fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956 )

fix(misconf): update BurntSushi/toml for fix runtime error (#1948 )
fix(misconf): Update fanal/defsec to resolve missing metadata issues (#1947 )
2025-12-20 22:33:53 -08:00 · 2022-04-06 08:51:45 +03:00 · 2022-04-05 21:13:33 +03:00 · 2022-04-05 20:40:04 +03:00 · 2022-04-05 19:02:39 +03:00 · 2022-04-05 16:36:51 +03:00
7 changed files with 57 additions and 30 deletions
--- a/.github/workflows/publish-chart.yaml
+++ b/.github/workflows/publish-chart.yaml
@@ -23,11 +23,11 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v3 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install Helm
-        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab #v1.1
+        uses: azure/setup-helm@18bc76811624f360dbd7f18c2d4ecb32c7b87bab
        with:
          version: v3.5.0
      - name: Set up python
@@ -36,9 +36,9 @@ jobs:
          python-version: 3.7
      - name: Setup Chart Linting
        id: lint
-        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a #v2.1.0
+        uses: helm/chart-testing-action@dae259e86a35ff09145c0805e2d7dd3f7207064a
      - name: Setup Kubernetes cluster (KIND)
-        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478 #v1.2.0
+        uses: helm/kind-action@94729529f85113b88f4f819c17ce61382e6d8478
        with:
          version: ${{ env.KIND_VERSION }}
          image: ${{ env.KIND_IMAGE }}
@@ -56,7 +56,7 @@ jobs:
    runs-on: ubuntu-20.04
    steps:
      - name: Checkout
-        uses: actions/checkout@v3 #v2.4.0
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579
        with:
          fetch-depth: 0
      - name: Install chart-releaser
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -21,7 +21,7 @@ jobs:
        run: |
          sudo apt-get -y update
          sudo apt-get -y install rpm reprepro createrepo distro-info
-      - uses: sigstore/cosign-installer@581838fbedd492d2350a9ecd427a95d6de1e5d01 # pin@v2.0.0
+      - uses: sigstore/cosign-installer@51f8e5c6fce54e46006ae97d73b2b6315f518752
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
--- a/docs/docs/references/troubleshooting.md
+++ b/docs/docs/references/troubleshooting.md
@@ -39,7 +39,7 @@ https://developer.github.com/v3/#rate-limiting
 $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
 ```

-### Maven rate limiting
+### Maven rate limiting / inconsistent jar vulnerability reporting

 !!! error
    ``` bash
@@ -49,14 +49,41 @@ $ GITHUB_TOKEN=XXXXXXXXXX trivy alpine:3.10
    ```

 Trivy calls Maven API for better detection of JAR files, but many requests may exceed rate limiting.
-If it happens frequently, try the `--offline-scan` option to stop Trivy from making API requests.
+This can easily happen if you are running more than one instance of Trivy which is concurrently scanning multiple images.
+Once this starts happening Trivy's vulnerability reporting on jar files may become inconsistent.
+There are two options to resolve this issue:
+
+The first is to enable offline scanning using the `--offline-scan` option to stop Trivy from making API requests.
 This option affects only vulnerability scanning. The vulnerability database and builtin policies are downloaded as usual.
 If you want to skip them as well, you can try `--skip-update` and `--skip-policy-update`.
+**Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.**
+
+The second, more scalable, option is the place Trivy behind a rate-limiting forward-proxy to the Maven Central API.
+One way to achieve this is to use nginx. You can use the following nginx config to enable both rate-limiting and caching (the caching greatly reduces the number of calls to the Maven Central API, especially if you are scanning a lot of similar images):
+
+```nginx
+limit_req_zone global zone=maven:1m rate=10r/s;
+proxy_cache_path /tmp/cache keys_zone=mavencache:10m;
+
+server {
+  listen 80;
+  proxy_cache mavencache;
+
+  location / {
+    limit_req zone=maven burst=1000;
+    proxy_cache_valid any 1h;
+    proxy_pass https://search.maven.org:443;
+  }
+}
+```
+
+This config file will allow a maximum of 10 requests per second to the Maven API, this number was determined experimentally so you might want to use something else if it doesn't fit your needs.
+
+Once nginx is up and running, you need to tell all your Trivy deployments to proxy their Maven API calls through nginx. You can do this by setting the `MAVEN_CENTRAL_URL` environment variable. For example, if your nginx proxy is running at `127.0.0.1`, you can set `MAVEN_CENTRAL_URL=http://127.0.0.1/solrsearch/select`.

-Note that a number of vulnerabilities might be fewer than without the `--offline-scan` option.

 ### Running in parallel takes same time as series run
-When running trivy on multiple images simultaneously, it will take same time as running trivy in series.  
+When running trivy on multiple images simultaneously, it will take same time as running trivy in series.
 This is because of a limitation of boltdb.
 > Bolt obtains a file lock on the data file so multiple processes cannot open the same database at the same time. Opening an already open Bolt database will cause it to hang until the other process closes it.

