aquasecurity · chen-keinan · Aug 21, 2023 · Aug 17, 2023 · Aug 17, 2023 · Aug 17, 2023
diff --git a/deploy/helm/README.md b/deploy/helm/README.md
@@ -131,6 +131,7 @@ Keeps security report resources updated
 | trivy.serverUser | string | `""` | serverUser this param is the server user to be used to download db from private registry |
 | trivy.severity | string | `"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"` | severity is a comma separated list of severity levels reported by Trivy. |
 | trivy.skipDirs | string | `nil` | a comma separated list of directories for Trivy to skip |
+| trivy.skipJavaDBUpdate | bool | `false` | skipJavaDBUpdate is the flag to enable skip Java index databases update for Trivy client. |
 | trivy.slow | bool | `true` | slow this flag is to use less CPU/memory for scanning though it takes more time than normal scanning. It fits small-footprint |
 | trivy.sslCertDir | string | `nil` | sslCertDir can be used to override the system default locations for SSL certificate files directory, example: /ssl/certs |
 | trivy.storageClassName | string | `""` | storageClassName is the name of the storage class to be used for trivy server PVC |

diff --git a/deploy/helm/templates/config.yaml b/deploy/helm/templates/config.yaml
@@ -126,6 +126,7 @@ data:
   {{- end }}
   trivy.severity: {{ .Values.trivy.severity | quote }}
   trivy.slow: {{ .Values.trivy.slow | quote }}
+  trivy.skipJavaDBUpdate: {{ .Values.trivy.skipJavaDBUpdate | quote }}
   trivy.dbRepository: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}"
   trivy.javaDbRepository: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}"
   trivy.command: {{ .Values.trivy.command | quote }}

diff --git a/deploy/helm/values.yaml b/deploy/helm/values.yaml
@@ -367,6 +367,9 @@ trivy:
   # Only applicable in ClientServer mode.
   clientServerSkipUpdate: false
 
+  # -- skipJavaDBUpdate is the flag to enable skip Java index databases update for Trivy client.
+  skipJavaDBUpdate: false
+
   # -- serverInsecure is the flag to enable insecure connection to the Trivy server.
   serverInsecure: false
 

diff --git a/deploy/static/trivy-operator.yaml b/deploy/static/trivy-operator.yaml
@@ -2170,6 +2170,7 @@ data:
   trivy.additionalVulnerabilityReportFields: ""
   trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
   trivy.slow: "true"
+  trivy.skipJavaDBUpdate: "false"
   trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
   trivy.javaDbRepository: "ghcr.io/aquasecurity/trivy-java-db"
   trivy.command: "image"

diff --git a/pkg/operator/envtest/testdata/fixture/cronjob-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/cronjob-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_hello.json &&  bzip2 -c /tmp/scan/result_hello.json | base64
+            - trivy image --slow 'busybox:1.28' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_hello.json &&  bzip2 -c /tmp/scan/result_hello.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/operator/envtest/testdata/fixture/daemonset-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/daemonset-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_fluentd-elasticsearch.json &&  bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64
+            - trivy image --slow 'quay.io/fluentd_elasticsearch/fluentd:v2.5.2' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_fluentd-elasticsearch.json &&  bzip2 -c /tmp/scan/result_fluentd-elasticsearch.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/operator/envtest/testdata/fixture/job-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/job-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_pi.json &&  bzip2 -c /tmp/scan/result_pi.json | base64
+            - trivy image --slow 'perl:5.34' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_pi.json &&  bzip2 -c /tmp/scan/result_pi.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/operator/envtest/testdata/fixture/pod-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/pod-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_app.json &&  bzip2 -c /tmp/scan/result_app.json | base64
+            - trivy image --slow 'app-image:app-image-tag' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_app.json &&  bzip2 -c /tmp/scan/result_app.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/operator/envtest/testdata/fixture/replicaset-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/replicaset-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_wordpress.json &&  bzip2 -c /tmp/scan/result_wordpress.json | base64
+            - trivy image --slow 'wordpress:4.9' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_wordpress.json &&  bzip2 -c /tmp/scan/result_wordpress.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/operator/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/replicationcontroller-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_nginx.json &&  bzip2 -c /tmp/scan/result_nginx.json | base64
+            - trivy image --slow 'nginx' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_nginx.json &&  bzip2 -c /tmp/scan/result_nginx.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/operator/envtest/testdata/fixture/statefulset-expected-scan.yaml b/pkg/operator/envtest/testdata/fixture/statefulset-expected-scan.yaml
@@ -47,7 +47,7 @@ spec:
       containers:
         - args:
             - -c
-            - trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret   --skip-update --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_nginx.json &&  bzip2 -c /tmp/scan/result_nginx.json | base64
+            - trivy image --slow 'k8s.gcr.io/nginx-slim:0.8' --security-checks vuln,secret --image-config-scanners secret   --skip-update  --cache-dir /tmp/trivy/.cache --quiet  --format json > /tmp/scan/result_nginx.json &&  bzip2 -c /tmp/scan/result_nginx.json | base64
           command:
             - /bin/sh
           env:

