CI: Update Trivy DB

[sagar-qa007]

Description

Update trivy db download failure.

Fixes # https://app.zenhub.com/workspaces/stability-pod-6690c4814e31602e25cab7fd/issues/gh/appsmithorg/appsmith/38398

Tested: https://github.com/appsmithorg/appsmith/actions/runs/12543112349

Automation

/ok-to-test tags=""

🔍 Cypress test results

Caution

If you modify the content in this section, you are likely to disrupt the CI result for your PR.

Communication

Should the DevRel and Marketing teams inform users about this change?

• Yes
• No

Summary by CodeRabbit

• New Features

  • Enhanced script to automatically download Trivy vulnerability database if not present
  • Added capability to create and manage temporary database download directory

• Chores

  • Cleaned up script by removing unnecessary line

[coderabbitai]

Walkthrough

The pull request modifies the trivy_vulnerabilities_data.sh script to improve its database handling capabilities. The script now includes a mechanism to download the Trivy vulnerability database if it's not already present in the system. This enhancement ensures that the necessary database files are available for Trivy scanning operations by creating a temporary directory, downloading the database, and packaging it into a tarball before cleaning up.

Changes

File	Change Summary
scripts/trivy_vulnerabilities_data.sh	Added conditional database download logic for Trivy, creating a temp directory and downloading database if not existing

Possibly related PRs

• chore: New schema change for vulnerabilities test #37204: Modifies test-vulnerabilities-data.yml workflow, directly related to Trivy vulnerability data handling
• chore: Update for workflow name #37696: Updates test-vulnerabilities-data.yml workflow, focusing on vulnerability checks
• chore: Minor change for log in workflow #37346: Enhances test-vulnerabilities-data.yml workflow for Trivy vulnerability detection

Suggested labels

Bug, ok-to-test

Suggested reviewers

• sharat87
• ApekshaBhosale

Poem

🕵️ Trivy's database, once elusive and shy
Now downloads with grace, no need to sigh
A script so clever, it fetches with care
Vulnerability data beyond compare!
🔍 Security's dance, a digital delight

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f9664a3 and dada16f.

📒 Files selected for processing (1)

• scripts/trivy_vulnerabilities_data.sh (1 hunks)

[coderabbitai]

🛠️ Refactor suggestion

Add error handling and space verification for database download.

The database download logic looks good, but could benefit from additional safeguards.

Apply this diff to add error handling and space checks:

 # Download Trivy DB if necessary
 if [ ! -d "$HOME/.cache/trivy/db" ]; then
   echo "Trivy DB not found. Downloading..."
+  # Check for sufficient disk space (at least 500MB free)
+  free_space=$(df -m . | awk 'NR==2 {print $4}')
+  if [ "$free_space" -lt 500 ]; then
+    echo "Error: Insufficient disk space. Need at least 500MB free."
+    exit 1
+  fi
   TRIVY_TEMP_DIR=$(mktemp -d)
-  trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
+  if ! trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only; then
+    echo "Error: Failed to download Trivy database"
+    rm -rf "$TRIVY_TEMP_DIR"
+    exit 1
+  fi
-  tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
+  if ! tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db; then
+    echo "Error: Failed to create database archive"
+    rm -rf "$TRIVY_TEMP_DIR"
+    exit 1
+  fi
   rm -rf $TRIVY_TEMP_DIR
 fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Download Trivy DB if necessary
	if [ ! -d "$HOME/.cache/trivy/db" ]; then
	echo "Trivy DB not found. Downloading..."
	TRIVY_TEMP_DIR=$(mktemp -d)
	trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only
	tar -cf ./db.tar.gz -C $TRIVY_TEMP_DIR/db metadata.json trivy.db
	rm -rf $TRIVY_TEMP_DIR
	fi
	# Download Trivy DB if necessary
	if [ ! -d "$HOME/.cache/trivy/db" ]; then
	echo "Trivy DB not found. Downloading..."
	# Check for sufficient disk space (at least 500MB free)
	free_space=$(df -m . | awk 'NR==2 {print $4}')
	if [ "$free_space" -lt 500 ]; then
	echo "Error: Insufficient disk space. Need at least 500MB free."
	exit 1
	fi
	TRIVY_TEMP_DIR=$(mktemp -d)
	if ! trivy --cache-dir "$TRIVY_TEMP_DIR" image --download-db-only; then
	echo "Error: Failed to download Trivy database"
	rm -rf "$TRIVY_TEMP_DIR"
	exit 1
	fi
	if ! tar -cf ./db.tar.gz -C "$TRIVY_TEMP_DIR/db" metadata.json trivy.db; then
	echo "Error: Failed to create database archive"
	rm -rf "$TRIVY_TEMP_DIR"
	exit 1
	fi
	rm -rf $TRIVY_TEMP_DIR
	fi

---

💡 Codebase verification

Database download logic needs error handling

The script has two issues that need attention:

• The database download command lacks error handling, which could lead to silent failures
• The downloaded database isn't used as the scan explicitly uses ECR repositories

Suggested fixes:

• Add error handling to the download: trivy --cache-dir $TRIVY_TEMP_DIR image --download-db-only || { echo "Error: DB download failed"; exit 1; }
• Remove the DB download block since the scan uses remote repositories anyway

🔗 Analysis chain

Verify database usage in vulnerability scanning.

The downloaded database should be properly utilized by the subsequent Trivy scan command.

Run this script to verify database usage:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify that the Trivy scan command uses the downloaded database.

# Check if the scan command references any custom database paths
rg --type sh 'trivy\s+.*(?:--cache-dir|--db-repository)' .

# Check for any Trivy configuration files that might override database settings
fd -t f -e yaml -e yml trivy

Length of output: 430

---

Script:

#!/bin/bash
# Let's verify the complete database handling logic in the script

# Check the full context of database usage
rg -A 10 -B 5 'trivy.*--cache-dir' scripts/trivy_vulnerabilities_data.sh

# Check if there's any error handling for the database download
rg 'trivy.*download-db-only.*(\|\||&&|;)' scripts/trivy_vulnerabilities_data.sh

# Check if the downloaded database is actually used in the scan
rg -A 5 'trivy image.*--db-repository' scripts/trivy_vulnerabilities_data.sh

Length of output: 1180

[NandanAnantharamu]

lgtm