feat: Update registry fallbacks (#7679)

Co-authored-by: DmitriyLewen <dmitriy.lewen@smartforce.io>
This commit is contained in:
simar7
2024-11-18 01:48:58 -07:00
committed by GitHub
parent 07915da481
commit 5ba9a83a44
15 changed files with 62 additions and 22 deletions


@@ -92,6 +92,19 @@ You can reference the OCI manifest of [trivy-db].
`trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`. `trivy-db-registry:latest` => `trivy-db-registry:latest`, but `trivy-db-registry` => `trivy-db-registry:2`.
### Rate limits
Trivy hosts its databases on public OCI registries that are subject to their respective rate limits. While we strive to make the databases available to every
Trivy user, there are certain recommendations that one can make in order to ensure rate limits are not hit.
#### Authenticated use of Registries
By authenticating with the registries that Trivy hosts its DBs on can significantly increase the limit for users. For Amazon ECR, the details for rate limits can be found [ecr-limits].
Please see more info on how to authenticate with ECR [auth-ecr].
#### Caching DBs
Trivy DB and Trivy Java DB are published every 6 hours and 24 hours, respectively. If you are running Trivy scans more often than this, you can significantly benefit from caching the DBs on each run and updating them as needed.
Once example of this can be seen in Trivy Action, where with caching multiple CI invocations can be performed with a single download of the DBs. More on info Trivy Action caching can be found [trivy-action-cache].
## Java Index Database ## Java Index Database
The same options are also available for the Java index DB, which is used for scanning Java applications. The same options are also available for the Java index DB, which is used for scanning Java applications.
Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB. Skipping an update can be done by using the `--skip-java-db-update` option, while `--download-java-db-only` can be used to only download the Java index DB.
@@ -123,4 +136,7 @@ $ trivy clean --vuln-db --java-db
``` ```
[trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db [trivy-db]: https://github.com/aquasecurity/trivy-db/pkgs/container/trivy-db
[trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db [trivy-java-db]: https://github.com/aquasecurity/trivy-java-db/pkgs/container/trivy-java-db
[ecr-limits]: https://docs.aws.amazon.com/AmazonECR/latest/public/public-service-quotas.html
[auth-ecr]: https://aws.amazon.com/blogs/compute/authenticating-amazon-ecr-repositories-for-docker-cli-with-credential-helper/
[trivy-action-cache]: https://github.com/aquasecurity/trivy-action?tab=readme-ov-file#cache


@@ -29,7 +29,7 @@ trivy filesystem [flags] PATH
--config-data strings specify paths from which data for the Rego checks will be recursively loaded --config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode --custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy filesystem [flags] PATH
--include-deprecated-checks include deprecated checks --include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig' --include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9) --license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files --license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability


@@ -43,7 +43,7 @@ trivy image [flags] IMAGE_NAME
--config-data strings specify paths from which data for the Rego checks will be recursively loaded --config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode --custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
@@ -74,7 +74,7 @@ trivy image [flags] IMAGE_NAME
--include-deprecated-checks include deprecated checks --include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig' --include-non-failures include successes, available with '--scanners misconfig'
--input string input file path instead of image name --input string input file path instead of image name
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9) --license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files --license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability


@@ -38,7 +38,7 @@ trivy kubernetes [flags] [CONTEXT]
--config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files --config-check strings specify the paths to the Rego check files or to the directories containing them, applying config files
--config-data strings specify paths from which data for the Rego checks will be recursively loaded --config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
@@ -70,7 +70,7 @@ trivy kubernetes [flags] [CONTEXT]
--include-kinds strings indicate the kinds included in scanning (example: node) --include-kinds strings indicate the kinds included in scanning (example: node)
--include-namespaces strings indicate the namespaces included in scanning (example: kube-system) --include-namespaces strings indicate the namespaces included in scanning (example: kube-system)
--include-non-failures include successes, available with '--scanners misconfig' --include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0) --k8s-version string specify k8s version to validate outdated api by it (example: 1.21.0)
--kubeconfig string specify the kubeconfig file path to use --kubeconfig string specify the kubeconfig file path to use
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability


@@ -29,7 +29,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--config-data strings specify paths from which data for the Rego checks will be recursively loaded --config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode --custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
@@ -56,7 +56,7 @@ trivy repository [flags] (REPO_PATH | REPO_URL)
--include-deprecated-checks include deprecated checks --include-deprecated-checks include deprecated checks
--include-dev-deps include development dependencies in the report (supported: npm, yarn) --include-dev-deps include development dependencies in the report (supported: npm, yarn)
--include-non-failures include successes, available with '--scanners misconfig' --include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9) --license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files --license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability


@@ -31,7 +31,7 @@ trivy rootfs [flags] ROOTDIR
--config-data strings specify paths from which data for the Rego checks will be recursively loaded --config-data strings specify paths from which data for the Rego checks will be recursively loaded
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode --custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
@@ -58,7 +58,7 @@ trivy rootfs [flags] ROOTDIR
--ignorefile string specify .trivyignore file (default ".trivyignore") --ignorefile string specify .trivyignore file (default ".trivyignore")
--include-deprecated-checks include deprecated checks --include-deprecated-checks include deprecated checks
--include-non-failures include successes, available with '--scanners misconfig' --include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--license-confidence-level float specify license classifier's confidence level (default 0.9) --license-confidence-level float specify license classifier's confidence level (default 0.9)
--license-full eagerly look for licenses in source code headers and license files --license-full eagerly look for licenses in source code headers and license files
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability


@@ -24,7 +24,7 @@ trivy sbom [flags] SBOM_PATH
--cache-ttl duration cache TTL when using redis as cache backend --cache-ttl duration cache TTL when using redis as cache backend
--compliance string compliance report to generate --compliance string compliance report to generate
--custom-headers strings custom headers in client mode --custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
- "comprehensive": Aims to detect more security findings at the cost of potential false positives. - "comprehensive": Aims to detect more security findings at the cost of potential false positives.
@@ -41,7 +41,7 @@ trivy sbom [flags] SBOM_PATH
--ignore-unfixed display only fixed vulnerabilities --ignore-unfixed display only fixed vulnerabilities
--ignored-licenses strings specify a list of license to ignore --ignored-licenses strings specify a list of license to ignore
--ignorefile string specify .trivyignore file (default ".trivyignore") --ignorefile string specify .trivyignore file (default ".trivyignore")
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability
--no-progress suppress progress bar --no-progress suppress progress bar
--offline-scan do not issue API requests to identify dependencies --offline-scan do not issue API requests to identify dependencies


@@ -22,7 +22,7 @@ trivy server [flags]
``` ```
--cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs") --cache-backend string [EXPERIMENTAL] cache backend (e.g. redis://localhost:6379) (default "fs")
--cache-ttl duration cache TTL when using redis as cache backend --cache-ttl duration cache TTL when using redis as cache backend
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--download-db-only download/update vulnerability database but don't run a scan --download-db-only download/update vulnerability database but don't run a scan
--enable-modules strings [EXPERIMENTAL] module names to enable --enable-modules strings [EXPERIMENTAL] module names to enable
-h, --help help for server -h, --help help for server


@@ -27,7 +27,7 @@ trivy vm [flags] VM_IMAGE
--compliance string compliance report to generate --compliance string compliance report to generate
--config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking --config-file-schemas strings specify paths to JSON configuration file schemas to determine that a file matches some configuration and pass the schema to Rego checks for type checking
--custom-headers strings custom headers in client mode --custom-headers strings custom headers in client mode
--db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [ghcr.io/aquasecurity/trivy-db:2]) --db-repository strings OCI repository(ies) to retrieve trivy-db in order of priority (default [mirror.gcr.io/aquasec/trivy-db:2,ghcr.io/aquasecurity/trivy-db:2])
--dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages --dependency-tree [EXPERIMENTAL] show dependency origin tree of vulnerable packages
--detection-priority string specify the detection priority: --detection-priority string specify the detection priority:
- "precise": Prioritizes precise by minimizing false positives. - "precise": Prioritizes precise by minimizing false positives.
@@ -52,7 +52,7 @@ trivy vm [flags] VM_IMAGE
--ignore-unfixed display only fixed vulnerabilities --ignore-unfixed display only fixed vulnerabilities
--ignorefile string specify .trivyignore file (default ".trivyignore") --ignorefile string specify .trivyignore file (default ".trivyignore")
--include-non-failures include successes, available with '--scanners misconfig' --include-non-failures include successes, available with '--scanners misconfig'
--java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [ghcr.io/aquasecurity/trivy-java-db:1]) --java-db-repository strings OCI repository(ies) to retrieve trivy-java-db in order of priority (default [mirror.gcr.io/aquasec/trivy-java-db:1,ghcr.io/aquasecurity/trivy-java-db:1])
--list-all-pkgs output all packages in the JSON report regardless of vulnerability --list-all-pkgs output all packages in the JSON report regardless of vulnerability
--misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot]) --misconfig-scanners strings comma-separated list of misconfig scanners to use for misconfiguration scanning (default [azure-arm,cloudformation,dockerfile,helm,kubernetes,terraform,terraformplan-json,terraformplan-snapshot])
--module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules") --module-dir string specify directory to the wasm modules that will be loaded (default "$HOME/.trivy/modules")


@@ -105,6 +105,7 @@ db:
# Same as '--java-db-repository' # Same as '--java-db-repository'
java-repository: java-repository:
- mirror.gcr.io/aquasec/trivy-java-db:1
- ghcr.io/aquasecurity/trivy-java-db:1 - ghcr.io/aquasecurity/trivy-java-db:1
# Same as '--skip-java-db-update' # Same as '--skip-java-db-update'
@@ -115,6 +116,7 @@ db:
# Same as '--db-repository' # Same as '--db-repository'
repository: repository:
- mirror.gcr.io/aquasec/trivy-db:2
- ghcr.io/aquasecurity/trivy-db:2 - ghcr.io/aquasecurity/trivy-db:2
# Same as '--skip-db-update' # Same as '--skip-db-update'


@@ -29,6 +29,10 @@ var (
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-db", db.SchemaVersion) DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-db", db.SchemaVersion)
defaultGHCRRepository = lo.Must(name.NewTag(DefaultGHCRRepository)) defaultGHCRRepository = lo.Must(name.NewTag(DefaultGHCRRepository))
// GCR mirror
DefaultGCRRepository = fmt.Sprintf("%s:%d", "mirror.gcr.io/aquasec/trivy-db", db.SchemaVersion)
defaultGCRRepository = lo.Must(name.NewTag(DefaultGCRRepository))
Init = db.Init Init = db.Init
Close = db.Close Close = db.Close
Path = db.Path Path = db.Path
@@ -73,6 +77,7 @@ func Dir(cacheDir string) string {
func NewClient(dbDir string, quiet bool, opts ...Option) *Client { func NewClient(dbDir string, quiet bool, opts ...Option) *Client {
o := &options{ o := &options{
dbRepositories: []name.Reference{ dbRepositories: []name.Reference{
defaultGCRRepository,
defaultGHCRRepository, defaultGHCRRepository,
}, },
} }
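Review bot: The new first-priority default at L201 and L210 makes DB retrieval go to a registry under a Google-operated domain before aquasecurity's own GHCR, and nothing in this hunk shows the pulled artifact being pinned by digest or checked against a signature, so the mirror's resolution of the `:<schema>` tag is now trusted exactly as much as the origin's. If mirror.gcr.io is a pull-through cache, as the name suggests, it can also succeed while serving an older DB than GHCR, in which case the GHCR fallback never triggers and scans quietly run on stale vulnerability data; that lag should be documented or the mirror's manifest age compared with the origin's. The comment on the exported var at L200 should also name the identifier per Go convention, e.g. `// DefaultGCRRepository is the mirror.gcr.io copy of trivy-db, tried before DefaultGHCRRepository; it is served by a different operator than GHCR.` The body of NewClient continues past the end of the hunk.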


@@ -28,7 +28,15 @@ const gcrURLSuffix = ".gcr.io"
// Google artifact registry // Google artifact registry
const garURLSuffix = "-docker.pkg.dev" const garURLSuffix = "-docker.pkg.dev"
// Google mirror registry
const gmrURLDomain = "mirror.gcr.io"
func (g *Registry) CheckOptions(domain string, option types.RegistryOptions) (intf.RegistryClient, error) { func (g *Registry) CheckOptions(domain string, option types.RegistryOptions) (intf.RegistryClient, error) {
// We assume there is no chance that `mirror.gcr.io` will require authentication.
// So we need to skip `mirror.gcr.io` to avoid errors confusing users when downloading DB's.
if domain == gmrURLDomain {
return nil, xerrors.Errorf("mirror.gcr.io doesn't require authentication")
}
if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) { if domain != gcrURLDomain && !strings.HasSuffix(domain, gcrURLSuffix) && !strings.HasSuffix(domain, garURLSuffix) {
return nil, xerrors.Errorf("Google registry: %w", types.InvalidURLPattern) return nil, xerrors.Errorf("Google registry: %w", types.InvalidURLPattern)
} }
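Review bot: The guard added at L225-L227 returns a plain error for mirror.gcr.io, while the existing non-Google early return directly below wraps `types.InvalidURLPattern`; if the caller distinguishes "not my registry, try the next provider" from a real credential failure with `errors.Is` on that sentinel (not visible here), the mirror would be reported as a failure instead of skipped, which is the confusion the comment says it wants to avoid. Consider `return nil, xerrors.Errorf("mirror.gcr.io doesn't require authentication: %w", types.InvalidURLPattern)` so both early returns are classified the same way. The exact `domain == gmrURLDomain` comparison also lets a variant such as `mirror.gcr.io:443` fall through to the `.gcr.io` suffix check and attempt Google authentication; unless the caller normalises the host first, compare the host part (e.g. via `strings.Cut(domain, ":")`) rather than the raw string. The body of CheckOptions continues past the end of the hunk.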


@@ -53,13 +53,13 @@ var (
DBRepositoryFlag = Flag[[]string]{ DBRepositoryFlag = Flag[[]string]{
Name: "db-repository", Name: "db-repository",
ConfigName: "db.repository", ConfigName: "db.repository",
Default: []string{db.DefaultGHCRRepository}, Default: []string{db.DefaultGCRRepository, db.DefaultGHCRRepository},
Usage: "OCI repository(ies) to retrieve trivy-db in order of priority", Usage: "OCI repository(ies) to retrieve trivy-db in order of priority",
} }
JavaDBRepositoryFlag = Flag[[]string]{ JavaDBRepositoryFlag = Flag[[]string]{
Name: "java-db-repository", Name: "java-db-repository",
ConfigName: "db.java-repository", ConfigName: "db.java-repository",
Default: []string{javadb.DefaultGHCRRepository}, Default: []string{javadb.DefaultGCRRepository, javadb.DefaultGHCRRepository},
Usage: "OCI repository(ies) to retrieve trivy-java-db in order of priority", Usage: "OCI repository(ies) to retrieve trivy-java-db in order of priority",
} }
LightFlag = Flag[bool]{ LightFlag = Flag[bool]{


@@ -66,10 +66,16 @@ func TestDBFlagGroup_ToOptions(t *testing.T) {
{ {
name: "multiple repos", name: "multiple repos",
fields: fields{ fields: fields{
SkipDBUpdate: true, SkipDBUpdate: true,
DownloadDBOnly: false, DownloadDBOnly: false,
DBRepository: []string{"ghcr.io/aquasecurity/trivy-db:2", "gallery.ecr.aws/aquasecurity/trivy-db:2"}, DBRepository: []string{
JavaDBRepository: []string{"ghcr.io/aquasecurity/trivy-java-db:1", "gallery.ecr.aws/aquasecurity/trivy-java-db:1"}, "mirror.gcr.io/aquasec/trivy-db:2",
"ghcr.io/aquasecurity/trivy-db:2",
},
JavaDBRepository: []string{
"mirror.gcr.io/aquasec/trivy-java-db:1",
"ghcr.io/aquasecurity/trivy-java-db:1",
},
}, },
want: flag.DBOptions{ want: flag.DBOptions{
SkipDBUpdate: true, SkipDBUpdate: true,
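Review bot: The "multiple repos" case at L257-L264 now feeds the exact default list into the fields, so it no longer demonstrates that a user-supplied, non-default registry (the old `gallery.ecr.aws/...` entries) is passed through unchanged, and a regression that silently fell back to the defaults would still pass. Keep at least one non-default entry, e.g. `"gallery.ecr.aws/aquasecurity/trivy-db:2"` next to the mirror, so the expected values can only come from the supplied input. The `want` block continues past the end of the hunk, so I cannot see what it asserts.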


@@ -29,6 +29,9 @@ const (
var ( var (
// GitHub Container Registry // GitHub Container Registry
DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-java-db", SchemaVersion) DefaultGHCRRepository = fmt.Sprintf("%s:%d", "ghcr.io/aquasecurity/trivy-java-db", SchemaVersion)
// GCR mirrors
DefaultGCRRepository = fmt.Sprintf("%s:%d", "mirror.gcr.io/aquasec/trivy-java-db", SchemaVersion)
) )
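Review bot: The comment at L275 says "GCR mirrors" in the plural for a single value and does not name the exported identifier; Go doc convention expects something like `// DefaultGCRRepository is the mirror.gcr.io copy of trivy-java-db, tried before DefaultGHCRRepository.` Unlike the pkg/db change in this commit, no parsed `name.Reference` counterpart is added here, which is fine if this package only consumes the string, but it is worth confirming the consumer parses it the same way it parses DefaultGHCRRepository. The same freshness caveat as for trivy-db applies: if the mirror lags the origin, the 24-hour Java DB publish cadence mentioned in the docs can be missed without any error surfacing.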
var updater *Updater var updater *Updater