diff --git a/pkg/plugins/trivy/flags.go b/pkg/plugins/trivy/flags.go
@@ -24,7 +24,7 @@ func Slow(c Config) string {
 	if err != nil {
 		return ""
 	}
-	// support backward competability with older tags
+	// support backward compatibility with older tags
 	if compareTagVersion(tag, "< 0.35.0") {
 		return ""
 	}
@@ -40,7 +40,7 @@ func Scanners(c Config) string {
 	if err != nil {
 		return "--scanners"
 	}
-	// support backward competability with older tags
+	// support backward compatibility with older tags
 	if compareTagVersion(tag, "< 0.37.0") {
 		return "--security-checks"
 	}
@@ -53,20 +53,36 @@ func SkipDBUpdate(c Config) string {
 	if err != nil {
 		return "--skip-db-update"
 	}
-	// support backward competability with older tags
+	// support backward compatibility with older tags
 	if compareTagVersion(tag, "< 0.37.0") {
 		return "--skip-update"
 	}
 	return "--skip-db-update"
 }
 
+// SkipJavaDBUpdate skip update flag
+func SkipJavaDBUpdate(c Config) string {
+	if c.GetSkipJavaDBUpdate() {
+		tag, err := c.GetImageTag()
+		if err != nil {
+			return "--skip-java-db-update"
+		}
+		// support backward compatibility with older tags
+		if compareTagVersion(tag, "< 0.37.0") {
+			return ""
+		}
+		return "--skip-java-db-update"
+	}
+	return ""
+}
+
 // MultiSecretSupport validate if trivy multi secret support
 func MultiSecretSupport(c Config) bool {
 	tag, err := c.GetImageTag()
 	if err != nil {
 		return true
 	}
-	// support backward competability with older tags
+	// support backward compatibility with older tags
 	if compareTagVersion(tag, "< 0.38.0") {
 		return false
 	}

diff --git a/pkg/plugins/trivy/flags_test.go b/pkg/plugins/trivy/flags_test.go
@@ -126,7 +126,7 @@ func TestSkipDBUpdate(t *testing.T) {
 			want: "--skip-db-update",
 		},
 		{
-			name: "skip update DB with trivy tag higher then v0.38.0",
+			name: "skip update DB with trivy tag higher then v0.37.0",
 			configData: map[string]string{
 				"trivy.tag": "0.38.0",
 			},
@@ -145,3 +145,56 @@ func TestSkipDBUpdate(t *testing.T) {
 		})
 	}
 }
+
+func TestSkipJavaDBUpdate(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configData trivyoperator.ConfigData
+		want       string
+	}{
+		{
+			name: "skip update Java DB with trivy tag lower then v0.37.0",
+			configData: map[string]string{
+				"trivy.skipJavaDBUpdate": "true",
+				"trivy.tag":              "0.36.0",
+			},
+			want: "",
+		},
+		{
+			name: "skip update Java DB with trivy tag equal to v0.37.0",
+			configData: map[string]string{
+				"trivy.skipJavaDBUpdate": "true",
+				"trivy.tag":              "0.37.0",
+			},
+			want: "--skip-java-db-update",
+		},
+		{
+			name: "skip update Java DB with trivy tag higher then v0.37.0",
+			configData: map[string]string{
+				"trivy.skipJavaDBUpdate": "true",
+				"trivy.tag":              "0.38.0",
+			},
+			want: "--skip-java-db-update",
+		},
+		{
+			name: "skip update Java DB with no trivy tag",
+			configData: map[string]string{
+				"trivy.skipJavaDBUpdate": "true",
+			},
+			want: "--skip-java-db-update",
+		},
+		{
+			name: "skip update Java DB with skip false",
+			configData: map[string]string{
+				"trivy.skipJavaDBUpdate": "false",
+			},
+			want: "",
+		},
+	}
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			got := trivy.SkipJavaDBUpdate(trivy.Config{trivyoperator.PluginConfig{Data: tc.configData}})
+			assert.Equal(t, got, tc.want)
+		})
+	}
+}
diff --git a/pkg/plugins/trivy/plugin.go b/pkg/plugins/trivy/plugin.go
@@ -85,6 +85,7 @@ const (
 
 	keyTrivyServerURL              = "trivy.serverURL"
 	keyTrivyClientServerSkipUpdate = "trivy.clientServerSkipUpdate"
+	keyTrivySkipJavaDBUpdate       = "trivy.skipJavaDBUpdate"
 	// nolint:gosec // This is not a secret, but a configuration value.
 	keyTrivyServerTokenHeader = "trivy.serverTokenHeader"
 	keyTrivyServerInsecure    = "trivy.serverInsecure"
@@ -251,6 +252,18 @@ func (c Config) GetClientServerSkipUpdate() bool {
 	return boolVal
 }
 
+func (c Config) GetSkipJavaDBUpdate() bool {
+	val, ok := c.Data[keyTrivySkipJavaDBUpdate]
+	if !ok {
+		return false
+	}
+	boolVal, err := strconv.ParseBool(val)
+	if err != nil {
+		return false
+	}
+	return boolVal
+}
+
 func (c Config) GetServerInsecure() bool {
 	_, ok := c.Data[keyTrivyServerInsecure]
 	return ok
@@ -1129,6 +1142,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 		return []string{}, []string{}
 	}
 	slow := Slow(c)
+	skipJavaDBUpdate := SkipJavaDBUpdate(c)
 	vulnTypeArgs := p.vulnTypeFilter(ctx)
 	scanners := Scanners(c)
 	var vulnTypeFlag string
@@ -1154,6 +1168,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 				scanners,
 				getSecurityChecks(ctx),
 				skipUpdate,
+				skipJavaDBUpdate,
 				"--format",
 				"json",
 				"--server",
@@ -1175,7 +1190,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 			}
 			return command, args
 		}
-		return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json --server '%s' > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, getPkgList(ctx), trivyServerURL, resultFileName, resultFileName)}
+		return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json --server '%s' > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, getPkgList(ctx), trivyServerURL, resultFileName, resultFileName)}
 	}
 	skipUpdate = SkipDBUpdate(c)
 	if !compressLogs {
@@ -1187,6 +1202,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 			scanners,
 			getSecurityChecks(ctx),
 			skipUpdate,
+			skipJavaDBUpdate,
 			"--format",
 			"json",
 			imageRef,
@@ -1206,7 +1222,7 @@ func (p *plugin) getCommandAndArgs(ctx trivyoperator.PluginContext, mode Mode, i
 		}
 		return command, args
 	}
-	return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, getPkgList(ctx), resultFileName, resultFileName)}
+	return []string{"/bin/sh"}, []string{"-c", fmt.Sprintf(`trivy image %s '%s' %s %s %s %s %s %s --cache-dir /tmp/trivy/.cache --quiet %s --format json > /tmp/scan/%s &&  bzip2 -c /tmp/scan/%s | base64`, slow, imageRef, scanners, getSecurityChecks(ctx), imageconfigSecretScannerFlag, vulnTypeFlag, skipUpdate, skipJavaDBUpdate, getPkgList(ctx), resultFileName, resultFileName)}
 }
 
 func (p *plugin) vulnTypeFilter(ctx trivyoperator.PluginContext) []string {