@@ -130,4 +157,4 @@ Try again with `--reset` option:
 $ trivy image --reset
 ```

-[air-gapped]: ../how-to-guides/air-gap.md
+[air-gapped]: ../how-to-guides/air-gap.md
--- a/go.mod
+++ b/go.mod
@@ -7,8 +7,8 @@ require (
 	github.com/Masterminds/sprig/v3 v3.2.2
 	github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46
 	github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986
-	github.com/aquasecurity/fanal v0.0.0-20220404155252-996e81f58b02
-	github.com/aquasecurity/go-dep-parser v0.0.0-20220302151315-ff6d77c26988
+	github.com/aquasecurity/fanal v0.0.0-20220405131907-55a9aabfbe72
+	github.com/aquasecurity/go-dep-parser v0.0.0-20220404084355-b8c54558919c
 	github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce
 	github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798
 	github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46
@@ -51,7 +51,7 @@ require (
 require (
 	cloud.google.com/go v0.99.0 // indirect
 	cloud.google.com/go/storage v1.14.0 // indirect
-	github.com/Azure/azure-sdk-for-go v62.0.0+incompatible // indirect
+	github.com/Azure/azure-sdk-for-go v63.0.0+incompatible // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 // indirect
 	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
 	github.com/Azure/go-autorest/autorest v0.11.25 // indirect
@@ -61,7 +61,7 @@ require (
 	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
 	github.com/Azure/go-autorest/logger v0.2.1 // indirect
 	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
-	github.com/BurntSushi/toml v1.0.0 // indirect
+	github.com/BurntSushi/toml v1.1.0 // indirect
 	github.com/GoogleCloudPlatform/docker-credential-gcr v2.0.5+incompatible // indirect
 	github.com/Masterminds/goutils v1.1.1 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
@@ -75,7 +75,7 @@ require (
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-cidr v1.1.0 // indirect
 	github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
-	github.com/aquasecurity/defsec v0.28.3 // indirect
+	github.com/aquasecurity/defsec v0.28.4 // indirect
 	github.com/aquasecurity/tfsec v1.8.0 // indirect
 	github.com/aws/aws-sdk-go v1.43.31 // indirect
 	github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
--- a/go.sum
+++ b/go.sum
@@ -78,8 +78,8 @@ github.com/Azure/azure-sdk-for-go v30.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo
 github.com/Azure/azure-sdk-for-go v35.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v38.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-sdk-for-go v42.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
-github.com/Azure/azure-sdk-for-go v62.0.0+incompatible h1:8N2k27SYtc12qj5nTsuFMFJPZn5CGmgMWqTy4y9I7Jw=
-github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/azure-sdk-for-go v63.0.0+incompatible h1:whPsa+jCHQSo5wGMPNLw4bz8q9Co2+vnXHzXGctoTaQ=
+github.com/Azure/azure-sdk-for-go v63.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
 github.com/Azure/azure-service-bus-go v0.9.1/go.mod h1:yzBx6/BUGfjfeqbRZny9AQIbIe3AcV9WZbAdpkoXOa0=
 github.com/Azure/azure-storage-blob-go v0.8.0/go.mod h1:lPI3aLPpuLTeUwh1sViKXFxwl2B6teiRqI0deQUvsw0=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78 h1:w+iIsaOQNcT7OZ575w+acHgRric5iCyQh+xv+KJ4HB8=
@@ -136,9 +136,8 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt
 github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
 github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/BurntSushi/toml v0.4.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
-github.com/BurntSushi/toml v1.0.0 h1:dtDWrepsVPfW9H/4y7dDgFc2MBUSeJhlaDtK13CxFlU=
-github.com/BurntSushi/toml v1.0.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
+github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
+github.com/BurntSushi/toml v1.1.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
 github.com/CycloneDX/cyclonedx-go v0.5.0 h1:RWCnu2OrWUTF5C9DA3L0qVziUD2HlxSUWcL2OXlxfqE=
 github.com/CycloneDX/cyclonedx-go v0.5.0/go.mod h1:nQXAzrejxO39b14JFz2SvsUElegYfwBDowIzqjdUMk4=
@@ -236,12 +235,12 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986 h1:2a30xLN2sUZcMXl50hg+PJCIDdJgIvIbVcKqLJ/ZrtM=
