Open trefzer opened 7 months ago
@trefzer I suppose this is for an air-gapped use case. However, note that CVEs are a moving target, so how does this DB get updated in the first place?
DB updates go through an internal URL (either a proxy or a cron job which does the download regularly). As far as I can see, the URL is already a constant in the code, but I did not find a way to change it in the config.
Hi @trefzer, it is not hardcoded/constant; we already have this configuration option, but we did not advertise it.
For example, if you want to use a custom URL for the trivy-db and the default value for the Java vulnerability DB (they are different artifacts):

```json
"search": {
  "enable": true,
  "cve": {
    "updateInterval": "2h",
    "trivy": {"javadbrepository": "", "dbrepository": "ghcr.io/project-zot/trivy-db"}
  }
},
```

Note these DBs are actually artifacts which trivy downloads internally using an oras library.
The default trivy DB is ghcr.io/aquasecurity/trivy-db, pointing to https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db, and the default trivy Java DB is ghcr.io/aquasecurity/trivy-java-db, pointing to https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-java-db
@andaaron thanks for the fast answer. Oh great, or even better! Like this I can use my usual container update script (e.g. skopeo) to update the DB in the local zot and point the DBs to the localhost zot ;) The only problem I have now is that it tries to use https, and currently my zot is only http. Do I have to use https, or is it possible to switch to http? Can a username/password be specified for the download? (Currently not needed, but it would be nice.)
Hi @trefzer, theoretically the http/https switch and credentials could be tweaked by setting them in this object: https://github.com/project-zot/zot/blob/main/pkg/extensions/search/cve/trivy/scanner.go#L551.
Would you like to give it a shot and provide a PR to add those configuration options and pass them to the trivy library? The credentials should be saved separately in another configuration file, and the path to that file should be included in the zot config.
I am running zot with an https cert. I would like to choose the solution described in https://github.com/project-zot/zot/issues/2298#issuecomment-1978548624: upload the trivy DB into zot itself as an OCI artifact, then let zot itself download it. May I know how to make zot trust the self-signed cert?
According to the description in Mutual TLS authentication, it seems that the cacert attribute will also enable mTLS, but I don't want mTLS; I just need zot to trust the cert itself to download that OCI artifact.
OK, I got it. Regarding the func IsMTLSAuthEnabled, it seems mTLS is the last option for the auth method, and I enabled LDAP auth, so mTLS auth will be disabled here: https://github.com/project-zot/zot/blob/main/pkg/api/controller.go#L188-L192
But I still fail to download the self-hosted trivy-db; it shows:
`tls: failed to verify certificate: x509: certificate signed by unknown authority`
Update:
OK, I understand that we can set an env var SSL_CERT_DIR
to make trivy trust root CAs under that env var's directory
(https://github.com/aquasecurity/trivy/issues/4169),
and we also need to set http.accessControl.repositories.**.anonymousPolicy to read in the config.json.
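Putting the pieces of this thread together (the search.cve.trivy repository settings from the earlier comment, the skopeo mirroring idea, SSL_CERT_DIR and the anonymous read policy), here is an added example that is not zot's or trivy's own code: a POSIX shell script that prints the skopeo copy commands for both DB artifacts, renders a config.json that points zot's CVE scanner at the local mirror and grants anonymous read on every repository, and starts zot with SSL_CERT_DIR set to the directory holding the self-signed CA. The hostname zot.internal:5000, the cert/key/CA paths, the rootDirectory, the distSpecVersion and the schema tags 2 (trivy-db) and 1 (trivy-java-db) are assumptions; check the tags against the trivy version bundled in your zot build.

```shell
#!/bin/sh
# Added example for the thread (not zot's or trivy's own code): mirror the two
# Trivy DB artifacts into an air-gapped zot, render the matching zot config,
# and start zot so that its Go TLS stack (and thus trivy's oras download
# inside zot) trusts the mirror's self-signed CA. Hostnames, paths and the
# schema tags below are assumptions.
set -u

UPSTREAM_DB="ghcr.io/aquasecurity/trivy-db"            # default trivy DB (from the thread)
UPSTREAM_JAVA_DB="ghcr.io/aquasecurity/trivy-java-db"  # default trivy Java DB (from the thread)
DB_TAG="${DB_TAG:-2}"            # assumed schema tag of trivy-db
JAVA_DB_TAG="${JAVA_DB_TAG:-1}"  # assumed schema tag of trivy-java-db
DRY_RUN="${DRY_RUN:-1}"          # 1 = print the zot command instead of exec'ing it

# Upstream reference -> reference in the local mirror, keeping the repo path:
#   mirror_ref zot.internal:5000 ghcr.io/aquasecurity/trivy-db 2
#   -> zot.internal:5000/aquasecurity/trivy-db:2
mirror_ref() {
    printf '%s/%s:%s\n' "$1" "${2#*/}" "$3"
}

# Print the skopeo commands that copy both artifacts into the mirror.
# A plain-http zot (as in the thread) needs --dest-tls-verify=false.
mirror_cmds() {
    host=$1
    tlsflag=''
    if [ "${2:-https}" = http ]; then tlsflag=' --dest-tls-verify=false'; fi
    printf 'skopeo copy%s docker://%s:%s docker://%s\n' "$tlsflag" \
        "$UPSTREAM_DB" "$DB_TAG" "$(mirror_ref "$host" "$UPSTREAM_DB" "$DB_TAG")"
    printf 'skopeo copy%s docker://%s:%s docker://%s\n' "$tlsflag" \
        "$UPSTREAM_JAVA_DB" "$JAVA_DB_TAG" "$(mirror_ref "$host" "$UPSTREAM_JAVA_DB" "$JAVA_DB_TAG")"
}

# Render the zot config: search.cve.trivy points at the mirror (repository
# without tag), and "**" grants anonymous read because the scanner pulls the
# DB without credentials even when LDAP or another auth method is enabled.
render_zot_config() {
    host=$1; cert=$2; key=$3
    db_repo="$host/${UPSTREAM_DB#*/}"
    java_repo="$host/${UPSTREAM_JAVA_DB#*/}"
    cat <<EOF
{
  "distSpecVersion": "1.1.0",
  "storage": { "rootDirectory": "/var/lib/zot" },
  "http": {
    "address": "0.0.0.0",
    "port": "5000",
    "tls": { "cert": "$cert", "key": "$key" },
    "accessControl": {
      "repositories": {
        "**": { "anonymousPolicy": ["read"] }
      }
    }
  },
  "log": { "level": "info" },
  "extensions": {
    "search": {
      "enable": true,
      "cve": {
        "updateInterval": "2h",
        "trivy": {
          "dbrepository": "$db_repo",
          "javadbrepository": "$java_repo"
        }
      }
    }
  }
}
EOF
}

# Go parses every file in each SSL_CERT_DIR entry as PEM, so the directory
# only needs at least one PEM certificate; no OpenSSL-style hashed names.
check_ca_dir() {
    [ -d "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"/* 2>/dev/null
}

# Start zot with SSL_CERT_DIR so the self-signed CA of the mirror is trusted.
run_zot() {
    cadir=$1; cfg=$2
    if ! check_ca_dir "$cadir"; then
        echo "no PEM certificate found in $cadir" >&2
        return 1
    fi
    if [ "$DRY_RUN" = 1 ]; then
        printf 'SSL_CERT_DIR=%s zot serve %s\n' "$cadir" "$cfg"
    else
        SSL_CERT_DIR="$cadir" exec zot serve "$cfg"
    fi
}

case "${1:-}" in
    mirror) mirror_cmds "${2:-zot.internal:5000}" "${3:-https}" ;;
    config) render_zot_config "${2:-zot.internal:5000}" /etc/zot/server.crt /etc/zot/server.key ;;
    serve)  run_zot "${2:-/etc/zot/ca}" "${3:-/etc/zot/config.json}" ;;
    *) ;;
esac
```

Run it as `sh mirror.sh mirror zot.internal:5000 http | sh` on a host with internet access and skopeo, `sh mirror.sh config zot.internal:5000 > /etc/zot/config.json` to write the config, and `DRY_RUN=0 sh mirror.sh serve /etc/zot/ca /etc/zot/config.json` to start zot. Two caveats: skopeo must be recent enough to copy artifacts whose config media type is not an image config, and on Linux the Go runtime replaces its default certificate directories with SSL_CERT_DIR (the default bundle files are still read), so any other CA zot must trust should be copied into that directory too.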
Is your feature request related to a problem? Please describe.
I have a zot registry without internet connectivity, but I would like the CVE database scan.
Describe the solution you'd like
Add an option in the config file to allow specifying a custom URL for the download of the database.
Describe alternatives you've considered
No response
Additional context
No response