project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0

[Feat]: allow configuration of trivy database url for download #2298

Open trefzer opened 7 months ago

trefzer commented 7 months ago

Is your feature request related to a problem? Please describe.

I have a zot registry without internet connectivity, but I would like the CVE database scan.

Describe the solution you'd like

Add an option in the config file to allow specifying a custom URL for the download of the database.

Describe alternatives you've considered

No response

Additional context

No response

rchincha commented 7 months ago

@trefzer I suppose this is for an air-gapped use case. However, note that CVEs are a moving target, so how does this DB get updated in the first place?

trefzer commented 7 months ago

DB updates go through an internal URL (either a proxy or a cron job which does the download regularly). As far as I see, the URL is already a constant in the code, but I did not find a way to change it in the config.

andaaron commented 7 months ago

Hi @trefzer, it is not hardcoded/constant, we already have this configuration option, but we did not advertise it.

For example, if you want to use a custom URL for the trivy-db and the default value for the Java vulnerability DB (which are different artifacts):

        "search": {
            "enable": true,
            "cve": {
                "updateInterval": "2h",
                "trivy": {"javadbrepository": "", "dbrepository": "ghcr.io/project-zot/trivy-db"}
            }
        },

Note these DBs are actually artifacts which trivy downloads internally using an oras library. The default trivy DB is ghcr.io/aquasecurity/trivy-db, pointing to https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db, and the default trivy Java DB is ghcr.io/aquasecurity/trivy-java-db, pointing to https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-java-db

trefzer commented 7 months ago

@andaaron thanks for the fast answer, oh great, or even better! Like this I can use my usual container update script (e.g. skopeo) to update the DB in the local zot and point the DBs to the localhost zot ;) The only problem I have now is that it tries to use https, and currently my zot is only http. Do I have to use https, or is it possible to switch to http? Can a username/password be specified for the download? (Currently not needed, but would be nice.)

andaaron commented 7 months ago

Hi @trefzer, theoretically the http/https switch and credentials could be tweaked by setting them in this object: https://github.com/project-zot/zot/blob/main/pkg/extensions/search/cve/trivy/scanner.go#L551.

Would you like to give it a shot and provide a PR to add those configuration options and pass them to the trivy library? The credentials should be saved separately in another configuration file, and the path to that file should be included in the zot config.

fsdrw08 commented 5 months ago

> Hi @trefzer, theoretically the http/https switch and credentials could be tweaked by setting them in this object: https://github.com/project-zot/zot/blob/main/pkg/extensions/search/cve/trivy/scanner.go#L551.
>
> Would you like to give it a shot and provide a PR to add those configuration options and pass them to the trivy library? The credentials should be saved separately in another configuration file, and the path to that file should be included in the zot config.

I am running zot with an https cert. I would like to choose the solution described in https://github.com/project-zot/zot/issues/2298#issuecomment-1978548624: upload the trivy DB into zot itself as an OCI artifact, then let zot itself download it. May I know how to make zot trust the self-signed cert?

According to the description in Mutual TLS authentication, it seems that the cacert attribute will also enable mTLS, but I don't want mTLS; I just need zot to trust the cert itself to download that OCI artifact.

OK, I got it. Regarding the func IsMTLSAuthEnabled, it seems mTLS is the last option for the auth method, and I enabled LDAP auth, so mTLS auth will be disabled here: https://github.com/project-zot/zot/blob/main/pkg/api/controller.go#L188-L192

fsdrw08 commented 5 months ago

But I still failed to download the self-hosted trivy-db; it shows

 tls: failed to verify certificate: x509: certificate signed by unknown authority\n\n"

Update: OK, I understand that we can set an env var SSL_CERT_DIR to make trivy trust the root CA under that env var's dir: https://github.com/aquasecurity/trivy/issues/4169
I also needed to set http.accessControl.repositories.**.anonymousPolicy to read in the config.json.
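A full config.json pulling together the pieces discussed in this thread, as an added example (not a config from the zot project or from anyone in the thread): the trivy DB repositories point at zot's own mirrored copies, and anonymous read is granted only to those two repositories rather than to `**`, so the rest of the registry keeps its normal access policy. The hostname registry.internal.example, the repository names, the user, the distSpecVersion and all file paths are assumptions.

```json
{
  "distSpecVersion": "1.1.0",
  "storage": {
    "rootDirectory": "/var/lib/zot"
  },
  "http": {
    "address": "0.0.0.0",
    "port": "5000",
    "tls": {
      "cert": "/etc/zot/tls/server.crt",
      "key": "/etc/zot/tls/server.key"
    },
    "auth": {
      "htpasswd": {
        "path": "/etc/zot/htpasswd"
      }
    },
    "accessControl": {
      "repositories": {
        "mirrors/trivy-db": {
          "anonymousPolicy": ["read"]
        },
        "mirrors/trivy-java-db": {
          "anonymousPolicy": ["read"]
        },
        "**": {
          "policies": [
            {
              "users": ["mirror-bot"],
              "actions": ["read", "create", "update", "delete"]
            }
          ],
          "defaultPolicy": [],
          "anonymousPolicy": []
        }
      }
    }
  },
  "extensions": {
    "search": {
      "enable": true,
      "cve": {
        "updateInterval": "2h",
        "trivy": {
          "dbRepository": "registry.internal.example:5000/mirrors/trivy-db",
          "javaDBRepository": "registry.internal.example:5000/mirrors/trivy-java-db"
        }
      }
    }
  }
}
```

The `mirror-bot` user is the account the external update job (e.g. skopeo) authenticates with when it pushes the two DB artifacts; because trivy fetches them back over TLS, the CA that issued server.crt must also be present in the directory named by SSL_CERT_DIR in zot's environment, as noted above.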