trivy
fix(cli): make java db repository configurable
Description
This implements an additional --java-db-repository option to allow users to specify a custom Java DB repository. This is useful for users who want to use a custom Java DB repository, such as a private repository mirror like Artifactory or other private registries. It will also print the Java DB repository - even if it's the default - to make it clear to the user which Java DB repository is being used.
I've updated the documentation to reflect this new option, as well as the existing tests for the JAR file scanner.
Before
Scanning an image containing JAR files will print the following:
$ trivy image tomcat:9.0.71-jdk8
2023-02-11T15:12:30.064+0100 INFO Need to update DB
2023-02-11T15:12:30.064+0100 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-02-11T15:12:30.064+0100 INFO Downloading DB...
...
2023-02-11T15:12:33.442+0100 INFO Vulnerability scanning is enabled
2023-02-11T15:12:33.442+0100 INFO Secret scanning is enabled
2023-02-11T15:12:33.442+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-11T15:12:33.442+0100 INFO Please see also https://aquasecurity.github.io/trivy/v0.37/docs/secret/scanning/#recommendation for faster secret detection
2023-02-11T15:12:37.627+0100 INFO JAR files found
2023-02-11T15:12:37.627+0100 INFO Downloading the Java DB...
...
After
Scanning the same image with a custom Java DB repository will print the following:
$ trivy image --java-db-repository ghcr.io/nobbs/trivy-java-db tomcat:9.0.71-jdk8
2023-02-11T15:10:16.681+0100 INFO Need to update DB
2023-02-11T15:10:16.682+0100 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-02-11T15:10:16.682+0100 INFO Downloading DB...
...
2023-02-11T15:10:19.858+0100 INFO Vulnerability scanning is enabled
2023-02-11T15:10:19.858+0100 INFO Secret scanning is enabled
2023-02-11T15:10:19.858+0100 INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2023-02-11T15:10:19.858+0100 INFO Please see also https://aquasecurity.github.io/trivy/dev/docs/secret/scanning/#recommendation for faster secret detection
2023-02-11T15:10:23.631+0100 INFO JAR files found
2023-02-11T15:10:23.632+0100 INFO Java DB Repository: ghcr.io/nobbs/trivy-java-db:1
2023-02-11T15:10:23.632+0100 INFO Downloading the Java DB...
...
The help text for scans supporting the --java-db-repository option will now print the following:
$ trivy image --help
...
DB Flags
--db-repository string OCI repository to retrieve trivy-db from (default "ghcr.io/aquasecurity/trivy-db")
--download-db-only download/update vulnerability database but don't run a scan
--download-java-db-only download/update Java index database but don't run a scan
--java-db-repository string OCI repository to retrieve trivy-java-db from (default "ghcr.io/aquasecurity/trivy-java-db")
--no-progress suppress progress bar
--reset remove all caches and database
--skip-db-update skip updating vulnerability database
--skip-java-db-update skip updating Java index database
...
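Because the repository is now a CLI flag, a CI job that drops or misspells it will quietly scan with the public default, and the new "Java DB Repository:" log line is what lets you notice. The following POSIX shell check is an added example, not code from the trivy project or this PR: it reads a scan's log lines, extracts the repository values that the scan prints, and fails when the Java DB did not come from the approved mirror prefix. The sample log is constructed from the "After" output above, the mirror prefix ghcr.io/nobbs/ is taken from the PR's own example, and the function names are assumptions.

```shell
# Added example, not code from the trivy project or this PR: confirm from a
# scan's log lines which DB repositories were actually used, so a CI job fails
# if a scan fell back to a public registry instead of the approved mirror.

# Constructed sample log, copied from the "After" output in the PR description.
SAMPLE_LOG='2023-02-11T15:10:16.682+0100 INFO DB Repository: ghcr.io/aquasecurity/trivy-db
2023-02-11T15:10:23.632+0100 INFO Java DB Repository: ghcr.io/nobbs/trivy-java-db:1'

# db_repo_from_log LABEL
# Reads log lines from stdin and prints the value following "INFO LABEL: "
# (LABEL is "DB Repository" or "Java DB Repository"); prints nothing if absent.
db_repo_from_log() {
    sed -n "s/^.* INFO $1: //p" | head -n 1
}

# repo_allowed REPO PREFIX
# Returns 0 when REPO starts with PREFIX (the host/namespace of the internal
# mirror), 1 otherwise. An empty REPO (line missing from the log) is never allowed.
repo_allowed() {
    [ -n "$1" ] || return 1
    case "$1" in
        "$2"*) return 0 ;;
        *)     return 1 ;;
    esac
}

# verify_java_db_repo PREFIX < logfile
# Returns 0 if the Java DB used by the scan came from PREFIX, 1 otherwise.
verify_java_db_repo() {
    repo=$(db_repo_from_log "Java DB Repository")
    if repo_allowed "$repo" "$1"; then
        echo "Java DB repository OK: $repo"
        return 0
    fi
    echo "Java DB repository '$repo' is not under '$1'" >&2
    return 1
}

# Stand-alone demonstration on the constructed log. In CI the same check would
# consume a real run (hypothetical invocation, matching the PR's example):
#   trivy image --java-db-repository ghcr.io/nobbs/trivy-java-db tomcat:9.0.71-jdk8 2>&1 \
#       | tee scan.log; verify_java_db_repo "ghcr.io/nobbs/" < scan.log
printf '%s\n' "$SAMPLE_LOG" | verify_java_db_repo "ghcr.io/nobbs/" || echo "check failed"
```

The prefix match deliberately stops at the namespace rather than the full repository name, so a mirror that tags its copies (the `:1` suffix in the log above) still passes, while any repository on another host fails. Extending the same check to the "DB Repository" line covers the vulnerability DB as well.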
Related issues
- Close #3545 (partially: this does not implement any authentication functionality mentioned in that issue).
Related PRs
None
Checklist
- [x] I've read the guidelines for contributing to this repository.
- [x] I've followed the conventions in the PR title.
- [x] I've added tests that prove my fix is effective or that my feature works.
- [x] I've updated the documentation with the relevant information (if needed).
- [x] I've added usage information (if the PR introduces new options)
- [x] I've included a "before" and "after" example to the description (if the PR is a user interface change).