 github.com/aquasecurity/bolt-fixtures v0.0.0-20200903104109-d34e7f983986/go.mod h1:NT+jyeCzXk6vXR5MTkdn4z64TgGfE5HMLC8qfj5unl8=
-github.com/aquasecurity/defsec v0.28.3 h1:OKHgRDIUEVCMPUuCJR3V2FmEe/f9gadjUCBcUXjlNJY=
-github.com/aquasecurity/defsec v0.28.3/go.mod h1:vUdThwusBM7y1gJ7CVX3+h3bsPvpmOIEp3NEdzTDkhA=
-github.com/aquasecurity/fanal v0.0.0-20220404155252-996e81f58b02 h1:Ptpnq9BA0kkFeHtIRmRiiq7SwGzX90ZZodw707cAskM=
-github.com/aquasecurity/fanal v0.0.0-20220404155252-996e81f58b02/go.mod h1:1hHGpqNoLX+qV9S4Tdjh3ivHhojHo2WZiOfAuEmUmfQ=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220302151315-ff6d77c26988 h1:Hd6q0/VF/bC/MT1K/63W2u5ChRIy6cPSQk0YbJ3Vcb8=
-github.com/aquasecurity/go-dep-parser v0.0.0-20220302151315-ff6d77c26988/go.mod h1:XxIz2s4UymZBcg9WwAc2km77lFt9rVE/LmKJe2YVOtY=
+github.com/aquasecurity/defsec v0.28.4 h1:O0ukf2uMEqRRX3EHfu+9J0EyD39v50NDjwtf96nES8E=
+github.com/aquasecurity/defsec v0.28.4/go.mod h1:vUdThwusBM7y1gJ7CVX3+h3bsPvpmOIEp3NEdzTDkhA=
+github.com/aquasecurity/fanal v0.0.0-20220405131907-55a9aabfbe72 h1:l3SfWKUQfVjk1CgalJk72VZXj/qKFRpl7ocJ886Kxnc=
+github.com/aquasecurity/fanal v0.0.0-20220405131907-55a9aabfbe72/go.mod h1:U6GYthD79clhp00Eqys2wOG+NgVbDi1/gVCQp1x7DM8=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220404084355-b8c54558919c h1:NGIklGx3comWl9rdrDtIWCPBrX9fIOR1bo3aBJfY6ps=
+github.com/aquasecurity/go-dep-parser v0.0.0-20220404084355-b8c54558919c/go.mod h1:Tgqzk/cfFdjQTsz711GlFe8ugnTKKEwrsnL8DY0f4kA=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce h1:QgBRgJvtEOBtUXilDb1MLi1p1MWoyFDXAu5DEUl5nwM=
 github.com/aquasecurity/go-gem-version v0.0.0-20201115065557-8eed6fe000ce/go.mod h1:HXgVzOPvXhVGLJs4ZKO817idqr/xhwsTcj17CLYY74s=
 github.com/aquasecurity/go-npm-version v0.0.0-20201110091526-0b796d180798 h1:eveqE9ivrt30CJ7dOajOfBavhZ4zPqHcZe/4tKp0alc=
@@ -1604,7 +1603,6 @@ go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
 go.uber.org/zap v1.17.0/go.mod h1:MXVU+bhUf/A7Xi2HNOnopQOrmycQ5Ih87HtOu4q5SSo=
-go.uber.org/zap v1.20.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8=
 go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw=
 go4.org v0.0.0-20180809161055-417644f6feb5/go.mod h1:MkTOUMDaeVYJUOUsaDXIhWPZYa1yOyC1qaOBpL57BhE=
--- a/helm/trivy/Chart.yaml
+++ b/helm/trivy/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: trivy
-version: 0.4.12
-appVersion: 0.24.0
+version: 0.4.13
+appVersion: 0.25.0
 description: Trivy helm chart
 keywords:
  - scanner
--- a/pkg/commands/app.go
+++ b/pkg/commands/app.go
@@ -539,6 +539,7 @@ func NewRootfsCommand() *cli.Command {
 			&ignorePolicy,
 			&listAllPackages,
 			&offlineScan,
+			&dbRepositoryFlag,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 			stringSliceFlag(configPolicy),
@@ -582,6 +583,7 @@ func NewRepositoryCommand() *cli.Command {
 			&listAllPackages,
 			&offlineScan,
 			&insecureFlag,
+			&dbRepositoryFlag,
 			stringSliceFlag(skipFiles),
 			stringSliceFlag(skipDirs),
 		},
Author	SHA1	Message	Date
DmitriyLewen	d4e3df81e8	fix(downloadDB): add dbRepositoryFlag to repository and rootfs commands (#1956 )	2022-04-06 08:51:45 +03:00
afdesk	7e48cc1f4d	fix(misconf): update BurntSushi/toml for fix runtime error (#1948 )	2022-04-05 21:13:33 +03:00
Liam Galvin	c9efa8c479	fix(misconf): Update fanal/defsec to resolve missing metadata issues (#1947 ) Signed-off-by: Liam Galvin <liam.galvin@aquasec.com>	2022-04-05 20:40:04 +03:00
Kobus van Schoor	52b715421e	feat(jar): allow setting Maven Central URL using environment variable (#1939 ) * chore(deps): update fanal/go-dep-parser to allow setting maven central url * docs(troubleshooting): Add documentation for MAVEN_CENTRAL_URL option	2022-04-05 19:02:39 +03:00
Dennis Irsigler	21f7a41b27	chore(chart): update Trivy version in HelmChart to 0.25.0 (#1931 ) Signed-off-by: Dennis Irsigler <dennis.irsigler@metro-markets.de>	2022-04-05 16:36:51 +03:00
Teppei Fukuda	ff2b3d176d	chore(chart): remove version comments (#1933 ) Co-authored-by: Carol Valencia <8355621+krol3@users.noreply.github.com>	2022-04-05 16:22:19 +03:00