CI: Update Trivy DB (#38397)

sagar-qa007 · web-flow · commit 8da8e454d54f · 2024-12-30T12:54:27.000+05:30
## Description Update trivy db download failure. Fixes # https://app.zenhub.com/workspaces/stability-pod-6690c4814e31602e25cab7fd/issues/gh/appsmithorg/appsmith/38398 Tested: https://github.com/appsmithorg/appsmith/actions/runs/12543112349 ## Automation /ok-to-test tags="" ### 🔍 Cypress test results  > [!CAUTION] > If you modify the content in this section, you are likely to disrupt the CI result for your PR.  ## Communication Should the DevRel and Marketing teams inform users about this change? - [ ] Yes - [x] No  ## Summary by CodeRabbit - **New Features** - Enhanced script to automatically download Trivy vulnerability database if not present - Added capability to create and manage temporary database download directory - **Chores** - Cleaned up script by removing unnecessary line
diff --git a/scripts/trivy_vulnerabilities_data.sh b/scripts/trivy_vulnerabilities_data.sh
@@ -71,14 +71,22 @@ case "$IMAGE" in
     *) product_name="UNKNOWN" ;;
 esac
 
+# Download Trivy DB if necessary
+if [ ! -d "$HOME/.cache/trivy/db" ]; then
+  echo "Trivy DB not found. Downloading..."
+  TRIVY_TEMP_DIR=$(mktemp -d)
+  trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+  tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+  rm -rf $TRIVY_TEMP_DIR
+fi
+
 # Run Trivy scan
 echo "Running Trivy scan for image: $IMAGE..."
 trivy image --db-repository public.ecr.aws/aquasecurity/trivy-db --java-db-repository public.ecr.aws/aquasecurity/trivy-java-db --insecure --format json "$IMAGE" > "trivy_vulnerabilities.json" || {
     echo "Error: Trivy scan failed for image: $IMAGE"
     exit 1
 }
 
-
 # Process vulnerabilities and generate CSV
 if jq -e '.Results | length > 0' "trivy_vulnerabilities.json" > /dev/null; then
     jq -r --arg product "$product_name" '.Results[]? | .Vulnerabilities[]? | "\(.VulnerabilityID),\($product),TRIVY,\(.Severity)"' "trivy_vulnerabilities.json" | sort -u > "$NEW_VULN_FILE"
