goharbor / harbor

An open source trusted cloud native registry project that stores, signs, and scans content.
https://goharbor.io
Apache License 2.0

bump needed for trivy to v0.57.1 in harbor-scanner-trivy #21223

Open stgdns opened 2 days ago

stgdns commented 2 days ago

Hello everyone,

I'm proposing that trivy is updated to v0.57.1 in harbor-scanner-trivy.

Reason: the trivy scanner has not been usable for quite a while because the vuln-db download constantly fails, because of GitHub rate-limiting at the organization level ("aquasecurity"), see: https://github.com/aquasecurity/trivy/issues/7938

fixed in version: trivy to v0.57.1

If this is not possible, then maybe the PR https://github.com/goharbor/harbor-scanner-trivy/pull/7 could be merged and the helm chart at https://helm.goharbor.io updated, to allow setting the vuln-db URLs manually.

PS: since recently the new home of harbor-scanner-trivy is: https://github.com/goharbor/harbor-scanner-trivy

benji78 commented 1 day ago

Technically harbor v2.11.2 now contains harbor-scanner-trivy v0.32.0 (= trivy v0.56.1). So you can already set the SCANNER_TRIVY_DB_REPOSITORY and SCANNER_TRIVY_JAVA_DB_REPOSITORY environment variables to manually change the vulnerability database repositories (multiple db repositories should work). This is not yet the case for harbor v2.12.0 (which only contains harbor-scanner-trivy v0.31.4 (= trivy v0.54.1)).

If you use the helm chart, version 1.16.0 (harbor v2.12.0) has been updated with trivy-adapter-photon v2.12.0 (= harbor-scanner-trivy v0.32.0 = trivy v0.56.1) so you can set the environment variables directly in the chart's values:

    trivy:
      extraEnvVars:
        - name: SCANNER_TRIVY_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db
        - name: SCANNER_TRIVY_JAVA_DB_REPOSITORY
          value: mirror.gcr.io/aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db

For previous versions, you can change the image version in the chart values (untested):

    trivy:
      image:
        tag: v2.12.0

For the new trivy defaults, an upgrade to trivy v0.57.1 is indeed necessary unless I hard code them in harbor-scanner-trivy#7 and it is merged.

dan-m8t commented 2 hours ago

Just for clearance @benji78 - I recently updated Harbor to 2.12.0 because of the first trivy fix a few weeks ago. The Trivy adapter reports 0.56.1 as the trivy version, so I would assume that this solution also works for 2.12?

scanner [ / ]$ trivy -v
Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-21 18:16:43.863577371 +0000 UTC
  NextUpdate: 2024-11-22 18:16:43.86357697 +0000 UTC
  DownloadedAt: 2024-11-21 21:46:14.990881268 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-22 02:45:24.819418998 +0000 UTC
  NextUpdate: 2024-11-25 02:45:24.819418878 +0000 UTC
  DownloadedAt: 2024-11-22 09:01:38.827602395 +0000 UTC

goharbor/trivy-adapter-photon:v2.12.0 is what I use (docker-compose setup)
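As an added example that is not part of this thread, the following script parses `trivy -v` output in the layout shown above and flags a database whose `NextUpdate` has already passed, which is the symptom of the failing vuln-db download discussed here; it also checks whether the reported trivy version is at least v0.57.1. The sample output is constructed from the format above.

```python
import re
from datetime import datetime, timezone

# Constructed sample mirroring the layout of `trivy -v` output shown in the thread.
SAMPLE_TRIVY_VERSION = """\
Version: 0.56.1
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-11-21 18:16:43.863577371 +0000 UTC
  NextUpdate: 2024-11-22 18:16:43.86357697 +0000 UTC
  DownloadedAt: 2024-11-21 21:46:14.990881268 +0000 UTC
Java DB:
  Version: 1
  UpdatedAt: 2024-11-22 02:45:24.819418998 +0000 UTC
  NextUpdate: 2024-11-25 02:45:24.819418878 +0000 UTC
  DownloadedAt: 2024-11-22 09:01:38.827602395 +0000 UTC
"""

# Go-style timestamp: "YYYY-MM-DD HH:MM:SS[.fraction] +0000 UTC"; fraction is optional.
_TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)? \+0000 UTC")

def parse_utc(value):
    """Parse a trivy timestamp into an aware UTC datetime (fraction dropped)."""
    m = _TS.search(value)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_trivy_version(text):
    """Return {"version": str, "<DB name>": {"Version": ..., "NextUpdate": ...}, ...}."""
    info, section = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        if line.startswith("  ") and section:      # indented field of the current DB block
            info[section][key.strip()] = value.strip()
        elif key == "Version":                      # top-level trivy binary version
            info["version"] = value.strip()
        else:                                       # "Vulnerability DB:" / "Java DB:" header
            section = key.strip()
            info[section] = {}
    return info

def stale_databases(info, now):
    """Names of DBs whose NextUpdate is in the past, i.e. the periodic refresh is failing."""
    return [name for name, db in info.items()
            if isinstance(db, dict) and parse_utc(db["NextUpdate"]) < now]

def has_new_db_defaults(version):
    """True when trivy is at least v0.57.1, the release the issue asks for."""
    return tuple(int(x) for x in version.lstrip("v").split(".")) >= (0, 57, 1)

if __name__ == "__main__":
    info = parse_trivy_version(SAMPLE_TRIVY_VERSION)
    print("trivy", info["version"], "new defaults:", has_new_db_defaults(info["version"]))
    print("stale DBs:", stale_databases(info, datetime.now(timezone.utc)))
```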