fix: add option to change java db repository (aquasecurity#1179)
* fix: add java db repository options to client/server mode

* test: add / update tests for java db repository option

* docs: add new java db repository option

* style: reuse construct env var methods

the two methods already exist, so let's migrate the env vars to also use them, as it reduces repetition quite a lot
Alexej Disterhoft authored Apr 24, 2023
1 parent dc3e781 commit 01235e7
Showing 14 changed files with 1,085 additions and 532 deletions.
171 changes: 86 additions & 85 deletions deploy/helm/README.md

1 change: 1 addition & 0 deletions deploy/helm/templates/config.yaml
Expand Up @@ -118,6 +118,7 @@ data:
trivy.severity: {{ .Values.trivy.severity | quote }}
trivy.slow: {{ .Values.trivy.slow | quote }}
trivy.dbRepository: "{{ .Values.trivy.dbRegistry }}/{{ .Values.trivy.dbRepository }}"
trivy.javaDbRepository: "{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}"
trivy.command: {{ .Values.trivy.command | quote }}
{{- if .Values.trivy.skipDirs }}
trivy.skipDirs: {{ .Values.trivy.skipDirs | quote }}
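Review bot: the new `trivy.javaDbRepository` key is rendered unconditionally as `{{ .Values.trivy.javaDbRegistry }}/{{ .Values.trivy.javaDbRepository }}`, so an empty `javaDbRegistry` yields a value with a leading slash (`/aquasecurity/trivy-java-db`) that Trivy cannot pull from; either guard the key with an `{{- if }}` as is done for `trivy.skipDirs` just below, or state in values.yaml that both halves are required. The same applies to the existing `trivy.dbRepository` line above.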
5 changes: 4 additions & 1 deletion deploy/helm/values.yaml
Expand Up @@ -212,7 +212,6 @@ trivyOperator:
# labeled with. Example: `foo=bar,env=stage` will labeled the reports with the labels `foo: bar` and `env: stage`
additionalReportLabels: ""


trivy:
# createConfig indicates whether to create config objects
createConfig: true
Expand Down Expand Up @@ -356,6 +355,10 @@ trivy:
dbRegistry: "ghcr.io"
dbRepository: "aquasecurity/trivy-db"

# javaDbRegistry is the registry for the Java vulnerability database.
javaDbRegistry: "ghcr.io"
javaDbRepository: "aquasecurity/trivy-java-db"

# The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env)
#
dbRepositoryInsecure: "false"
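Review bot: `javaDbRepository` has no comment while `javaDbRegistry` does; add one line saying it is the OCI repository for the Java vulnerability database (trivy-java-db). The `dbRepositoryInsecure` comment directly below only mentions trivy-db, so a reader configuring an air-gapped mirror cannot tell whether that flag also covers the Java DB download; say so explicitly either way.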
1 change: 1 addition & 0 deletions deploy/static/trivy-operator.yaml
Expand Up @@ -1832,6 +1832,7 @@ data:
trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
trivy.slow: "true"
trivy.dbRepository: "ghcr.io/aquasecurity/trivy-db"
trivy.javaDbRepository: "ghcr.io/aquasecurity/trivy-java-db"
trivy.command: "image"
trivy.dbRepositoryInsecure: "false"
trivy.useBuiltinRegoPolicies: "true"
7 changes: 4 additions & 3 deletions docs/docs/vulnerability-scanning/trivy.md
Expand Up @@ -78,6 +78,7 @@ EOF
| `trivy.tag` | `0.36.0` | Version of the Trivy image |
| `trivy.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy image from private registries example: `reg-secret`. It is the user responsibility to create the secret for the private registry in `trivy-operator` namespace. |
| `trivy.dbRepository` | `ghcr.io/aquasecurity/trivy-db` | External OCI Registry to download the vulnerability database |
| `trivy.javaDbRepository` | `ghcr.io/aquasecurity/trivy-java-db` | External OCI Registry to download the vulnerability database for Java |
| `trivy.dbRepositoryInsecure` | `false` | The Flag to enable insecure connection for downloading trivy-db via proxy (air-gaped env) |
| `trivy.mode` | `Standalone` | Trivy client mode. Either `Standalone` or `ClientServer`. Depending on the active mode other settings might be applicable or required. |
| `additionalVulnerabilityReportFields` | N/A | A comma separated list of additional fields which can be added to the VulnerabilityReport. Possible values: `Description,Links,CVSS,Target,Class,PackageType`. Description will add more data about vulnerability. Links - all the references to a specific vulnerability. CVSS - data about CVSSv2/CVSSv3 scoring and vectors. Target - vulnerable element. Class - OS or library vulnerability |
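Review bot: the description for `trivy.javaDbRepository` says "External OCI Registry", but the value `ghcr.io/aquasecurity/trivy-java-db` is a full repository reference (registry plus path), as the key name also says; rephrase to "OCI repository from which the Java vulnerability database (trivy-java-db) is downloaded". The next row documents `trivy.dbRepositoryInsecure` for trivy-db only; state whether it also applies to the Java DB download, since mirrors behind a proxy are the main reason to set this new option.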
Expand All @@ -95,7 +96,7 @@ EOF
| `trivy.timeout` | `5m0s` | The duration to wait for scan completion |
| `trivy.serverURL` | N/A | The endpoint URL of the Trivy server. Required in `ClientServer` mode. |
| `node.collector.imageRef` | ghcr.io/aquasecurity/node-collector:0.0.6 | The imageRef use for node-collector job . |
| `node.collector.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy node-collector from private registries . |
| `node.collector.imagePullSecret` | N/A | imagePullSecret is the secret name to be used when pulling trivy node-collector from private registries . |
| `trivy.serverTokenHeader` | `Trivy-Token` | The name of the HTTP header to send the authentication token to Trivy server. Only application in `ClientServer` mode when `trivy.serverToken` is specified. |
| `trivy.serverInsecure` | N/A | The Flag to enable insecure connection to the Trivy server. |
| `trivy.insecureRegistry.<id>` | N/A | The registry to which insecure connections are allowed. There can be multiple registries with different registry `<id>`. |
Expand All @@ -106,10 +107,10 @@ EOF
| `trivy.noProxy` | N/A | A comma separated list of IPs and domain names that are not subject to proxy settings. |
| `trivy.resources.requests.cpu` | `100m` | The minimum amount of CPU required to run Trivy scanner pod. |
| `trivy.resources.requests.memory` | `100M` | The minimum amount of memory required to run Trivy scanner pod. |
| `trivy.resources.requests.ephemeral-storage` | `` | The minimum amount of ephemeral-storage required to run Trivy scanner pod. |
| `trivy.resources.requests.ephemeral-storage` | `` | The minimum amount of ephemeral-storage required to run Trivy scanner pod. |
| `trivy.resources.limits.cpu` | `500m` | The maximum amount of CPU allowed to run Trivy scanner pod. |
| `trivy.resources.limits.memory` | `500M` | The maximum amount of memory allowed to run Trivy scanner pod. |
| `trivy.resources.limits.ephemeral-storage` | `` | The maximum amount of ephemeral-storage allowed to run Trivy scanner pod. |
| `trivy.resources.limits.ephemeral-storage` | `` | The maximum amount of ephemeral-storage allowed to run Trivy scanner pod. |
| `trivy.storageClassName` | `` | The name of the storage class to be used for Trivy server PVC. |
| `trivy.podLabels` | `` | The extra pod labels to be used for Trivy server. |
| `trivy.priorityClassName` | `` | PriorityClassName is the name of the priority class used for trivy server. |
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef:
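Review bot: with `optional: true`, a missing `trivy.javaDbRepository` ConfigMap key silently leaves `TRIVY_JAVA_DB_REPOSITORY` unset and the scan job falls back to Trivy's built-in default instead of failing; that is acceptable because the chart always renders the key, but these fixtures only verify the env var wiring, so a test that a configured non-default value actually reaches the scan job would strengthen the coverage the commit message claims. The remaining seven fixture hunks are identical and the same comment applies to them.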
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef:
6 changes: 6 additions & 0 deletions pkg/operator/envtest/testdata/fixture/job-expected-scan.yaml
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef:
6 changes: 6 additions & 0 deletions pkg/operator/envtest/testdata/fixture/pod-expected-scan.yaml
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef:
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef:
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef:
Expand Up @@ -69,6 +69,12 @@ spec:
key: trivy.offlineScan
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_JAVA_DB_REPOSITORY
valueFrom:
configMapKeyRef:
key: trivy.javaDbRepository
name: trivy-operator-trivy-config
optional: true
- name: TRIVY_TIMEOUT
valueFrom:
configMapKeyRef: