.go
index b39acca..4f0c7f2 100644
--- a/pkg/trivy/wrapper_test.go
+++ b/pkg/trivy/wrapper_test.go
@@ -155,12 +155,12 @@ func TestWrapper_Scan(t *testing.T) {
 "--ignore-unfixed",
 "--skip-db-update",
 "--skip-java-db-update",
+ "--ignore-policy",
+ "/home/scanner/opa/policy.rego",
 "--db-repository",
 "ghcr.io/aquasecurity/trivy-db",
 "--java-db-repository",
 "ghcr.io/aquasecurity/trivy-java-db",
- "--ignore-policy",
- "/home/scanner/opa/policy.rego",
 "--debug",
 "--insecure",
 "alpine:3.10.2",
diff --git a/test/component/component_test.go b/test/component/component_test.go
index f3c0896..dc83161 100644
--- a/test/component/component_test.go
+++ b/test/component/component_test.go
@@ -26,7 +26,7 @@ var (
 trivyScanner = harbor.Scanner{
 Name: "Trivy",
 Vendor: "Aqua Security",
- Version: "0.56.1",
+ Version: "0.57.1",
 }
 )
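Review bot: Dropping `envDefault` from `DBRepository` and `JavaDBRepository` leaves the adapter's own default empty, while the README in this same commit documents `mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db` as the default; the effective value when the variables are unset is now whatever the bundled Trivy 0.57.1 binary falls back to, presumably because the wrapper omits the flag for an empty string (that code is outside this hunk, so I cannot confirm it). Since these repositories decide which vulnerability database the scanner trusts, that deferral should be stated on the fields rather than left implicit, e.g. `// No envDefault on purpose: when unset, the repository flag is left to the bundled Trivy binary's own defaults (see README), so the documented default tracks TRIVY_VERSION.` The helm README rows for `scanner.trivy.skipJavaDBUpdate`, `scanner.trivy.dbRepository` and `scanner.trivy.javaDBRepository` touched by this commit also have their Default column shifted by one row (`skipJavaDBUpdate` shows the DB repository list and `javaDBRepository` shows `false`). The `Trivy` struct starts before this hunk.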
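Review bot: The expected argument list on the new side still pins `--db-repository ghcr.io/aquasecurity/trivy-db` and `--java-db-repository ghcr.io/aquasecurity/trivy-java-db`, although `envDefault` for both fields is removed from `pkg/etc/config.go` in this same commit; the assertion is only meaningful if the test's config fixture sets both repositories explicitly, which is outside this hunk and which I cannot confirm. A short comment beside these two pairs, `// repositories come from the test config: the adapter no longer supplies a default`, would make that dependency visible to the next person who changes the defaults. The assertion also compares exact positional order, which is why moving `--ignore-policy` ahead of `--db-repository` is needed here; if the wrapper's ordering is not a contract, a comment saying the order mirrors the wrapper's flag construction would help. TestWrapper_Scan starts and ends outside this hunk.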